Malware Analysis Report

2024-09-22 23:58

Sample ID 240430-nqlvxaba72
Target Evolution X.rar
SHA256 fbc84db3ad1984dc7b5d035c914f889de3455fbf1de87bc01e80c201e29bfb70
Tags
asyncrat stormkitty default rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fbc84db3ad1984dc7b5d035c914f889de3455fbf1de87bc01e80c201e29bfb70

Threat Level: Known bad

The file Evolution X.rar was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default rat spyware stealer

StormKitty

StormKitty payload

AsyncRat

Async RAT payload

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops desktop.ini file(s)

Looks up external IP address via web service

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-30 11:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-30 11:36

Reported

2024-04-30 11:45

Platform

win7-20240220-en

Max time kernel

359s

Max time network

363s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Evolution X.rar"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\143f6ef05d4b70098a25c793996fdc2b\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\143f6ef05d4b70098a25c793996fdc2b\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
File created C:\Users\Admin\AppData\Local\143f6ef05d4b70098a25c793996fdc2b\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\143f6ef05d4b70098a25c793996fdc2b\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
File created C:\Users\Admin\AppData\Local\143f6ef05d4b70098a25c793996fdc2b\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
File created C:\Users\Admin\AppData\Local\143f6ef05d4b70098a25c793996fdc2b\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2276 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2276 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1972 wrote to memory of 2188 N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2188 N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2188 N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2188 N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2188 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2188 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2188 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2188 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2188 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2188 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2188 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2188 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2188 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2188 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2188 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1972 wrote to memory of 2988 N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2988 N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2988 N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2988 N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 1092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2988 wrote to memory of 1092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2988 wrote to memory of 1092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2988 wrote to memory of 1092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2988 wrote to memory of 108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2988 wrote to memory of 108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2988 wrote to memory of 108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2988 wrote to memory of 108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Evolution X.rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Evolution X.rar"

C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe

"C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.81:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp

Files

C:\Users\Admin\Desktop\New folder\SpyNote.exe.WebView2\EBWebView\Default\Extension Scripts\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\Desktop\New folder\SpyNote.exe.WebView2\EBWebView\Default\Extension Scripts\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\Desktop\New folder\SpyNote.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\Desktop\New folder\SpyNote.exe.WebView2\EBWebView\GraphiteDawnCache\data_1

MD5 39d2e8fac70e1c953274a8b5be8794a6
SHA1 2e2ad9ab6488530aa7eefc5b90917ebb46954684
SHA256 66e4303b560a580b69c89db2483d76a3f7b29d9849d64060c5198026b02c686a
SHA512 84b64cef85fc4ff5e4ebe526e67281cc92521a989bb34e6705ddbf82554ca04e73c7d06ef53e3e3f11ac3a65d24affc42bac733c7c4e390a16721cd6c7e5e32a

C:\Users\Admin\Desktop\New folder\SpyNote.exe.WebView2\EBWebView\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\Desktop\New folder\SpyNote.exe.WebView2\EBWebView\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\Desktop\New folder\SpyNote.exe.WebView2\EBWebView\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe

MD5 c8626fa6c87bfc3f50f3e912438160a0
SHA1 27e0cae91282bc8c67637017afe1d101e520c8de
SHA256 377941a7e6fe1be785b0a1cb18f8892d29ea857afdc1dcf2fb8e92bebcef1a26
SHA512 f8256cfecf829a9b41f817176750f95db1692761311d06cdf57527617c1d7df11d4c5d097b251ea8856ed3807cb1f598696bda16925de1170ff458faee3bbe7f

memory/1972-912-0x00000000011F0000-0x0000000001252000-memory.dmp

C:\Users\Admin\Desktop\New folder\Resources\icons\appInfo\activitie.png

MD5 9e4245f7174a3a48f89e539c7b8b5d42
SHA1 5f3260d1f4a51f71494bd230aecf9aac6ff27c2c
SHA256 5f2fd530bef1ed8e627e445109e953dc42cee0a63d9de79bee0e9a8743013b57
SHA512 6fa73a396f329f81ae1b4130fc8dd8fa564ab542cfdf898754390c5ef8d129df39a363e987f61212f0898fe8c020f8bf79b3c3bdbd33efcda38b26047e7b142c

C:\Users\Admin\Desktop\New folder\Resources\icons\appInfo\circle_medium.png

MD5 39d679cafee4fd44403b4b7f79d6b864
SHA1 4361917b3d398442907bb30a29dc284282e6b921
SHA256 f2d1e93eadba1e59a3daf204b75a46608ade8a1d35f3004cdc268568c5696098
SHA512 dfc56dc0d84e52c048650c934b95b864d561bd009688a40b6768e85f66bd9ad85fae7ed3bbdec42c8785aedf733a25cfeccff3f1581019d37151b7b092684635

C:\Users\Admin\AppData\Local\143f6ef05d4b70098a25c793996fdc2b\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\New folder\Resources\icons\appInfo\back_sp.png

MD5 ded58acb44933184c94452ba4b2291ef
SHA1 efb5bcae7d26b45a1f44475fb7f064205b6832b2
SHA256 069463cddfdf419f03997786b1a419a77b158860ccb94f2ff34ea166c513277d
SHA512 5c8f1b6d338a18a38b6e023f3c0e9fc3e91f03bb51f9771491e08cf163b35345fdaf6f732da3ae9b55bc853ef356c8ba2d39c99a2aebfe376b42574789e1f65e

C:\Users\Admin\Desktop\New folder\Resources\icons\appInfo\next_sp.png

MD5 2879eef49db2af34b6a1ad6a4567c7c6
SHA1 68d246bd8daddf370d1c0111abd79f3a3f300619
SHA256 476f8062361f2e74ff02bdf11031c4c06ca8c0e2091192b6ce9174ba7f5094c5
SHA512 128c18028eeffef4ecea3779108b9e568619628fa833959cb347f9d657aff23d96ffd1c5350a2e3338ac017b4d2430459e937648ebc7ff9bcc7c9374aac2e5b2

C:\Users\Admin\Desktop\New folder\Resources\icons\appInfo\permission.png

MD5 a183f80262a88f2550650a93c7a4cdd6
SHA1 b86839d0843aaced728c386ad1c990c3b114265c
SHA256 1d71881034a7745e909f6fc5fced06d867ca73a4a797040ab5a7fdf73d2a1dbf
SHA512 d81c87fd4797af587618f02cef106c965d957a6e1dc0854b40886096b3fe40e594927ef73cc74064d4d2afdd65b05d73b2af141e01b8ee91f5f88f2b616a9980

C:\Users\Admin\Desktop\New folder\Resources\icons\appInfo\receiver.png

MD5 3972dd4ca48ca6d5dac961d0e47b0e40
SHA1 d00f76b340ccf8e6f7df7d7eca01ae81b49c91c0
SHA256 52f23292eeb5ad748c678159ca9b8eaabd4f0217d07c71734121059c69c46320
SHA512 7aa5a07137b2001c309a285f62c9dd26a9154a599203276de050ccdbbcd1fa91079b71b7e31d80ec92796fa33880511282ac16503ad587612787ef77b66cbb04

C:\Users\Admin\Desktop\New folder\Resources\icons\appInfo\script.png

MD5 ff78d73837ac7ac68858001a3b8a8ce5
SHA1 ec63ae90d5aed81578815e9b4ab794b9ba621ca4
SHA256 18b7971558c1d9f6405c1ae87ed602293f55b321990a86aefcc10395a7a5efd6
SHA512 bfa3a11c5c1cf1380d11684bde2b46dc10e4cf5695ce44cc9916303a3652541b969d8c7aa99fb0772700f10879263ea12d9100a052dd6a0fc484e40a06f1f920

C:\Users\Admin\Desktop\New folder\Resources\icons\appInfo\service.png

MD5 f0a2ee6297f74e12b99fff1d783fb455
SHA1 b9d108ac33285a116d27360b5af98317b9cfa773
SHA256 f1c05ec6360b4864cb8f331abc4662e32b410e58782895a95117d37b82a0aa5d
SHA512 949bcd3038affbabb9a219be43cfb4a207f77b32724cab5e50014278b184cdfcb0cfe4def37db9234f4a140336361ab59372f19c1cbeef50fb239a0715c4794c

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\Blocked.png

MD5 12ef3d6a763b3d43e3d02614f7b4a144
SHA1 411433b4f17b3269c90005cb7f41c9e9858ddb8f
SHA256 2f11edc8106f582f72e5c6754dcb06e5f5bc7f6bbd25bc1655ecce0431f7be95
SHA512 cab1bca92b024d7610e2091e5cce3d9676dcd2fcbf2ce4ef36b5c71a7d325c81876fecc11384d2b243b98c28770d7cb4605e31461f857808cdfdde096bd1c3c9

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\Incoming.png

MD5 f7ae5a26c34058d545160d6960d3c126
SHA1 983b537c74195049acdaa3771eb63f76ef8d3c9f
SHA256 718ce2193abe82cfd8d029e7b7e7a4a25704fb33002d7e87c84ac2b0a33d2909
SHA512 d0c317641935f071366ebc09951c5ded8835a13203aed379dab77a1ac54a2fa5f1efa37a605f8898a616206f1e683ca84c9c3f6fe332682a1c6a72fd5714700c

