Malware Analysis Report

2024-09-09 18:56

Sample ID 240618-pbry2sxbmq
Target SketchBook_7.1.1.284_Win64.exe
SHA256 8b7da1f1949d348f6082b011185ed0c2702465a442e6fd73d9a908a1ccd842b2
Tags
discovery persistence privilege_escalation
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file SketchBook_7.1.1.284_Win64.exe was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence privilege_escalation

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Uses Volume Shadow Copy service COM API

Modifies system certificate store

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 12:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 12:09

Reported

2024-06-18 12:12

Platform

win11-20240508-en

Max time kernel

144s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SketchBook_7.1.1.284_Win64.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCREDI~1.EXE N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{a1909659-0a08-4554-8af1-2175904903a1} = "\"C:\\ProgramData\\Package Cache\\{a1909659-0a08-4554-8af1-2175904903a1}\\vcredist_x64.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_amd64_20240618121005.log\" /quiet /norestart ignored /burn.runonce" C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCREDI~1.EXE N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Autodesk\SketchBook\CER\de_DE\thankYou.htm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\CER\fr_FR\thankYou.htm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Es-es\lan_buynow.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\De-de\lan_activate.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Ja-jp\lan_fail_purchase.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Ko-kr\lan_index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\Felt_tip2.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\[email protected] C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Image_ie8\brush_puck.jpg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\CER\ru_RU\exampleDesc.htm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\CER\ru_RU\senddmpRes.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\[email protected] C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\[email protected] C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetTextures\Paintbrush 1.tif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Ru-ru\lan_activate.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\Paint_Splatter_1.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Zh-cn\lan_suc_activate.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Video\copic_color.mp4 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Image\loading_bubbles.svg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Image_ie8\distort.jpg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\[email protected] C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\Extra_soft5.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\[email protected] C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Zh-cn\lan_suc_purchase.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Es-es\lan_suc_activate.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Zh-tw\lan_activate.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IScript8.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\[email protected] C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetTextures\Brush 1.tif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Ja-jp\lan_suc_activate.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Ja-jp\lan_index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Es-es\lan_error_no_internet.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\Soft_Eraser.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\[email protected] C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\[email protected] C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\[email protected] C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\Marker1.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetTextures\Brush 3.tif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\Ballpoint1.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\[email protected] C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\Hard_eraser3.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\CER\ko_KR\exampleDesc.htm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Ja-jp\lan_fail_activate.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\DIY3.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\Soft9.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Ko-kr\lan_suc_activate.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Es-es\lan_fail_purchase.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Image\[email protected] C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\CER\pt_BR\thankYou.htm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Zh-cn\lan_error_no_internet.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\ISRT.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\Abstract_2.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\[email protected] C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\Pencil_4B.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\[email protected] C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Ko-kr\lan_activate.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\En-us\lan_activate.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\Zh-tw\lan_fail_server.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\Felt_Pen.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\[email protected] C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\Medium_Brush.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\Letter_M.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\BrushPresetIcons\[email protected] C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Autodesk\SketchBook\Banner\Lang\En-us\lan_fail_activate.js C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI17AA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{790EC520-CCCC-4810-A0FE-061633204CE4} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF6AB00B033D00B2B8.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File created C:\Windows\SystemTemp\~DFF5A3738209630BF2.