Malware Analysis Report

2025-06-16 06:50

Sample ID 220814-x8ap2aheer
Target 67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
SHA256 67d4d3b8f1560edaaa9dab45e4df8373ca6a82a1dfce6f11e4b4191b1b1d4eb8
Tags
discovery asyncrat njrat nyan cat own05 evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

67d4d3b8f1560edaaa9dab45e4df8373ca6a82a1dfce6f11e4b4191b1b1d4eb8

Threat Level: Known bad

The file 67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe was found to be: Known bad.

Malicious Activity Summary

discovery asyncrat njrat nyan cat own05 evasion persistence rat trojan

Windows security bypass

AsyncRat

njRAT/Bladabindi

Async RAT payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Windows security modification

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-14 19:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-14 19:30

Reported

2022-08-14 19:33

Platform

win7-20220812-en

Max time kernel

41s

Max time network

44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe

"C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe"

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 600

Network

N/A

Files

memory/1668-54-0x0000000075071000-0x0000000075073000-memory.dmp

\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

MD5 75233a6594888de3589ac556a04d36d8
SHA1 490efc1af779c47849ba20ca53a4dbac9e08185d
SHA256 fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80
SHA512 c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

MD5 75233a6594888de3589ac556a04d36d8
SHA1 490efc1af779c47849ba20ca53a4dbac9e08185d
SHA256 fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80
SHA512 c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

memory/860-60-0x0000000000000000-mapping.dmp

memory/860-63-0x0000000000DD0000-0x0000000000E3A000-memory.dmp

memory/860-64-0x0000000000970000-0x00000000009D0000-memory.dmp

memory/1324-65-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-14 19:30

Reported

2022-08-14 19:33

Platform

win10v2004-20220812-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe"

Signatures

AsyncRat

rat asyncrat

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe = "0" C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Windows Security Host.exe = "0" C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe = "0" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

njRAT/Bladabindi

trojan njrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe = "0" C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Windows Security Host.exe = "0" C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe = "0" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bUbgLLbXggXJOIgPS = "C:\\Users\\Public\\Documents\\ePfJhYNKJdKcYgdNe\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dOdgYchdWbPgLRhLV = "C:\\Windows\\Microsoft.NET\\Framework\\KOMNbVTeabKcNgPOV\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dOdgYchdWbPgLRhLV = "C:\\Windows\\Microsoft.NET\\Framework\\KOMNbVTeabKcNgPOV\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aINLTZgMPVaMPYOJY = "C:\\Windows\\Cursors\\OPSZXUZIgTafXTVhZ\\svchost.exe" C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aINLTZgMPVaMPYOJY = "C:\\Windows\\Cursors\\OPSZXUZIgTafXTVhZ\\svchost.exe" C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bUbgLLbXggXJOIgPS = "C:\\Users\\Public\\Documents\\ePfJhYNKJdKcYgdNe\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe N/A
File created C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
File opened for modification C:\Windows\Cursors\OPSZXUZIgTafXTVhZ C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001" C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob omitted) C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob omitted) C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob omitted) C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob omitted) C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 1684 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 1684 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 3948 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3948 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3948 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3948 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3948 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3948 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3948 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3948 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3948 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3948 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 3948 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 3948 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 3948 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 3948 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 3948 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 3948 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 3948 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 1684 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1684 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1684 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1860 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1860 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1860 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1860 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1860 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1860 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1860 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1860 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1684 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 1684 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 1684 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3964 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3964 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3964 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3964 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3964 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3964 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3964 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3964 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3964 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3964 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3964 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3964 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

Processes

C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe

"C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe"

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" -Force

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -Force

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

"C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Windows Security Host.exe" -Force

C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

"C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"

C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

"C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"

C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

"C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

"C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe"

Network

Country  Destination           Domain            Proto
US       8.8.8.8:53            4Mekey.myftp.biz  udp
US       198.23.212.148:1011   4Mekey.myftp.biz  tcp
US       198.23.212.148:7707   4Mekey.myftp.biz  tcp
US       198.23.212.148:8848   4Mekey.myftp.biz  tcp
US       8.238.20.126:80       -                 tcp
US       13.89.179.8:443       -                 tcp
US       8.238.20.126:80       -                 tcp
US       8.238.20.126:80       -                 tcp
US       8.253.208.120:80      -                 tcp

Files

memory/3948-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

MD5 75233a6594888de3589ac556a04d36d8
SHA1 490efc1af779c47849ba20ca53a4dbac9e08185d
SHA256 fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80
SHA512 c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