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\Missed.png

MD5 1c32b88f10e8101ad8a7f9c9fb311e3c
SHA1 3f0c66004ecf2e7d6e804b20b289923c7053ad73
SHA256 b3e86fbc7874675ab43088efd5597ee982f9464f15499858cf6ddb0bc2130bff
SHA512 5e5d47154ffc259431fffb4420c283ac108c06a7730c37e6855fe793cfb67294af128caf68ecefcd723e0afc58db81b06ec321e52bb377c6dc848efa16ed978f

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\NA.png

MD5 d8b30fd8a14aebcc5ae727b71ceb17cd
SHA1 5235a00ec6c8fe1f9d4f049a80884660726e90b4
SHA256 386dfa3f0725a6850bff2e24e4c70d8ff533dbc6adc5fef0627f2e1a8392a0cf
SHA512 b989cfd2be75b11c9675af3f7ee2ab53f7dab294a3c5ed480c5189eb5265979bc70d8721f2a34e3c2123148e90b3f781a7da50845d64545745ba448147364c9e

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\Outgoing.png

MD5 34d680f02d9e0eab65c54deed9258150
SHA1 eec63ec416a352c082635bffe003cfb676551810
SHA256 f718b98e91d4e5f0d18993d83a0db9a807e7b219ea654a6fe3faa6d76521cc3e
SHA512 a676c91f813ddff0b6c5f01c266b3245cf30387c0fde0dad11550a78127716b96e9b68ffa05651232854969560a064db0a642e4854ae9d09778018e6d2755067

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\Rejected.png

MD5 c1e3333e177a6881abf165baf55d22e4
SHA1 bf70bc0d95e62378873c113a7ceaee8168de5226
SHA256 4b4397f741555320fce23c8918dde1ef8f0c0da796b4d5e8664e2e56be8d8aa0
SHA512 48879bfaad20eb813093a1c2d2bba146df8fc3b2eb2ccc536d96dfb7d46bf03a5b681fc29094fc4faef9adfb3be14951a5bbca51d975bb331834d1f22ddf7649

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim1.png

MD5 4f29b588c44d6b5d21939bd57a6fff1a
SHA1 30b080e3f2f26b07d043ccaf1e25b4bf974aa48f
SHA256 db101839bb798c88eb2ff514640e476533865908a196d5761a33f4773f2bc025
SHA512 d2a2a8755e093932efc122c9c5b245667a8d0bccbe3317dd8c13cc952a1e3c2f2e8c5d5d395a7bb933ff214a46ea77ff5c71af87e376658dcd7220109dcb5834

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim2.png

MD5 382a6caa225a610330a79f0213bca2cd
SHA1 5acafe1524b9ab20378e80f2b9aa6663fcea01b9
SHA256 1ee8e717797f4705ecb3645f3a3ee5405ad75d8bed15d43b3e606ed95daf934d
SHA512 51f3af34e0cc34a3692aeca3ec5e57974751d8d821770223e1d235156a426ddc069817007609483308de5195b5dbad6b4697728ea83ff93c1095f48a2b3f60fe

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim3.png

MD5 c0ff0c8ee7d7c5c14ef83b48fe69e92d
SHA1 77fcf0ef57bb3724a885fcb579248757a53e5226
SHA256 b408298521fd271cc6cd9123802846c6ac2d41620aed97545f5e318f6ead81f7
SHA512 42b3970cf99bd5f2e237a82e939c648f631e6ee890ef63f714138c1fc7c1a137741ac500ee33ffb282177bf2995ac30896a7e1ffa88337db784226b4ff146ee0

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim4.png

MD5 ec0707b64b8c6d32f4740743d13e065c
SHA1 8930b1b82becaf2a6c75155ccce8d75e7c9b627d
SHA256 129db0fcace46b29e2d67e0423c6cb213b8c5906982677e2ddfc0060e40e6455
SHA512 1538011d99f974dbe1988850b4ccf891fade493839e0f57c323e53f179d03438c9a911a299495c27ff6d165ddf9cf12dc4f4e156709e423aa7bf50d8ea54c098

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim5.png

MD5 afcb6f9a22a7f5fb654ba2b36f96b3ec
SHA1 07bc71c52a3bd723e34c40e39a72e4fa6d2e3d9c
SHA256 0ed6cf1ef846602bf4793ca91feae2f9d9fc108e39504b654418eb7ba9d1d696
SHA512 2fd9dd2848c5d82368b590ee7640929ebce56c5e4cc5c779618677f5fc8ad788d1845697ea8e136a52135bdfb4c680ac64f54bbdeee3bfa3006e754ca4498672

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim6.png

MD5 c88e43e93a7b7a0946689275e2629b11
SHA1 633318fa6e28bbe2d27737661c08585763faf179
SHA256 aac83bfc296a320ec4f3f8f494fdab94a10fc74334bd8e4acd64762c21a7728f
SHA512 87f217d316f626cc551b816d089c27ba37343f3654767875bb6d834af677020a9bc85f27b4501e41d203a475e95b9c2de816fb64b5b9189eed095f45c6bf1b97

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim7.png

MD5 756cdfc19bf8633f9ded6c836ab5d863
SHA1 fcfc1d50e8fea608a363fd7b9650cfee261856a8
SHA256 247ea0a041009a7587ae464bd045e50dc28a0f5772eb27b61ce114c5f7ce7ff9
SHA512 fd77f58837d8a33c8ebf7eeb4a1b17f86302c4fce91f926e19d25fda13d011b517808963cd2c332090d4bd94a838da77934bcf4b8f8aacebfaa530247463deac

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim8.png

MD5 76bee06d8d1cc8acf977bb590a090c69
SHA1 8f8f6fe2537fc8d8d400ef3b0e8169da373e5afe
SHA256 c650c4112d5454129ac5735366843e35d137d324481ccdd77949f555ebffa91a
SHA512 8081e143b0da81cabb5783bbb5f5392faf0b2e05f6ba3a9c4dc241475e1e5da1a7d4794ef0e229d87833bd71dc5c1e4b343e7dc9280d17186b2e6370dfa34f79

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\Voicemail.png

MD5 2f7287e820262563d3a0d137b8382123
SHA1 978cc6ed786985865de6b9e5384eb2ec44f5c17a
SHA256 38d7b401d6778827bcae850161754cee3378fe74137aff86768acc69462d6a45
SHA512 e763067e22b56a5b4bd7a9c14b5a0a60518cd516e63e8e789a4fea79669db365557aed2176bf3b2434442d9c7e9693718fb81983dfa7ce84b9ae5cb9bcc7939c

C:\Users\Admin\Desktop\New folder\Resources\icons\chevron-down\chevron-down.png

MD5 f1e45e8eaa18be7d8d97ae07d6545671
SHA1 b2bd0bd96d359196217570373da82a5aafe651c7
SHA256 9eebf2d2b7b8483410291b120bed61d3139efca8ca55e98dfa8f87d04ce700d1
SHA512 6df5316ee348d8ad44580444c9612c5ac5c9b59cfc87394c0b10161f1f02b05a5174bca63a1d1331e89300f6b5ea2008a09a405a8ab914ba806a385ed0662026

C:\Users\Admin\Desktop\New folder\Resources\icons\chevron-down\menu-down.png

MD5 8ad7e434ca478e8c83e7b6a44d95393f
SHA1 81c6ad0266e373af89a7c3072ff659efe6f85951
SHA256 edc89587b5aeb6737c3cbbb085a35cb9856e432d3325f54f2cede8a4caffc79c
SHA512 c8f23c130a0ebe8af73ec8323a29263055af77781f90f16ecbeb469ac475d07b17ab10c2139452c220225a5f2c226014ca05b057b3289f22d3e123e78b73c256

C:\Users\Admin\Desktop\New folder\Resources\icons\chevron-up\chevron-up.png

MD5 b7c9860c1be88f695efddd43c09e8c28
SHA1 1af1afac5a696b5113f2f4c2fd5cec5560805214
SHA256 6604b2002840576e90478005b71620469c5bb9910f1fbd7d251226f907753274
SHA512 edb696649730bcab44c364700b6eb50fae95cd385bc493adf96a02ed9c26087a6e9a0d5077de91d2f12645f797fda21de77698ad72a4902a58613be4134d6576

C:\Users\Admin\Desktop\New folder\Resources\icons\chevron-up\menu-up.png

MD5 c563c3e96c9a195d3a22b2ba8ee06269
SHA1 c0e8867c0beb0451051f2f22e87c47844e639e7f
SHA256 0ff7698ecce74398c91262df58ed38ce08f6f20a3950f98b45a2bb83292e52d0
SHA512 9fcc4cbc48011a7d56684fc3cf6f1eb3f65bb743032a8619c517b82633db9ac0a2b862a872720752b849a2b28cee7ef438d7210dc7d49485833655755fdc42f9

C:\Users\Admin\Desktop\New folder\Resources\icons\dexloader\add.png

MD5 3a29d5d2b02ed26c7fa848927244f849
SHA1 1dfb167c8d542a9360c4dc69e3549917918caaaf
SHA256 230ba6fb592ae2b9193d8ace77b42c31cbb73155cafea27754c4acb48a317211
SHA512 f0ff35f569fcb36735202c57f21d202484d3f4ac536ccf8f7aade20bbcd78df4672f3b3d10298a1d615d093a46059b0a1ffae46f664c8cd06bcf4177eafc8bfb

