Malware Analysis Report

2025-06-16 06:50

Sample ID 220814-x8cvdshefj
Target 67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
SHA256 67d4d3b8f1560edaaa9dab45e4df8373ca6a82a1dfce6f11e4b4191b1b1d4eb8
Tags
discovery asyncrat njrat nyan cat own05 evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

67d4d3b8f1560edaaa9dab45e4df8373ca6a82a1dfce6f11e4b4191b1b1d4eb8

Threat Level: Known bad

The file 67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe was found to be: Known bad.

Malicious Activity Summary

discovery asyncrat njrat nyan cat own05 evasion persistence rat trojan

AsyncRat

njRAT/Bladabindi

Windows security bypass

Async RAT payload

Executes dropped EXE

Checks computer location settings

Windows security modification

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-14 19:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-14 19:31

Reported

2022-08-14 19:33

Platform

win7-20220812-en

Max time kernel

42s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe N/A
File created C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe

"C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe"

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 600

Network

N/A

Files

memory/816-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

MD5 75233a6594888de3589ac556a04d36d8
SHA1 490efc1af779c47849ba20ca53a4dbac9e08185d
SHA256 fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80
SHA512 c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

memory/1776-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

MD5 75233a6594888de3589ac556a04d36d8
SHA1 490efc1af779c47849ba20ca53a4dbac9e08185d
SHA256 fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80
SHA512 c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

memory/1776-63-0x0000000000A10000-0x0000000000A7A000-memory.dmp

memory/1776-64-0x0000000000940000-0x00000000009A0000-memory.dmp

memory/1176-65-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-14 19:31

Reported

2022-08-14 19:33

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe"

Signatures

AsyncRat

rat asyncrat

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe = "0" C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Windows Security Host.exe = "0" C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe = "0" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

njRAT/Bladabindi

trojan njrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe = "0" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe = "0" C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Windows Security Host.exe = "0" C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dOdgYchdWbPgLRhLV = "C:\\Windows\\Microsoft.NET\\Framework\\KOMNbVTeabKcNgPOV\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aINLTZgMPVaMPYOJY = "C:\\Windows\\Cursors\\OPSZXUZIgTafXTVhZ\\svchost.exe" C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aINLTZgMPVaMPYOJY = "C:\\Windows\\Cursors\\OPSZXUZIgTafXTVhZ\\svchost.exe" C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bUbgLLbXggXJOIgPS = "C:\\Users\\Public\\Documents\\ePfJhYNKJdKcYgdNe\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bUbgLLbXggXJOIgPS = "C:\\Users\\Public\\Documents\\ePfJhYNKJdKcYgdNe\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dOdgYchdWbPgLRhLV = "C:\\Windows\\Microsoft.NET\\Framework\\KOMNbVTeabKcNgPOV\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
File opened for modification C:\Windows\Cursors\OPSZXUZIgTafXTVhZ C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A
File created C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001" C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (DER certificate blob omitted; its subject decodes to "DigiCert Assured ID Root CA") C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Occurrences
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A 10
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 18
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A 10
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A 10

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Occurrences
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A 2
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 9
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A 2
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe N/A 2
Token: 33 (privilege LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A 17
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A 17

Suspicious use of WriteProcessMemory

Description Indicator Process Target Occurrences
PID 2648 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe 3
PID 4700 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4700 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4700 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4700 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe 8
PID 2648 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe 3
PID 4112 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4112 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4112 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4112 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe 8
PID 2648 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe 3
PID 3596 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3596 wrote to memory of 524 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 524 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 524 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3596 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3596 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3596 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3596 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3596 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3596 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 3596 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\Windows Security Host.exe C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
PID 2648 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 2648 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 2648 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

Processes

C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe

"C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe"

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" -Force

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -Force

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

"C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Windows Security Host.exe" -Force

C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

"C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

"C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 198.23.212.148:1011 4Mekey.myftp.biz tcp
US 198.23.212.148:8808 4Mekey.myftp.biz tcp
DE 51.116.253.168:443 tcp
US 198.23.212.148:8848 4Mekey.myftp.biz tcp
NL 104.80.225.205:443 tcp
US 209.197.3.8:80 tcp
US 8.252.118.126:80 tcp
US 8.252.118.126:80 tcp
US 93.184.220.29:80 tcp
US 209.197.3.8:80 tcp

Files

memory/4700-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

MD5 75233a6594888de3589ac556a04d36d8
SHA1 490efc1af779c47849ba20ca53a4dbac9e08185d
SHA256 fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80
SHA512 c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