MD5 75233a6594888de3589ac556a04d36d8
SHA1 490efc1af779c47849ba20ca53a4dbac9e08185d
SHA256 fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80
SHA512 c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

memory/3948-135-0x0000000000E10000-0x0000000000E7A000-memory.dmp

memory/3948-136-0x00000000080B0000-0x0000000008654000-memory.dmp

memory/4280-137-0x0000000000000000-mapping.dmp

memory/4968-138-0x0000000000000000-mapping.dmp

memory/2500-139-0x0000000000000000-mapping.dmp

memory/3948-140-0x0000000008B40000-0x0000000008BD2000-memory.dmp

memory/4280-141-0x0000000002F70000-0x0000000002FA6000-memory.dmp

memory/4280-142-0x0000000005B00000-0x0000000006128000-memory.dmp

memory/3948-143-0x0000000008AF0000-0x0000000008AFA000-memory.dmp

memory/2500-144-0x0000000004AB0000-0x0000000004AD2000-memory.dmp

memory/4968-145-0x0000000005680000-0x00000000056E6000-memory.dmp

memory/2500-146-0x00000000054F0000-0x0000000005556000-memory.dmp

memory/1352-147-0x0000000000000000-mapping.dmp

memory/1352-148-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

MD5 75233a6594888de3589ac556a04d36d8
SHA1 490efc1af779c47849ba20ca53a4dbac9e08185d
SHA256 fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80
SHA512 c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

memory/1352-150-0x0000000005620000-0x00000000056BC000-memory.dmp

memory/4280-151-0x00000000068B0000-0x00000000068CE000-memory.dmp

memory/4968-154-0x000000006F290000-0x000000006F2DC000-memory.dmp

memory/2500-153-0x000000006F290000-0x000000006F2DC000-memory.dmp

memory/4280-155-0x000000006F290000-0x000000006F2DC000-memory.dmp

memory/2500-156-0x0000000006110000-0x000000000612E000-memory.dmp

memory/4280-152-0x0000000006E70000-0x0000000006EA2000-memory.dmp

memory/4280-157-0x00000000081F0000-0x000000000886A000-memory.dmp

memory/2500-158-0x0000000006E80000-0x0000000006E9A000-memory.dmp

memory/4968-159-0x0000000007A10000-0x0000000007A1A000-memory.dmp

memory/2500-160-0x0000000007100000-0x0000000007196000-memory.dmp

memory/1860-161-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 45c7bb96cf62c09ce2a2f8c141e2e3cc
SHA1 321e2b8e15dd6713163da84b775d5f7ccf68a067
SHA256 250e21a581ab1a303458c385ad8188c4954930abeeb790d82962b328d1412214
SHA512 3640d49d6fd41d5474ea2c7f8754eeb2994c7c05e0bcbb74c84be178747497ac4ea7c8a3c458d9f179e8fe3ed8070c6a255821a3a0ffd072c430c4758f70b371

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 45c7bb96cf62c09ce2a2f8c141e2e3cc
SHA1 321e2b8e15dd6713163da84b775d5f7ccf68a067
SHA256 250e21a581ab1a303458c385ad8188c4954930abeeb790d82962b328d1412214
SHA512 3640d49d6fd41d5474ea2c7f8754eeb2994c7c05e0bcbb74c84be178747497ac4ea7c8a3c458d9f179e8fe3ed8070c6a255821a3a0ffd072c430c4758f70b371

memory/1860-164-0x0000000000E30000-0x0000000000E9C000-memory.dmp

memory/4968-165-0x0000000007BD0000-0x0000000007BDE000-memory.dmp

memory/4280-166-0x0000000007EF0000-0x0000000007F0A000-memory.dmp

memory/4280-167-0x0000000007ED0000-0x0000000007ED8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ce7628577f459b34d4bc5b2a580202d9
SHA1 d451433443db205c9acc801edbdf62cfe5ace0c4
SHA256 1d49949e0d2560ced4d68fd7ec8013b6b46119f4c9784cb42750a9a02b7b2c00
SHA512 2041d53f1ba6fb8469579dd3371812d527a68b46323968b1a258b3eb75b14987f6bc4c9dc7591210639934dffc18d032f10d47189dd3e4851abeeb3ef121aed7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ce7628577f459b34d4bc5b2a580202d9
SHA1 d451433443db205c9acc801edbdf62cfe5ace0c4
SHA256 1d49949e0d2560ced4d68fd7ec8013b6b46119f4c9784cb42750a9a02b7b2c00
SHA512 2041d53f1ba6fb8469579dd3371812d527a68b46323968b1a258b3eb75b14987f6bc4c9dc7591210639934dffc18d032f10d47189dd3e4851abeeb3ef121aed7

memory/2164-171-0x0000000000000000-mapping.dmp

memory/3204-172-0x0000000000000000-mapping.dmp

memory/3332-173-0x0000000000000000-mapping.dmp

memory/3876-174-0x0000000000000000-mapping.dmp

memory/3876-175-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 45c7bb96cf62c09ce2a2f8c141e2e3cc
SHA1 321e2b8e15dd6713163da84b775d5f7ccf68a067
SHA256 250e21a581ab1a303458c385ad8188c4954930abeeb790d82962b328d1412214
SHA512 3640d49d6fd41d5474ea2c7f8754eeb2994c7c05e0bcbb74c84be178747497ac4ea7c8a3c458d9f179e8fe3ed8070c6a255821a3a0ffd072c430c4758f70b371