C:\Users\Admin\Desktop\New folder\Resources\icons\dexloader\load--.png

MD5 275cd0c6e94093122c1d9bf798a59595
SHA1 5aeec73d5e8690b23ee6f6a7f54801ec2767741e
SHA256 eb625974aaa633d402c63010dc65eb46405d4cf87863e0c0d055e0670d61928e
SHA512 7d34eb6aeb3e707d337f2bdcd9c395126bc412c62e539d84d25aa20804135a24fd7b9c129a3098bc1e4fbccb4194c6584e37480ea9e3214f0688a623b9c68b8d

C:\Users\Admin\Desktop\New folder\Resources\icons\dexloader\load.png

MD5 769bd0effef3a662538184fdb0a7b3f3
SHA1 15e81346abd59837b6a4dd5ab8b883753c9c8abf
SHA256 e6f78d8c251a235982a13af6ada1a6467a800ef65164c49a99bdb0dd45f3675b
SHA512 0604828f1b32bcaef086c8767ff73564168a880186c645d4484374932ea7f3bff7e5281338ae5f39250839876dd79c4a740bc2f8d3ee1494280c64e52f7e7bee

C:\Users\Admin\Desktop\New folder\Resources\icons\dexloader\package.png

MD5 4710d7bf0ba20c3b042fc05cfb6cb8a6
SHA1 2bf81fae69d73fd708a799817e56013a3a10242c
SHA256 0478c5f93d66da8cdbedb1b34ffa3d7afccae3c27537413ae8e62aa3f992ad54
SHA512 09b4e40ce41c68b709f26665e26843296e4e554b6f4dc2cedbf941658740180177c6d5958abe20b8ca744ea2ffcb557456de34f420535031c638185ac43d476f

C:\Users\Admin\Desktop\New folder\Resources\icons\dexloader\remove.png

MD5 bcd13e8a7852d00452d511db402e9474
SHA1 f0aba30fb9f7c3e7159cb497d76d5b5c14af7cb0
SHA256 19768e1b5775a427cf79f788c488929fc15adf8a1043b263de503e1f5af6bef7
SHA512 fe4a42138e5b2dfde6759e9913bdf533033334db82143204bfd960cbd665fe181b93d231d67c5a3282e61234c245c5ef2f988a23cac9439379424e9dfd19e88e

C:\Users\Admin\Desktop\New folder\Resources\icons\image-filter-hdr\1.png

MD5 6cfe559e3c3f1a8624a9c9076cf500e1
SHA1 2cf971c99c3b8ff87754b78cc6a6391ddec24168
SHA256 b643dbe6fcdf11f6a517dd7394331b8c6ca15ef838e7883e50fdbcc2505a0b25
SHA512 2e8d3e5ca8d046ddf2971cdfda91ee611373a2b15f3db4f376c93c93ddbc1f97ef01dd848c16cf547e8cde08924760596fc8a0ad69ad5e7b14ce1db485fe0082

C:\Users\Admin\Desktop\New folder\Resources\icons\image-filter-hdr\2.png

MD5 a4ba3bd97cfa9bfb8388f5b315696384
SHA1 8f12f5bf51df63fc21c7d66b659a5c3be58fd942
SHA256 457dd8abb98d607e6809c814b213777eacd2c1dc351919357c4862cdefed36f7
SHA512 65d4b90ab895f6ed6bd339ccfc93cd22bf339eb58f5fa9af5d7d89d35137d399340fc07477cc5b99995b4a8ab95a9f50422c4f52a40e5ea6dccfe20b5c3cb8a6

C:\Users\Admin\Desktop\New folder\Resources\icons\image-filter-hdr\3.png

MD5 52c17ceff4ea75d063e5e7dcefec5473
SHA1 5b062311953bfd84331270cdc4a2390f9612434f
SHA256 216f19a322f2ba4f50e30db47016136468e21d51d8379db43c62cd6d36966c9f
SHA512 3c398ebd3111bfc3e209692c0431c3a3fa89c789ba403b8ace8f6880268558a1671d3492bf1bd840913a253972b1b1fbf3df62ae5c3550fda60a6549f05ca995

C:\Users\Admin\Desktop\New folder\Resources\icons\image-filter-hdr\4.png

MD5 c76ca4ba7aae6b0aae06e50f15009b7d
SHA1 b3dcf5013725525cae1ae233d4577a083b3ec451
SHA256 641d78c3450fd94271d0f156f0956718f0804a14b57fac44c951ece2d8b18f2c
SHA512 2d88e6068d9f8953de658fe952e4586cee74d4be9a5facf3b25fb6ab4a889bf439ae3788bf27ef38c3a462e8ab2e87ba5578e4f42b031c889e72abcf4543dabc

C:\Users\Admin\Desktop\New folder\Resources\icons\image-filter-hdr\5.png

MD5 1c54b1a43ed15f6d3bcc4cd2789fda0e
SHA1 6e83dadd6d5a030538cac4e2169df327ea13a8ac
SHA256 ed9681cf798e2620e93500eab21d3d1a9edeb802fe2c0855fb6a81a5c9eabcc7
SHA512 58d37e4459b2dee81e15cc1ef83dd1ba0f3e6c35efaba168bf5ab916446a83d4ec8e68188cf554e379c1be5f26b9a234ff0dff6cf4b82acd3196c1d7860b74c8

C:\Users\Admin\Desktop\New folder\Resources\icons\image-filter-hdr\image-filter-hdr.png

MD5 8d10e8f9a8b4f3de299d992d73b8a0d7
SHA1 ebf82fb52693be3c025792783a6ce02b600816ad
SHA256 b907208a8b84d0dda93f86ce6bb4b4d6869839da93b2534f505610136aec51c4
SHA512 985404bbd2e5ae3c5a1fcbb9d2ded5a438d1f92094042be1d76a5263102679c0d613a851a87ebcbc596211168f3b1cf9f3dd924cc437ddceb86066254ad5fc98

C:\Users\Admin\Desktop\New folder\Resources\icons\location\map-3d.png

MD5 7d44946b311460379f08df156f14ed35
SHA1 4fe333886764b18734ec139f25bf11b223a852dd
SHA256 7bb66375cb6e71c856f5196c198c342228f2af0dd1af2291488ce04627f5fd7a
SHA512 29aa37d139da24a330ea69f4851b8416e9e36c46289248b8f469f3986e30481fe56f9e88d2373a97381038e1dd00e673f0dfecadd3c216072047c736b3b50c34

C:\Users\Admin\Desktop\New folder\Resources\icons\location\save.png

MD5 64dbca2ec0ccef55f4da183175ae8b04
SHA1 6bb43c0178eb63930846bc8ad1ec23da9fcef28b
SHA256 973cd5173652b1007effe2e5f5c8d6f70c16182645a0db80aa03992b7c5c9069
SHA512 5042996a5262199a159bc9f9dabc6c55f2e5a83cb1c1dc13ea2efda6fcb8999f69a3dcc19f3556fa5935dbbd57590a11d79dd0a60e3c893aa43ce895fcbd3fea

C:\Users\Admin\Desktop\New folder\Resources\icons\location\sensor.png

MD5 c231c15e4df21e982f524b1842f7037c
SHA1 0f932a79cbb8a544ad3eb2eaafa98de6f272bb84
SHA256 2140fcf2254a3cf27fbe06e50a188912a81f58c1cbdc192e131ada7637b6ba76
SHA512 50dc401921996d079724d0df4342f71a2ab404eb941b8178e3d104f562baab53305221b5c81a88a003b27282a369c8ca22e40b8736109c417c39f58cee969bcb

C:\Users\Admin\Desktop\New folder\Resources\icons\location\vector-point.png

MD5 e9273a65b37eb6802a80fb602b2227ed
SHA1 7bef7ff8fc666b840958cfae137d2aceee858407
SHA256 7a6d55c8e40c2f5da88c63ba5b6b07c4b49a5c9f944381a9d29b9f4ac4e4991f
SHA512 cc627e446a07aee1340d5981d3c37601b7dea426c7b606413489419922259e357d400784949e846387c86d1fd13a03ba8c7bf873d0f185170d35fb3a02a4861c

C:\Users\Admin\Desktop\New folder\Resources\icons\map-marker\map-marker.png

MD5 e045634bf3b5050e50fa2bb95362b0b6
SHA1 72e13344f42f659284022bb482c58ac1ad5938e2
SHA256 e9454e376326a6d3fb1e44ccb172af4148ba1de68be694cebefac2bfa17cb382
SHA512 d654b1fcd82868af87dc1b7b83f2d9f21227582d69b64a10b9fb36bfb6c602ef34cad149fe4e59b68a5ba26e160cd0b7e3e50f74a6394741b97b7371d87921e3

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\add.png

MD5 d135ccf98d1df7d305ecf2e373c9d515
SHA1 7408b8989606fde2757352331f722e32da6ee9d3
SHA256 9cb62f468f3544bb6c9863f9d25f68c9dd943e00f994ce2edc1ca228de614497
SHA512 a2bd72635cc8b97b97b1d41b9e53598442abe998287123e68c9623a0f65641b46f9658240acc405bf994bdc0c5a7ec304d649b524642ab2a235e7572ca9cdc49