MD5 75233a6594888de3589ac556a04d36d8
SHA1 490efc1af779c47849ba20ca53a4dbac9e08185d
SHA256 fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80
SHA512 c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

memory/4700-135-0x0000000000E10000-0x0000000000E7A000-memory.dmp

memory/4700-136-0x0000000007BE0000-0x0000000008184000-memory.dmp

memory/3640-137-0x0000000000000000-mapping.dmp

memory/4364-138-0x0000000000000000-mapping.dmp

memory/1264-139-0x0000000000000000-mapping.dmp

memory/3640-140-0x0000000002BF0000-0x0000000002C26000-memory.dmp

memory/4700-141-0x00000000086F0000-0x0000000008782000-memory.dmp

memory/4364-142-0x0000000004D10000-0x0000000005338000-memory.dmp

memory/4700-143-0x0000000008680000-0x000000000868A000-memory.dmp

memory/4364-144-0x0000000004900000-0x0000000004922000-memory.dmp

memory/3640-146-0x0000000005520000-0x0000000005586000-memory.dmp

memory/4364-145-0x0000000004CA0000-0x0000000004D06000-memory.dmp

memory/3292-147-0x0000000000000000-mapping.dmp

memory/3292-148-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

MD5 75233a6594888de3589ac556a04d36d8
SHA1 490efc1af779c47849ba20ca53a4dbac9e08185d
SHA256 fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80
SHA512 c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

memory/3292-150-0x0000000004FD0000-0x000000000506C000-memory.dmp

memory/1264-151-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

memory/4364-152-0x0000000006980000-0x00000000069B2000-memory.dmp

memory/1264-154-0x000000006F510000-0x000000006F55C000-memory.dmp

memory/4364-153-0x000000006F510000-0x000000006F55C000-memory.dmp

memory/1264-155-0x0000000006190000-0x00000000061AE000-memory.dmp

memory/3640-156-0x000000006F510000-0x000000006F55C000-memory.dmp

memory/4364-157-0x0000000007320000-0x000000000799A000-memory.dmp

memory/1264-158-0x0000000006EE0000-0x0000000006EFA000-memory.dmp

memory/4112-159-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 45c7bb96cf62c09ce2a2f8c141e2e3cc
SHA1 321e2b8e15dd6713163da84b775d5f7ccf68a067
SHA256 250e21a581ab1a303458c385ad8188c4954930abeeb790d82962b328d1412214
SHA512 3640d49d6fd41d5474ea2c7f8754eeb2994c7c05e0bcbb74c84be178747497ac4ea7c8a3c458d9f179e8fe3ed8070c6a255821a3a0ffd072c430c4758f70b371

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 45c7bb96cf62c09ce2a2f8c141e2e3cc
SHA1 321e2b8e15dd6713163da84b775d5f7ccf68a067
SHA256 250e21a581ab1a303458c385ad8188c4954930abeeb790d82962b328d1412214
SHA512 3640d49d6fd41d5474ea2c7f8754eeb2994c7c05e0bcbb74c84be178747497ac4ea7c8a3c458d9f179e8fe3ed8070c6a255821a3a0ffd072c430c4758f70b371

memory/4112-162-0x0000000000280000-0x00000000002EC000-memory.dmp

memory/1264-163-0x0000000006F50000-0x0000000006F5A000-memory.dmp

memory/1264-164-0x0000000007160000-0x00000000071F6000-memory.dmp

memory/1264-165-0x0000000007110000-0x000000000711E000-memory.dmp

memory/3640-166-0x0000000007B30000-0x0000000007B4A000-memory.dmp

memory/1264-167-0x0000000007200000-0x0000000007208000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7fdf90b67f8cbf73576916b8c8e52c4a
SHA1 5f4f980bc588da96a20eb036d1baa0c97608b39c
SHA256 a5e3603b1e18a84d07f4b8b5daa9b3044478851fb31866cb9632085b3715cf5f
SHA512 3e013f73a4f04f332c7de5d7b6a8b0a86a6d7b53ad44cbcb63d9500595b51c5cb03fad0b09e08f03bee997eaa7e8a545b2f7d1c88155c783c52194dbf29bfbdd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fae21fdf345a02de4e0b47e6d1913def
SHA1 aa070f144df9d6215544fd819d4fbcce640fa2fd
SHA256 2082491942967a95af9f6a95797d1d5b7405279e533c9204ed0f659319ccebbf
SHA512 47a224ded73949de65b33b69ddad2af4fd448514a61dd2c7c65ae4cf420df3d1d064f430d33bf5e91ce3f109ccf7c6812b97664301a1eb3adf232051dec77303

memory/3508-171-0x0000000000000000-mapping.dmp

memory/2560-172-0x0000000000000000-mapping.dmp

memory/1228-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fae21fdf345a02de4e0b47e6d1913def
SHA1 aa070f144df9d6215544fd819d4fbcce640fa2fd
SHA256 2082491942967a95af9f6a95797d1d5b7405279e533c9204ed0f659319ccebbf
SHA512 47a224ded73949de65b33b69ddad2af4fd448514a61dd2c7c65ae4cf420df3d1d064f430d33bf5e91ce3f109ccf7c6812b97664301a1eb3adf232051dec77303