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ce7628577f459b34d4bc5b2a580202d9
SHA1 d451433443db205c9acc801edbdf62cfe5ace0c4
SHA256 1d49949e0d2560ced4d68fd7ec8013b6b46119f4c9784cb42750a9a02b7b2c00
SHA512 2041d53f1ba6fb8469579dd3371812d527a68b46323968b1a258b3eb75b14987f6bc4c9dc7591210639934dffc18d032f10d47189dd3e4851abeeb3ef121aed7

memory/3204-178-0x000000006F290000-0x000000006F2DC000-memory.dmp

memory/2164-179-0x000000006F290000-0x000000006F2DC000-memory.dmp

memory/3332-180-0x000000006F290000-0x000000006F2DC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c82cf1c6aa26d40abdeeadbb40ee274f
SHA1 ba84ebbfb299a025fdf72b870ade6ca8f92d4d7e
SHA256 eaf94aad23b2ae56eaaa92f70af26a18e65bfae7557816bbaf31d088b40e4774
SHA512 3375627bd362023c4b4f3e5921f84d09acc19039cae40bc571cd047f3b754676fca7924f7086d58df619aaa544eed27bc9eb2e198925c001fbc2a1aa37bd8331

memory/3964-182-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

MD5 fd4064ae04a7f4f8636454fcd7f77b00
SHA1 3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2
SHA256 b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5
SHA512 60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

MD5 fd4064ae04a7f4f8636454fcd7f77b00
SHA1 3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2
SHA256 b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5
SHA512 60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

memory/3964-185-0x0000000000840000-0x00000000008BC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 645b77bae91e157f44a6125e63f17621
SHA1 3de7404d827ec5f76a7743a58a818e0d11d42839
SHA256 90f5e018d2c2dd966909518503616a8561bcb3ce2363f76c0b1d7027b738c99c
SHA512 06d289e410eb2daf3f850263e02f5ca87a21c5ecba1fb89324ae626286445a9c28909e88a6ee47ae827a255fb06972af38bd866b6ba1f1cceb23f80a3a1ba495

memory/3180-187-0x0000000000000000-mapping.dmp

memory/3252-188-0x0000000000000000-mapping.dmp

memory/5100-189-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 645b77bae91e157f44a6125e63f17621
SHA1 3de7404d827ec5f76a7743a58a818e0d11d42839
SHA256 90f5e018d2c2dd966909518503616a8561bcb3ce2363f76c0b1d7027b738c99c
SHA512 06d289e410eb2daf3f850263e02f5ca87a21c5ecba1fb89324ae626286445a9c28909e88a6ee47ae827a255fb06972af38bd866b6ba1f1cceb23f80a3a1ba495

memory/4396-191-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

MD5 fd4064ae04a7f4f8636454fcd7f77b00
SHA1 3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2
SHA256 b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5
SHA512 60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

MD5 fd4064ae04a7f4f8636454fcd7f77b00
SHA1 3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2
SHA256 b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5
SHA512 60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

memory/2192-195-0x0000000000000000-mapping.dmp

memory/4260-193-0x0000000000000000-mapping.dmp

memory/2192-196-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

MD5 fd4064ae04a7f4f8636454fcd7f77b00
SHA1 3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2
SHA256 b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5
SHA512 60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

memory/3180-198-0x000000006F2E0000-0x000000006F32C000-memory.dmp

memory/3252-199-0x000000006F2E0000-0x000000006F32C000-memory.dmp

memory/5100-200-0x000000006F2E0000-0x000000006F32C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 04d7c019f2a21d6a052315c67ae92b73
SHA1 09fabcc020d869b88c33e4cbd9a2481a678c2149
SHA256 374fad38ab27622163272b1394fe89af17ba0abfdd60adda00948799099a1d69
SHA512 3a2925593ff5835638d78a598468fb36a539af56367d21775f6a5153d260e0938b233824d1887415730f1f300e6ef4a52628d0f99dd9c37f472be6bed7e1f7b9

memory/1876-202-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

MD5 08c3094ab3b3f48e26b6298c5b536fc0
SHA1 eb3354a84b4df057d129db893e7da073ce966d9c
SHA256 604bd340ee3bc601d213da08287ead8eef11ac30305ac55f2efcc56e611a58e3
SHA512 c1af72099f60df1cc1674a978674f95ab7298dfbd4219ef08387b7306c5fdca8287666992552b08b6d51788c62523f13f17e4cc76e44d5fd0ce649e6ae44d656

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2de185be84dd06c83d961d95773bddd5
SHA1 0f22342d56c7a24b5b976dd423711678157cc659
SHA256 7409fcd778c5258bb100fc2e4b57801326699e8fdc9a571bbd0b7c347c697ce2
SHA512 2aa19ffbccdd0ba50ccbde7f836e8f9e13298d8c2465beae70118eaad9df2a2446632a3c2ff3d09e305d3ac9acc4b01fb436862fff5db446b9f3b1cc2dc03214

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

MD5 08c3094ab3b3f48e26b6298c5b536fc0
SHA1 eb3354a84b4df057d129db893e7da073ce966d9c
SHA256 604bd340ee3bc601d213da08287ead8eef11ac30305ac55f2efcc56e611a58e3
SHA512 c1af72099f60df1cc1674a978674f95ab7298dfbd4219ef08387b7306c5fdca8287666992552b08b6d51788c62523f13f17e4cc76e44d5fd0ce649e6ae44d656