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\applications.png

MD5 8288912e7ef0697d5b9b47df9ec3f697
SHA1 59431ddaa33826176dd3dc32aabf5e75c2b30e94
SHA256 618ed6aae4e652f30e36a18a89576b2370d20163e4757185b0b404b22615b914
SHA512 3255878c4692910fea7ae8e6386ae2a25bee38d1d8777ae5bf90b7026862251813aa54bc0882f27dc9371684a9802904f1927046400b55f3b4edacf0cd544073

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\applyall.png

MD5 e10717ca16abe054f58ccc0c81d935c6
SHA1 b377885124ad51f78892ea315952d178dc5303b4
SHA256 7393ad169328261c9152c29a6457ffb20d26c9f1b0ee1c0cf0d0c235f6948378
SHA512 db2b49552579d9db389ab61486cced7d324b777498b49dd4fe81628c6a067e97946804cf1bb61ced8deed6c4886f7797d7efc1859d7b3516fa8fd282e7be7a0e

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\applyhome.png

MD5 3fc07b29482a08ab224f1b5a6bd8bfde
SHA1 1161147ca4b109e0d26c1f781ffb32c00c00e156
SHA256 ab0673fd0e5b8b968c853c4cb7dd347d007bc75bb721e92091a5bff4b337f8ee
SHA512 6d35b126ecb5fef9d325ae2268a9106ba79a1e5853b820b332b828dfbbee334c4f4e3a4038abc90c9f6675b270f0d1b79f585d8bfcda9d63bd49b16750eabdc9

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\applylock.png

MD5 1cd4879870318eb6559fd4cc2c0f84e4
SHA1 5fdceb3aa78c207436aadc6686fd3f8d0faa7725
SHA256 a527b8f2b1738a4b5b0453d369bb6226d6c584e28c4f2d48738954ccb34e27ec
SHA512 6c60801dd0849bbccf6976de775dfeb2e1cfa8254f44b2028f3948bee4107765d38c38b6ef78b1a3fc1c967d27b4a243e323a98389bbccbd181b9cf414b650be

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\calls.png

MD5 532dfe6d28793e0a35698982af47b0d9
SHA1 a5b6ac134d031d7b3b9df06446c3521f3408738a
SHA256 ade313e1fab705979196a104b0908cc65ed72c75a624ebf15deb7a34973bf88e
SHA512 34dfc0b30b9fabe10e25507fc7f04d71b6dfb8277d8792b696da33b12f89789c16f9acdd490037c7e53c0b2dd262ad9c6be8806a31128098afcd6ea8a982e2c1

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\camera.png

MD5 e222baddb9113874a6ff251e5823f86f
SHA1 cdc6f65965fac09f51f1a5d96f3109c881910baa
SHA256 a109cd5b45f3a8653099848b7463e9e7654d15209e958980b91d4574c00fd729
SHA512 e2a6d7d7698ca734f5cc39de8c1537a5373d7d043cc4f5308456db666b368393f8141c1feec17eba96b296ad46a8147931a0fa597fa1df9f25abe7dd1f7f6e87

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\check.png

MD5 341e1c79fdd5531b4aececb6c236ccd4
SHA1 60009a3e20d1b0508665d9ff8da226acf86e2283
SHA256 4b33e212b4d0f2555cf98584e93228b061d21235fe83dfe7bf09466b50a53c63
SHA512 058d626533354274a029f6a8f358c12997422a0a4f3558fe104f25e32a6f4b413aa2b36bb5d781778a54ac46ce4986c34d3e6d3449db6b46e01adfc7abc48c7b

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\contacts.png

MD5 eba8c3863a08f7eab20ce13792746c17
SHA1 1a01efb75f198e20a851a1875f9dc35e550bb3a2
SHA256 eee6b3c6c606f0a993098b8ec80997b5c756addddd76507122f7d324e9459572
SHA512 fa43a34c35dc1168454a60f4a3740b830b91c1b7e1eb616aec087f86e5569c7745364a3ab14c65abc13802aae31378020137cec9ef3fb1bb13e5be82903358ba

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\copy.png

MD5 33337c48641ec4bd80f7815d47fbfb8c
SHA1 1b8177cc2c46cb5aa1a3cd724eb87ecce58412fb
SHA256 8a3d3477970dc8e482fa1a8bd3dbb8333bced812fe88ce38e1de97ffc96dd92f
SHA512 eb2174dd57a2032da028251f01745f401666957dee3431da08fa0ce28beef26065823fef66c2fe79dafe5a892f34ff09c52a7d07586336b5a8ca038ffb272217

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\cut.png

MD5 889683417dd102907f836af702a81fd6
SHA1 4809a601835568e46a3e76f7d1e9498f9c144f96
SHA256 2dd2914de21ae261dadf9823fa896b82aa43a6bb1722e677330b21342f230773
SHA512 63edf36af725f1c10231aa59dc5f4f2f5f39dff276bc632c54d0e1a2cc886633314c473a1e97dff71eb0d7b1fca8be6f5deb1e730484e4d2119d993af5d44d76

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\delete.png

MD5 a37667007f3158025c4b78bb814d37f5
SHA1 eec5d574a8a3afe6ca2ad14665f910fb663bee11
SHA256 c2f6b7eb3b86c892aa26d8ed7038e046136ff0bc6433cda1680a268072b09d71
SHA512 24059d2f9ede38dbbb4024dbba8edcb60d9138e5db24668cd2bf9614a426e005771c32c3da8275550d7e9716e94311031218d82c55fcbf93b7bc3ebef06b481a

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\details.png

MD5 53d7101dccb7495d83c8487cb60dc26b
SHA1 d6c0f654cc066d5f4bbbfe142c23bd96572e6e77
SHA256 6b14677d178176fe08ca37594a4a23e426a7ed1717cf34be1e2301da4c933a8a
SHA512 3778bfe4f59b1e3cc7ad242ae211d05b224888bff657626721d9a99016c014ba1537591446bcccf57339095c02d11a6f40e783db454862f4b9da56d08e738f5f

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\dex.png

MD5 a67dfe0cd6ba986e7bc7c31d28e29c72
SHA1 4ecf10fc2602e654716545c6769c1c83edd46c6d
SHA256 6a92316519e696b7c1f2b3868907b02d1592b09b1f08a2b27ceb3d35470e0f27
SHA512 3dfce0c9d53024c2ece9c8450a8b21180a95be3139cf075e0126a25343bbac8e3f4cd5b5db3c353999cfa34e07af662365e5025c7ea18b5d00f0c0a4c0f2ad8d

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\download.png

MD5 7321be4f1e3cabcae54f9ecd98c3981c
SHA1 b1d86e553e097d82ea9e310181f462e840bd70de
SHA256 a308673258fed464865141cbd7e5df80118494a29e680fb24b125d55cb47dee5
SHA512 c4b0ff094aa63f6cfaaf2920583904e010d34d34d42865f884f2dd9f526ebb9fd6cfbee2d066f68c7d0917330412d4f15cd4500c65b0bd4a29a545656ec1b3f1

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\files.png

MD5 9d90a8c9995377029ecf1c025ee5712f
SHA1 9efe00669c39fa2e166d55708693d530f22b753b
SHA256 afa4bd81f01a88a8a5f03c81f94bc5915996be61d23ff84c0bb03632c5e77121
SHA512 a2644ae109a29cc68d989dfac5977c212ba5b4e1ba0a4af8c29f5cad92af1a1931ffaf905b0f2cbf256837a7ed46c60abc6fdd17a61e0d02b8643ad21d37ff4f

C:\Users\Admin\AppData\Local\143f6ef05d4b70098a25c793996fdc2b\Admin@BISMIZHX_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\Temp\CabAD49.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarAE97.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 beb076e7b1d5125cab08e325d5172c3f
SHA1 2a14678fc7d4c47f4cc9f3755134f1c029e67fe0
SHA256 25d92e547b84fae0f7c814e469688d03c91b4fcbcaf75393aa05d91d5e0e3088
SHA512 00f7d252f054b140af922b9c048e37c4a7ff007dd9ff076cb1450193a226f1496b1c0da8c59665632af5104fec763a71f1764aac028fb4e1638bbf596f2dd527

C:\Users\Admin\AppData\Local\ccac48237312720d29afef297021ea7e\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-30 11:36

Reported

2024-04-30 11:42

Platform

win10-20240404-en

Max time kernel

132s

Max time network

144s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Evolution X.rar"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Evolution X.rar"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-30 11:36

Reported

2024-04-30 11:45

Platform

win10v2004-20240226-en

Max time kernel

320s

Max time network

310s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Evolution X.rar"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\f3140278e571061e2723673cc2507a43\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\f3140278e571061e2723673cc2507a43\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
File created C:\Users\Admin\AppData\Local\f3140278e571061e2723673cc2507a43\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
File created C:\Users\Admin\AppData\Local\f3140278e571061e2723673cc2507a43\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\f3140278e571061e2723673cc2507a43\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\f3140278e571061e2723673cc2507a43\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
File created C:\Users\Admin\AppData\Local\f3140278e571061e2723673cc2507a43\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
File created C:\Users\Admin\AppData\Local\f3140278e571061e2723673cc2507a43\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
File created C:\Users\Admin\AppData\Local\f3140278e571061e2723673cc2507a43\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 948 set thread context of 3160 N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\user.bin C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Program Files\7-Zip\7zFM.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\New folder\payload.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\payload.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\payload.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\payload.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New folder\payload.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\ApkFix.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3292 wrote to memory of 1176 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 3292 wrote to memory of 1176 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2928 wrote to memory of 3588 N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 3588 N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 3588 N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3588 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3588 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3588 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3588 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3588 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3588 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3588 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3588 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2928 wrote to memory of 3984 N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 3984 N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 3984 N/A C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3984 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3984 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 948 wrote to memory of 5016 N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 5016 N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 5016 N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 1836 N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 1836 N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 1836 N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 3160 N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 3160 N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 3160 N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 3160 N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 3160 N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3984 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3984 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3984 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 948 wrote to memory of 3160 N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 3160 N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 3160 N/A C:\Users\Admin\Desktop\New folder\Evolution X.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Evolution X.rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Evolution X.rar"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\New folder\ApkFix.exe