memory/2560-175-0x000000006F1E0000-0x000000006F22C000-memory.dmp

memory/3508-176-0x000000006F1E0000-0x000000006F22C000-memory.dmp

memory/1228-177-0x000000006F1E0000-0x000000006F22C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 91513bcd6b4b71d4f236fe09d6d65b2b
SHA1 1039b63c5e7717c2e12e34d0f7f8ae335b5b3348
SHA256 7bc80576bfe3f176501215ebff231d41848ac491be475019d790db4c018afc0d
SHA512 3cd823011f78640527f1129ac50530c41017037202381cbe3117f98ec6e10fa3ff3d4f9d9d1806747ca7eb24490746301a1998fdcef8f305db2417bd9d23e2d9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 74d6f87e498e81fca1a4269f390b7bcd
SHA1 9a24c9148aed0597b151131380fa9a62b92552b5
SHA256 b1054009c262fd3f59bd6bfb867c888567a6a3135dcb8ad52927ff84dc235441
SHA512 a219c5abdb292b39cd03fb4bac9080a00efe9043f069b777773991dcab7de175588fa0432e80bf9c1d600eeb5d7e5bcf19e2bfdcfda69225d37ee388c7a58fcb

memory/4536-180-0x0000000000000000-mapping.dmp

memory/4536-181-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 45c7bb96cf62c09ce2a2f8c141e2e3cc
SHA1 321e2b8e15dd6713163da84b775d5f7ccf68a067
SHA256 250e21a581ab1a303458c385ad8188c4954930abeeb790d82962b328d1412214
SHA512 3640d49d6fd41d5474ea2c7f8754eeb2994c7c05e0bcbb74c84be178747497ac4ea7c8a3c458d9f179e8fe3ed8070c6a255821a3a0ffd072c430c4758f70b371

memory/3596-183-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

MD5 fd4064ae04a7f4f8636454fcd7f77b00
SHA1 3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2
SHA256 b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5
SHA512 60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

MD5 fd4064ae04a7f4f8636454fcd7f77b00
SHA1 3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2
SHA256 b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5
SHA512 60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

memory/3596-186-0x0000000000E50000-0x0000000000ECC000-memory.dmp

memory/3180-187-0x0000000000000000-mapping.dmp

memory/524-188-0x0000000000000000-mapping.dmp

memory/1376-189-0x0000000000000000-mapping.dmp

memory/1072-190-0x0000000000000000-mapping.dmp

memory/1072-191-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

MD5 fd4064ae04a7f4f8636454fcd7f77b00
SHA1 3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2
SHA256 b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5
SHA512 60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 74d6f87e498e81fca1a4269f390b7bcd
SHA1 9a24c9148aed0597b151131380fa9a62b92552b5
SHA256 b1054009c262fd3f59bd6bfb867c888567a6a3135dcb8ad52927ff84dc235441
SHA512 a219c5abdb292b39cd03fb4bac9080a00efe9043f069b777773991dcab7de175588fa0432e80bf9c1d600eeb5d7e5bcf19e2bfdcfda69225d37ee388c7a58fcb

memory/524-194-0x000000006EED0000-0x000000006EF1C000-memory.dmp

memory/3180-195-0x000000006EED0000-0x000000006EF1C000-memory.dmp

memory/1248-196-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

MD5 08c3094ab3b3f48e26b6298c5b536fc0
SHA1 eb3354a84b4df057d129db893e7da073ce966d9c
SHA256 604bd340ee3bc601d213da08287ead8eef11ac30305ac55f2efcc56e611a58e3
SHA512 c1af72099f60df1cc1674a978674f95ab7298dfbd4219ef08387b7306c5fdca8287666992552b08b6d51788c62523f13f17e4cc76e44d5fd0ce649e6ae44d656

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

MD5 08c3094ab3b3f48e26b6298c5b536fc0
SHA1 eb3354a84b4df057d129db893e7da073ce966d9c
SHA256 604bd340ee3bc601d213da08287ead8eef11ac30305ac55f2efcc56e611a58e3
SHA512 c1af72099f60df1cc1674a978674f95ab7298dfbd4219ef08387b7306c5fdca8287666992552b08b6d51788c62523f13f17e4cc76e44d5fd0ce649e6ae44d656

memory/1376-199-0x000000006EED0000-0x000000006EF1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2de04ee27889e0be8a2fe130e280f8ed
SHA1 8e89965b55bd01025cdb8baf27e66f65f9bbf289
SHA256 569f30c8de816c9835b918fe31962d87fd27c56fa7d158c395eb2dd2c498bf08
SHA512 8177bd1a78008ca54ceae4399649df6c7b8710f262262344d55d540abd35cad0e7d28090d907103733bce53ca12161f0c75e739422e8975c3c3bb141a530cb6e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60b041825c4ade5da8170194e91d3451
SHA1 6c155faf22e9beaca63b42f1f836ccaa36a120a5
SHA256 b661761c6d20317e336864da6e61716f345c3e6f25129792b0fc71f536db7ca8
SHA512 959b2eae4d84f5424362e7df6b8e764a1360aac933be05695aff08d2016f3d22c9497f00c3023715755eb9d78645e7dd08983808d97beccf2e41b0ea0df9be1f