"C:\Users\Admin\Desktop\New folder\ApkFix.exe"

C:\Users\Admin\Desktop\New folder\Evolution X Loader 2.exe

"C:\Users\Admin\Desktop\New folder\Evolution X Loader 2.exe"

C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe

"C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe"

C:\Users\Admin\Desktop\New folder\Evolution X.exe

"C:\Users\Admin\Desktop\New folder\Evolution X.exe"

C:\Users\Admin\Desktop\New folder\payload.exe

"C:\Users\Admin\Desktop\New folder\payload.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3160 -ip 3160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1136

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 81.139.73.23.in-addr.arpa udp
N/A 127.0.0.1:3389 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp

Files

C:\Users\Admin\Desktop\New folder\SpyNote.exe.WebView2\EBWebView\Default\Extension Scripts\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\Desktop\New folder\SpyNote.exe.WebView2\EBWebView\Default\Extension Scripts\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\Desktop\New folder\SpyNote.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\Desktop\New folder\SpyNote.exe.WebView2\EBWebView\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\Desktop\New folder\SpyNote.exe.WebView2\EBWebView\GraphiteDawnCache\data_1

MD5 39d2e8fac70e1c953274a8b5be8794a6
SHA1 2e2ad9ab6488530aa7eefc5b90917ebb46954684
SHA256 66e4303b560a580b69c89db2483d76a3f7b29d9849d64060c5198026b02c686a
SHA512 84b64cef85fc4ff5e4ebe526e67281cc92521a989bb34e6705ddbf82554ca04e73c7d06ef53e3e3f11ac3a65d24affc42bac733c7c4e390a16721cd6c7e5e32a

C:\Users\Admin\Desktop\New folder\SpyNote.exe.WebView2\EBWebView\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\Desktop\New folder\SpyNote.exe.WebView2\EBWebView\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\Desktop\New folder\ApkFix.exe

MD5 6a2d3396308a2a108ab0dfa0b85ead5a
SHA1 91fc16bb8f8ef7c20cb19cc70222bd311ecbfd0e
SHA256 2aa67025e691dffb415246926602198dbcd2a6ab048414aea20e78afc1c647b0
SHA512 338f5b5f5549ea88eda77e978cb073e7ef100c0d735d4d30793c3df551897e030b82ffe52ae9b8f8c4ecb82e15773fa2a7a66862f39dc47bd98b5ea636705139

memory/2444-888-0x0000000000A50000-0x0000000000A6E000-memory.dmp

memory/2444-889-0x0000000005490000-0x000000000552C000-memory.dmp

C:\Users\Admin\Desktop\New folder\Evolution X Loader 2.exe

MD5 1c8df91b4d21f9ec822cc73617e90239
SHA1 62eaadce806eb52d8bcb7ed81707e1d7481ed4d0
SHA256 f4ec48f9b2b994d43e0c1c51c5046bd9599d66940c486a047284d922fb6451d3
SHA512 f3a6d71afd228ef0884ff20ad1dd072cc238ebbcf7bfb01b356b81739c0e444bd3f1b7a3a0363cb55556abae84ee888e75a745d8cdf90146fac8fdc5a3b57ec5

memory/3568-892-0x00000000002A0000-0x00000000002CC000-memory.dmp

memory/2444-893-0x0000000005AE0000-0x0000000006084000-memory.dmp

memory/2444-894-0x0000000005530000-0x00000000055C2000-memory.dmp

C:\Users\Admin\Desktop\New folder\Evolution X Loader.exe

MD5 c8626fa6c87bfc3f50f3e912438160a0
SHA1 27e0cae91282bc8c67637017afe1d101e520c8de
SHA256 377941a7e6fe1be785b0a1cb18f8892d29ea857afdc1dcf2fb8e92bebcef1a26
SHA512 f8256cfecf829a9b41f817176750f95db1692761311d06cdf57527617c1d7df11d4c5d097b251ea8856ed3807cb1f598696bda16925de1170ff458faee3bbe7f

memory/2928-897-0x00000000002A0000-0x0000000000302000-memory.dmp

memory/2444-898-0x0000000005460000-0x000000000546A000-memory.dmp

memory/2444-899-0x0000000005780000-0x00000000057D6000-memory.dmp

C:\Users\Admin\Desktop\New folder\Evolution X.exe

MD5 6c60aa7309bcc78652484574ecd3e16e
SHA1 f1d5e68ee8bc891ebc5d82de90585f50c99c5257
SHA256 8e9b71c519c3e1e0f9161b3d80f11e029da705b2ef3215640cbd563a12fb0510
SHA512 e94d2f2166b1f9b3e9f0e78a86407be500a8e09dc4ca8e4f46929a0ac9c8e220168669d332f475022b0e410909deaddad4dc3ad8b77e45a0634517f4b04b5e8f

memory/948-902-0x0000000000810000-0x0000000001842000-memory.dmp

C:\Users\Admin\Desktop\New folder\payload.exe

MD5 73bfaa50ea3d41155946259920dbb5d8
SHA1 0d5c64ac9095be83fe3029f91a86de326307bdab
SHA256 e0f62a92ad9f17bdef3ba58922a15f344fc43eb09837f6da11ae13257cc3d5bb
SHA512 727099939c0861d77d405e4a0368bea8e6864ad7675f9d91a54a4683bc496cce90c926217bd60aed438440f1a78d965e098eb371f27233af408e6ed806c499fd

memory/2452-905-0x0000000000C10000-0x0000000000C2E000-memory.dmp

memory/948-906-0x0000000006360000-0x00000000063D6000-memory.dmp

memory/2928-908-0x0000000004C40000-0x0000000004CA6000-memory.dmp

memory/2452-912-0x0000000006B70000-0x0000000006C20000-memory.dmp

C:\Users\Admin\Desktop\New folder\Newtonsoft.Json.dll

MD5 6815034209687816d8cf401877ec8133
SHA1 1248142eb45eed3beb0d9a2d3b8bed5fe2569b10
SHA256 7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814
SHA512 3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

memory/2452-913-0x0000000006B30000-0x0000000006B52000-memory.dmp

memory/2452-914-0x0000000008500000-0x0000000008854000-memory.dmp

C:\Users\Admin\Desktop\New folder\Resources\icons\appInfo\activitie.png

MD5 9e4245f7174a3a48f89e539c7b8b5d42
SHA1 5f3260d1f4a51f71494bd230aecf9aac6ff27c2c
SHA256 5f2fd530bef1ed8e627e445109e953dc42cee0a63d9de79bee0e9a8743013b57
SHA512 6fa73a396f329f81ae1b4130fc8dd8fa564ab542cfdf898754390c5ef8d129df39a363e987f61212f0898fe8c020f8bf79b3c3bdbd33efcda38b26047e7b142c

C:\Users\Admin\Desktop\New folder\Resources\icons\appInfo\back_sp.png

MD5 ded58acb44933184c94452ba4b2291ef
SHA1 efb5bcae7d26b45a1f44475fb7f064205b6832b2
SHA256 069463cddfdf419f03997786b1a419a77b158860ccb94f2ff34ea166c513277d
SHA512 5c8f1b6d338a18a38b6e023f3c0e9fc3e91f03bb51f9771491e08cf163b35345fdaf6f732da3ae9b55bc853ef356c8ba2d39c99a2aebfe376b42574789e1f65e

C:\Users\Admin\Desktop\New folder\Resources\icons\appInfo\circle_medium.png

MD5 39d679cafee4fd44403b4b7f79d6b864
SHA1 4361917b3d398442907bb30a29dc284282e6b921
SHA256 f2d1e93eadba1e59a3daf204b75a46608ade8a1d35f3004cdc268568c5696098
SHA512 dfc56dc0d84e52c048650c934b95b864d561bd009688a40b6768e85f66bd9ad85fae7ed3bbdec42c8785aedf733a25cfeccff3f1581019d37151b7b092684635

C:\Users\Admin\Desktop\New folder\Resources\icons\appInfo\next_sp.png

MD5 2879eef49db2af34b6a1ad6a4567c7c6
SHA1 68d246bd8daddf370d1c0111abd79f3a3f300619
SHA256 476f8062361f2e74ff02bdf11031c4c06ca8c0e2091192b6ce9174ba7f5094c5
SHA512 128c18028eeffef4ecea3779108b9e568619628fa833959cb347f9d657aff23d96ffd1c5350a2e3338ac017b4d2430459e937648ebc7ff9bcc7c9374aac2e5b2

C:\Users\Admin\Desktop\New folder\Resources\icons\appInfo\permission.png

MD5 a183f80262a88f2550650a93c7a4cdd6
SHA1 b86839d0843aaced728c386ad1c990c3b114265c
SHA256 1d71881034a7745e909f6fc5fced06d867ca73a4a797040ab5a7fdf73d2a1dbf
SHA512 d81c87fd4797af587618f02cef106c965d957a6e1dc0854b40886096b3fe40e594927ef73cc74064d4d2afdd65b05d73b2af141e01b8ee91f5f88f2b616a9980

C:\Users\Admin\Desktop\New folder\Resources\icons\appInfo\receiver.png

MD5 3972dd4ca48ca6d5dac961d0e47b0e40
SHA1 d00f76b340ccf8e6f7df7d7eca01ae81b49c91c0
SHA256 52f23292eeb5ad748c678159ca9b8eaabd4f0217d07c71734121059c69c46320
SHA512 7aa5a07137b2001c309a285f62c9dd26a9154a599203276de050ccdbbcd1fa91079b71b7e31d80ec92796fa33880511282ac16503ad587612787ef77b66cbb04

C:\Users\Admin\Desktop\New folder\Resources\icons\appInfo\script.png

MD5 ff78d73837ac7ac68858001a3b8a8ce5
SHA1 ec63ae90d5aed81578815e9b4ab794b9ba621ca4
SHA256 18b7971558c1d9f6405c1ae87ed602293f55b321990a86aefcc10395a7a5efd6
SHA512 bfa3a11c5c1cf1380d11684bde2b46dc10e4cf5695ce44cc9916303a3652541b969d8c7aa99fb0772700f10879263ea12d9100a052dd6a0fc484e40a06f1f920

C:\Users\Admin\Desktop\New folder\Resources\icons\appInfo\service.png

MD5 f0a2ee6297f74e12b99fff1d783fb455
SHA1 b9d108ac33285a116d27360b5af98317b9cfa773
SHA256 f1c05ec6360b4864cb8f331abc4662e32b410e58782895a95117d37b82a0aa5d
SHA512 949bcd3038affbabb9a219be43cfb4a207f77b32724cab5e50014278b184cdfcb0cfe4def37db9234f4a140336361ab59372f19c1cbeef50fb239a0715c4794c

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\Blocked.png

MD5 12ef3d6a763b3d43e3d02614f7b4a144
SHA1 411433b4f17b3269c90005cb7f41c9e9858ddb8f
SHA256 2f11edc8106f582f72e5c6754dcb06e5f5bc7f6bbd25bc1655ecce0431f7be95
SHA512 cab1bca92b024d7610e2091e5cce3d9676dcd2fcbf2ce4ef36b5c71a7d325c81876fecc11384d2b243b98c28770d7cb4605e31461f857808cdfdde096bd1c3c9

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\Incoming.png

MD5 f7ae5a26c34058d545160d6960d3c126
SHA1 983b537c74195049acdaa3771eb63f76ef8d3c9f
SHA256 718ce2193abe82cfd8d029e7b7e7a4a25704fb33002d7e87c84ac2b0a33d2909
SHA512 d0c317641935f071366ebc09951c5ded8835a13203aed379dab77a1ac54a2fa5f1efa37a605f8898a616206f1e683ca84c9c3f6fe332682a1c6a72fd5714700c

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\Missed.png

MD5 1c32b88f10e8101ad8a7f9c9fb311e3c
SHA1 3f0c66004ecf2e7d6e804b20b289923c7053ad73
SHA256 b3e86fbc7874675ab43088efd5597ee982f9464f15499858cf6ddb0bc2130bff
SHA512 5e5d47154ffc259431fffb4420c283ac108c06a7730c37e6855fe793cfb67294af128caf68ecefcd723e0afc58db81b06ec321e52bb377c6dc848efa16ed978f

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\Rejected.png

MD5 c1e3333e177a6881abf165baf55d22e4
SHA1 bf70bc0d95e62378873c113a7ceaee8168de5226
SHA256 4b4397f741555320fce23c8918dde1ef8f0c0da796b4d5e8664e2e56be8d8aa0
SHA512 48879bfaad20eb813093a1c2d2bba146df8fc3b2eb2ccc536d96dfb7d46bf03a5b681fc29094fc4faef9adfb3be14951a5bbca51d975bb331834d1f22ddf7649

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\Outgoing.png

MD5 34d680f02d9e0eab65c54deed9258150
SHA1 eec63ec416a352c082635bffe003cfb676551810
SHA256 f718b98e91d4e5f0d18993d83a0db9a807e7b219ea654a6fe3faa6d76521cc3e
SHA512 a676c91f813ddff0b6c5f01c266b3245cf30387c0fde0dad11550a78127716b96e9b68ffa05651232854969560a064db0a642e4854ae9d09778018e6d2755067

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\NA.png

MD5 d8b30fd8a14aebcc5ae727b71ceb17cd
SHA1 5235a00ec6c8fe1f9d4f049a80884660726e90b4
SHA256 386dfa3f0725a6850bff2e24e4c70d8ff533dbc6adc5fef0627f2e1a8392a0cf
SHA512 b989cfd2be75b11c9675af3f7ee2ab53f7dab294a3c5ed480c5189eb5265979bc70d8721f2a34e3c2123148e90b3f781a7da50845d64545745ba448147364c9e

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim1.png

MD5 4f29b588c44d6b5d21939bd57a6fff1a
SHA1 30b080e3f2f26b07d043ccaf1e25b4bf974aa48f
SHA256 db101839bb798c88eb2ff514640e476533865908a196d5761a33f4773f2bc025
SHA512 d2a2a8755e093932efc122c9c5b245667a8d0bccbe3317dd8c13cc952a1e3c2f2e8c5d5d395a7bb933ff214a46ea77ff5c71af87e376658dcd7220109dcb5834

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim2.png

MD5 382a6caa225a610330a79f0213bca2cd
SHA1 5acafe1524b9ab20378e80f2b9aa6663fcea01b9
SHA256 1ee8e717797f4705ecb3645f3a3ee5405ad75d8bed15d43b3e606ed95daf934d
SHA512 51f3af34e0cc34a3692aeca3ec5e57974751d8d821770223e1d235156a426ddc069817007609483308de5195b5dbad6b4697728ea83ff93c1095f48a2b3f60fe

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim3.png

MD5 c0ff0c8ee7d7c5c14ef83b48fe69e92d
SHA1 77fcf0ef57bb3724a885fcb579248757a53e5226
SHA256 b408298521fd271cc6cd9123802846c6ac2d41620aed97545f5e318f6ead81f7
SHA512 42b3970cf99bd5f2e237a82e939c648f631e6ee890ef63f714138c1fc7c1a137741ac500ee33ffb282177bf2995ac30896a7e1ffa88337db784226b4ff146ee0

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim4.png

MD5 ec0707b64b8c6d32f4740743d13e065c
SHA1 8930b1b82becaf2a6c75155ccce8d75e7c9b627d
SHA256 129db0fcace46b29e2d67e0423c6cb213b8c5906982677e2ddfc0060e40e6455
SHA512 1538011d99f974dbe1988850b4ccf891fade493839e0f57c323e53f179d03438c9a911a299495c27ff6d165ddf9cf12dc4f4e156709e423aa7bf50d8ea54c098

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim5.png

MD5 afcb6f9a22a7f5fb654ba2b36f96b3ec
SHA1 07bc71c52a3bd723e34c40e39a72e4fa6d2e3d9c
SHA256 0ed6cf1ef846602bf4793ca91feae2f9d9fc108e39504b654418eb7ba9d1d696
SHA512 2fd9dd2848c5d82368b590ee7640929ebce56c5e4cc5c779618677f5fc8ad788d1845697ea8e136a52135bdfb4c680ac64f54bbdeee3bfa3006e754ca4498672

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim6.png

MD5 c88e43e93a7b7a0946689275e2629b11
SHA1 633318fa6e28bbe2d27737661c08585763faf179
SHA256 aac83bfc296a320ec4f3f8f494fdab94a10fc74334bd8e4acd64762c21a7728f
SHA512 87f217d316f626cc551b816d089c27ba37343f3654767875bb6d834af677020a9bc85f27b4501e41d203a475e95b9c2de816fb64b5b9189eed095f45c6bf1b97

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim8.png

MD5 76bee06d8d1cc8acf977bb590a090c69
SHA1 8f8f6fe2537fc8d8d400ef3b0e8169da373e5afe
SHA256 c650c4112d5454129ac5735366843e35d137d324481ccdd77949f555ebffa91a
SHA512 8081e143b0da81cabb5783bbb5f5392faf0b2e05f6ba3a9c4dc241475e1e5da1a7d4794ef0e229d87833bd71dc5c1e4b343e7dc9280d17186b2e6370dfa34f79

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\Voicemail.png

MD5 2f7287e820262563d3a0d137b8382123
SHA1 978cc6ed786985865de6b9e5384eb2ec44f5c17a
SHA256 38d7b401d6778827bcae850161754cee3378fe74137aff86768acc69462d6a45
SHA512 e763067e22b56a5b4bd7a9c14b5a0a60518cd516e63e8e789a4fea79669db365557aed2176bf3b2434442d9c7e9693718fb81983dfa7ce84b9ae5cb9bcc7939c

C:\Users\Admin\Desktop\New folder\Resources\icons\call-logs\sim7.png

MD5 756cdfc19bf8633f9ded6c836ab5d863
SHA1 fcfc1d50e8fea608a363fd7b9650cfee261856a8
SHA256 247ea0a041009a7587ae464bd045e50dc28a0f5772eb27b61ce114c5f7ce7ff9
SHA512 fd77f58837d8a33c8ebf7eeb4a1b17f86302c4fce91f926e19d25fda13d011b517808963cd2c332090d4bd94a838da77934bcf4b8f8aacebfaa530247463deac

C:\Users\Admin\Desktop\New folder\Resources\icons\chevron-down\chevron-down.png

MD5 f1e45e8eaa18be7d8d97ae07d6545671
SHA1 b2bd0bd96d359196217570373da82a5aafe651c7
SHA256 9eebf2d2b7b8483410291b120bed61d3139efca8ca55e98dfa8f87d04ce700d1
SHA512 6df5316ee348d8ad44580444c9612c5ac5c9b59cfc87394c0b10161f1f02b05a5174bca63a1d1331e89300f6b5ea2008a09a405a8ab914ba806a385ed0662026

C:\Users\Admin\Desktop\New folder\Resources\icons\chevron-down\menu-down.png

MD5 8ad7e434ca478e8c83e7b6a44d95393f
SHA1 81c6ad0266e373af89a7c3072ff659efe6f85951
SHA256 edc89587b5aeb6737c3cbbb085a35cb9856e432d3325f54f2cede8a4caffc79c
SHA512 c8f23c130a0ebe8af73ec8323a29263055af77781f90f16ecbeb469ac475d07b17ab10c2139452c220225a5f2c226014ca05b057b3289f22d3e123e78b73c256

C:\Users\Admin\Desktop\New folder\Resources\icons\chevron-up\chevron-up.png

MD5 b7c9860c1be88f695efddd43c09e8c28
SHA1 1af1afac5a696b5113f2f4c2fd5cec5560805214
SHA256 6604b2002840576e90478005b71620469c5bb9910f1fbd7d251226f907753274
SHA512 edb696649730bcab44c364700b6eb50fae95cd385bc493adf96a02ed9c26087a6e9a0d5077de91d2f12645f797fda21de77698ad72a4902a58613be4134d6576

C:\Users\Admin\Desktop\New folder\Resources\icons\chevron-up\menu-up.png

MD5 c563c3e96c9a195d3a22b2ba8ee06269
SHA1 c0e8867c0beb0451051f2f22e87c47844e639e7f
SHA256 0ff7698ecce74398c91262df58ed38ce08f6f20a3950f98b45a2bb83292e52d0
SHA512 9fcc4cbc48011a7d56684fc3cf6f1eb3f65bb743032a8619c517b82633db9ac0a2b862a872720752b849a2b28cee7ef438d7210dc7d49485833655755fdc42f9

C:\Users\Admin\Desktop\New folder\Resources\icons\dexloader\load--.png

MD5 275cd0c6e94093122c1d9bf798a59595
SHA1 5aeec73d5e8690b23ee6f6a7f54801ec2767741e
SHA256 eb625974aaa633d402c63010dc65eb46405d4cf87863e0c0d055e0670d61928e
SHA512 7d34eb6aeb3e707d337f2bdcd9c395126bc412c62e539d84d25aa20804135a24fd7b9c129a3098bc1e4fbccb4194c6584e37480ea9e3214f0688a623b9c68b8d

C:\Users\Admin\Desktop\New folder\Resources\icons\dexloader\add.png

MD5 3a29d5d2b02ed26c7fa848927244f849
SHA1 1dfb167c8d542a9360c4dc69e3549917918caaaf
SHA256 230ba6fb592ae2b9193d8ace77b42c31cbb73155cafea27754c4acb48a317211
SHA512 f0ff35f569fcb36735202c57f21d202484d3f4ac536ccf8f7aade20bbcd78df4672f3b3d10298a1d615d093a46059b0a1ffae46f664c8cd06bcf4177eafc8bfb

C:\Users\Admin\Desktop\New folder\Resources\icons\dexloader\load.png

MD5 769bd0effef3a662538184fdb0a7b3f3
SHA1 15e81346abd59837b6a4dd5ab8b883753c9c8abf
SHA256 e6f78d8c251a235982a13af6ada1a6467a800ef65164c49a99bdb0dd45f3675b
SHA512 0604828f1b32bcaef086c8767ff73564168a880186c645d4484374932ea7f3bff7e5281338ae5f39250839876dd79c4a740bc2f8d3ee1494280c64e52f7e7bee

C:\Users\Admin\Desktop\New folder\Resources\icons\dexloader\package.png

MD5 4710d7bf0ba20c3b042fc05cfb6cb8a6
SHA1 2bf81fae69d73fd708a799817e56013a3a10242c
SHA256 0478c5f93d66da8cdbedb1b34ffa3d7afccae3c27537413ae8e62aa3f992ad54
SHA512 09b4e40ce41c68b709f26665e26843296e4e554b6f4dc2cedbf941658740180177c6d5958abe20b8ca744ea2ffcb557456de34f420535031c638185ac43d476f

C:\Users\Admin\Desktop\New folder\Resources\icons\dexloader\remove.png

MD5 bcd13e8a7852d00452d511db402e9474
SHA1 f0aba30fb9f7c3e7159cb497d76d5b5c14af7cb0
SHA256 19768e1b5775a427cf79f788c488929fc15adf8a1043b263de503e1f5af6bef7
SHA512 fe4a42138e5b2dfde6759e9913bdf533033334db82143204bfd960cbd665fe181b93d231d67c5a3282e61234c245c5ef2f988a23cac9439379424e9dfd19e88e

C:\Users\Admin\Desktop\New folder\Resources\icons\image-filter-hdr\1.png

MD5 6cfe559e3c3f1a8624a9c9076cf500e1
SHA1 2cf971c99c3b8ff87754b78cc6a6391ddec24168
SHA256 b643dbe6fcdf11f6a517dd7394331b8c6ca15ef838e7883e50fdbcc2505a0b25
SHA512 2e8d3e5ca8d046ddf2971cdfda91ee611373a2b15f3db4f376c93c93ddbc1f97ef01dd848c16cf547e8cde08924760596fc8a0ad69ad5e7b14ce1db485fe0082

C:\Users\Admin\Desktop\New folder\Resources\icons\image-filter-hdr\2.png

MD5 a4ba3bd97cfa9bfb8388f5b315696384
SHA1 8f12f5bf51df63fc21c7d66b659a5c3be58fd942
SHA256 457dd8abb98d607e6809c814b213777eacd2c1dc351919357c4862cdefed36f7
SHA512 65d4b90ab895f6ed6bd339ccfc93cd22bf339eb58f5fa9af5d7d89d35137d399340fc07477cc5b99995b4a8ab95a9f50422c4f52a40e5ea6dccfe20b5c3cb8a6

C:\Users\Admin\Desktop\New folder\Resources\icons\image-filter-hdr\4.png

MD5 c76ca4ba7aae6b0aae06e50f15009b7d
SHA1 b3dcf5013725525cae1ae233d4577a083b3ec451
SHA256 641d78c3450fd94271d0f156f0956718f0804a14b57fac44c951ece2d8b18f2c
SHA512 2d88e6068d9f8953de658fe952e4586cee74d4be9a5facf3b25fb6ab4a889bf439ae3788bf27ef38c3a462e8ab2e87ba5578e4f42b031c889e72abcf4543dabc

C:\Users\Admin\Desktop\New folder\Resources\icons\image-filter-hdr\3.png

MD5 52c17ceff4ea75d063e5e7dcefec5473
SHA1 5b062311953bfd84331270cdc4a2390f9612434f
SHA256 216f19a322f2ba4f50e30db47016136468e21d51d8379db43c62cd6d36966c9f
SHA512 3c398ebd3111bfc3e209692c0431c3a3fa89c789ba403b8ace8f6880268558a1671d3492bf1bd840913a253972b1b1fbf3df62ae5c3550fda60a6549f05ca995

C:\Users\Admin\Desktop\New folder\Resources\icons\image-filter-hdr\5.png

MD5 1c54b1a43ed15f6d3bcc4cd2789fda0e
SHA1 6e83dadd6d5a030538cac4e2169df327ea13a8ac
SHA256 ed9681cf798e2620e93500eab21d3d1a9edeb802fe2c0855fb6a81a5c9eabcc7
SHA512 58d37e4459b2dee81e15cc1ef83dd1ba0f3e6c35efaba168bf5ab916446a83d4ec8e68188cf554e379c1be5f26b9a234ff0dff6cf4b82acd3196c1d7860b74c8

C:\Users\Admin\Desktop\New folder\Resources\icons\image-filter-hdr\image-filter-hdr.png

MD5 8d10e8f9a8b4f3de299d992d73b8a0d7
SHA1 ebf82fb52693be3c025792783a6ce02b600816ad
SHA256 b907208a8b84d0dda93f86ce6bb4b4d6869839da93b2534f505610136aec51c4
SHA512 985404bbd2e5ae3c5a1fcbb9d2ded5a438d1f92094042be1d76a5263102679c0d613a851a87ebcbc596211168f3b1cf9f3dd924cc437ddceb86066254ad5fc98

C:\Users\Admin\Desktop\New folder\Resources\icons\location\map-3d.png

MD5 7d44946b311460379f08df156f14ed35
SHA1 4fe333886764b18734ec139f25bf11b223a852dd
SHA256 7bb66375cb6e71c856f5196c198c342228f2af0dd1af2291488ce04627f5fd7a
SHA512 29aa37d139da24a330ea69f4851b8416e9e36c46289248b8f469f3986e30481fe56f9e88d2373a97381038e1dd00e673f0dfecadd3c216072047c736b3b50c34

C:\Users\Admin\Desktop\New folder\Resources\icons\location\save.png

MD5 64dbca2ec0ccef55f4da183175ae8b04
SHA1 6bb43c0178eb63930846bc8ad1ec23da9fcef28b
SHA256 973cd5173652b1007effe2e5f5c8d6f70c16182645a0db80aa03992b7c5c9069
SHA512 5042996a5262199a159bc9f9dabc6c55f2e5a83cb1c1dc13ea2efda6fcb8999f69a3dcc19f3556fa5935dbbd57590a11d79dd0a60e3c893aa43ce895fcbd3fea

C:\Users\Admin\Desktop\New folder\Resources\icons\location\sensor.png

MD5 c231c15e4df21e982f524b1842f7037c
SHA1 0f932a79cbb8a544ad3eb2eaafa98de6f272bb84
SHA256 2140fcf2254a3cf27fbe06e50a188912a81f58c1cbdc192e131ada7637b6ba76
SHA512 50dc401921996d079724d0df4342f71a2ab404eb941b8178e3d104f562baab53305221b5c81a88a003b27282a369c8ca22e40b8736109c417c39f58cee969bcb

C:\Users\Admin\Desktop\New folder\Resources\icons\location\vector-point.png

MD5 e9273a65b37eb6802a80fb602b2227ed
SHA1 7bef7ff8fc666b840958cfae137d2aceee858407
SHA256 7a6d55c8e40c2f5da88c63ba5b6b07c4b49a5c9f944381a9d29b9f4ac4e4991f
SHA512 cc627e446a07aee1340d5981d3c37601b7dea426c7b606413489419922259e357d400784949e846387c86d1fd13a03ba8c7bf873d0f185170d35fb3a02a4861c

C:\Users\Admin\Desktop\New folder\Resources\icons\map-marker\map-marker.png

MD5 e045634bf3b5050e50fa2bb95362b0b6
SHA1 72e13344f42f659284022bb482c58ac1ad5938e2
SHA256 e9454e376326a6d3fb1e44ccb172af4148ba1de68be694cebefac2bfa17cb382
SHA512 d654b1fcd82868af87dc1b7b83f2d9f21227582d69b64a10b9fb36bfb6c602ef34cad149fe4e59b68a5ba26e160cd0b7e3e50f74a6394741b97b7371d87921e3

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\add.png

MD5 d135ccf98d1df7d305ecf2e373c9d515
SHA1 7408b8989606fde2757352331f722e32da6ee9d3
SHA256 9cb62f468f3544bb6c9863f9d25f68c9dd943e00f994ce2edc1ca228de614497
SHA512 a2bd72635cc8b97b97b1d41b9e53598442abe998287123e68c9623a0f65641b46f9658240acc405bf994bdc0c5a7ec304d649b524642ab2a235e7572ca9cdc49

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\applications.png

MD5 8288912e7ef0697d5b9b47df9ec3f697
SHA1 59431ddaa33826176dd3dc32aabf5e75c2b30e94
SHA256 618ed6aae4e652f30e36a18a89576b2370d20163e4757185b0b404b22615b914
SHA512 3255878c4692910fea7ae8e6386ae2a25bee38d1d8777ae5bf90b7026862251813aa54bc0882f27dc9371684a9802904f1927046400b55f3b4edacf0cd544073

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\applyall.png

MD5 e10717ca16abe054f58ccc0c81d935c6
SHA1 b377885124ad51f78892ea315952d178dc5303b4
SHA256 7393ad169328261c9152c29a6457ffb20d26c9f1b0ee1c0cf0d0c235f6948378
SHA512 db2b49552579d9db389ab61486cced7d324b777498b49dd4fe81628c6a067e97946804cf1bb61ced8deed6c4886f7797d7efc1859d7b3516fa8fd282e7be7a0e

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\applyhome.png

MD5 3fc07b29482a08ab224f1b5a6bd8bfde
SHA1 1161147ca4b109e0d26c1f781ffb32c00c00e156
SHA256 ab0673fd0e5b8b968c853c4cb7dd347d007bc75bb721e92091a5bff4b337f8ee
SHA512 6d35b126ecb5fef9d325ae2268a9106ba79a1e5853b820b332b828dfbbee334c4f4e3a4038abc90c9f6675b270f0d1b79f585d8bfcda9d63bd49b16750eabdc9

C:\Users\Admin\Desktop\New folder\Resources\icons\menuItems\17\applylock.png

MD5 1cd4879870318eb6559fd4cc2c0f84e4
SHA1 5fdceb3aa78c207436aadc6686fd3f8d0faa7725
SHA256 a527b8f2b1738a4b5b0453d369bb6226d6c584e28c4f2d48738954ccb34e27ec
SHA512 6c60801dd0849bbccf6976de775dfeb2e1cfa8254f44b2028f3948bee4107765d38c38b6ef78b1a3fc1c967d27b4a243e323a98389bbccbd181b9cf414b650be

C:\Users\Admin\AppData\Local\f3140278e571061e2723673cc2507a43\Admin@OAILVCNY_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/2444-1252-0x00000000082B0000-0x00000000082BA000-memory.dmp

memory/2444-1253-0x0000000008300000-0x0000000008312000-memory.dmp

C:\spynote_platform\platformBinary32\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 1e9d8f133a442da6b0c74d49bc84a341
SHA1 259edc45b4569427e8319895a444f4295d54348f
SHA256 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA512 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

C:\spynote_platform\platformBinary64\bin\server\Xusage.txt

MD5 b3174769a9e9e654812315468ae9c5fa
SHA1 238b369dfc7eb8f0dc6a85cdd080ed4b78388ca8
SHA256 37cf4e6cdc4357cebb0ec8108d5cb0ad42611f675b926c819ae03b74ce990a08
SHA512 0815ca93c8cf762468de668ad7f0eb0bdd3802dcaa42d55f2fb57a4ae23d9b9e2fe148898a28fe22c846a4fcdf1ee5190e74bcdabf206f73da2de644ea62a5d3

C:\Users\Admin\AppData\Local\f3140278e571061e2723673cc2507a43\Admin@OAILVCNY_en-US\System\Process.txt

MD5 ff7497370a8eb1d5bbcb2e44957df511
SHA1 61445ff6b4e3f66d8fdb5b7723c614d4697f5932
SHA256 d528175fe35dcc4572e0dd613aebda6d738d9c6e016f7bf57a77d9ae51d2ea18
SHA512 915dac68f6bb8e313c1966a1077d821a4d3c98636bcc6acde162d3bcf4e56a2de9be68592b2aa490b9ddf4f3be9390d5ebb6b3ce3deca737637cca0d5bafd9ac

C:\spynote_platform\platformBinary64\bin\classes_dex\permissions.xml

MD5 28797aef190c8e76c674f743088d0c6c
SHA1 170c0a9498d59b88e08bce6950676487abae3813
SHA256 beffc391e890f5c7977446713be796b12e501a14b581944a7a6bcd7af2001a45
SHA512 d5e5f42bbb1382591fb617cf45811de47d2965d044d7ca1c27d2f54a40495f57e256aa13f46add787b8639857a50eab131c57ca90e51f870c562d296a89ca4d5

C:\spynote_platform\platformBinary64\bin\classes_dex\manifest.xml

MD5 36dacd1a05ec6bff99d0c2c391b304f2
SHA1 f653df34e89b8f0bd98650f9e24737ac0b7e7f1a
SHA256 062af2963182dc76d373deab5dd0df56825bc0a1850d4c21c69c541e60851c71
SHA512 6d2d49fe2c5670b23a04d9f3dedef11fe0f07c10bde6ab6355f93ec8cf87fe5cf9cf513bfb88bfc0fbe1399d6d7b78106cf91c07864090c11eb5e9bd49dbf95b

memory/948-1942-0x000000000F610000-0x000000001061C000-memory.dmp

memory/948-1943-0x00000000063E0000-0x00000000063FE000-memory.dmp

memory/3160-1944-0x0000000000F00000-0x0000000001F0A000-memory.dmp

C:\Users\Admin\AppData\Local\a595edcc76b2be01ecdbc910faea4e1d\msgid.dat

MD5 07cdfd23373b17c6b337251c22b7ea57
SHA1 68b5193fd0f5308baac9d9eed453a89e6925bcf9
SHA256 ee62de25ccc2b55d3a0495244b246fb97055b6f1c2697d837b8e94976c03756f
SHA512 ad116a58135fd2a60c2837e1dcc37edd6c4c4421ed38c540ac2b867ec0dce56f4d896e8ff7dd8e79f59d88ac22fed5c5cd2fb900eed37414df66a0f037023032

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-30 11:36

Reported

2024-04-30 11:42

Platform

win11-20240419-en

Max time kernel

131s

Max time network

146s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Evolution X.rar"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Evolution X.rar"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A