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI57B2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Installer\{E8771745-B470-4EB7-AF2C-D57A8CF60388}\SketchBookPro.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI667A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF9E8305B4ED0C9C9B.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{E8771745-B470-4EB7-AF2C-D57A8CF60388}\SketchBookPro.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFD15F05187CE16D40.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5B3D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57b897.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI57B1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{E8771745-B470-4EB7-AF2C-D57A8CF60388} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57b899.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Installer\e57b892.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF6D66DB7553CFA688.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI66CA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setupact.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File created C:\Windows\Installer\e57b893.mst C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF2CFDDB25D4093A9E.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57b897.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5CE4.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57b892.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57b893.mst C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000c993a456edcb2280000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000c993a450000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000c993a45000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0c993a45000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000c993a4500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SketchBook.exe = "10000" C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FBFBB5AE-3CE2-482B-9CDB-DA67F7078007}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9D85DD57-CCA3-4D7E-AA05-5BC205C2882B}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{923DF001-BD30-431A-A889-43D11CF08904}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gif\OpenWithList\SketchBook.exe C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SketchBook7.Image.JPEG\DefaultIcon\ = "C:\\Program Files\\Autodesk\\SketchBook\\SketchBook.exe,4" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E7D9436-492E-4290-A935-7D1A6B0D8BEA}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B27F4061-C6CD-42C4-881E-4D1597D0150F}\ProxyStubClsid C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SketchBook7.Image.PNG\shell\open\command\ = "\"C:\\Program Files\\Autodesk\\SketchBook\\SketchBook.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9AD61BA-AEC0-4217-8311-C0A2ABC3FE7E}\TypeLib\Version = "1.0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9923E8CC-7323-43FA-B6E3-27371227F89D}\TypeLib\ = "{9795D310-2B39-4E89-B714-C363293FCC6C}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F8CDC9E-DB60-4935-A7ED-A7BE8EB2941B}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\Driver\\8\\Intel 32\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CEAAAD86-7088-4CE6-9557-3848C0C585BE}\TypeLib\Version = "1.0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DB3E9637-17D2-4E12-8F5C-A9D94E8703C2} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SketchBook7.Image.BMP\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1634D100-7F17-4DEE-B79B-6B1AA35BF057}\ = "ISetupLogService" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9795D310-2B39-4E89-B714-C363293FCC6C}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\Driver\\8\\Intel 32\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SketchBook7.Image.GIF\shell\edit C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D67F0D9-B58C-4E7A-ADF7-CBE625EE76FB}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34A2F43F-B821-4D14-91EE-39B015B8E66E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CEAFB994-EE86-4046-8084-E697AC15B9F6} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C8CA19E8-1060-4EA3-86AF-EEE81AD5883A} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C18F0E02-E02F-4402-A8D7-70CABCC01738} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8B91CC3-8EB9-45DD-974A-76914C156A06} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DB7318BB-3098-4AA2-831F-E77AF345D2F3}\ProxyStubClsid C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8B91CC3-8EB9-45DD-974A-76914C156A06}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SketchBook7.Image.BMP\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ISInstallDriver.InstallDriver.1\CLSID\ = "{8B1670C8-DC4A-4ED4-974B-81737A23826B}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9D3A246-13AD-4CD6-8C3F-ED2BFE13CA72} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{AE8C683F-EC6D-49CD-9B74-A68F8828DEF6}\ProxyStubClsid C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{9795D310-2B39-4E89-B714-C363293FCC6C}\1.0\FLAGS C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SketchBook7.Image.PSD\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ECEF9E1E-33C3-4AC5-B898-D446A94E6AB4} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DB7318BB-3098-4AA2-831F-E77AF345D2F3}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5FC196B5-34D2-4D23-B59E-4FA93C229564} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SketchBook7.Image.JPEG C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55E72919-0516-4EFB-AD27-E841798BC170}\ = "ISetupObjectHolder" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D939419-6930-40B0-8D36-729D1631D705}\TypeLib\ = "{9795D310-2B39-4E89-B714-C363293FCC6C}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{573AEDC3-2F32-48F6-8F74-20F004C9D7CB}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{BE0B3F76-166A-4DA5-A97C-318595E3D15C} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A2B0FEA2-C453-41F7-9E00-EF1F198DDA68}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C18F0E02-E02F-4402-A8D7-70CABCC01738}\TypeLib\ = "{9795D310-2B39-4E89-B714-C363293FCC6C}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1631C530-502B-4BDA-A564-83AF569AF7A9}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A77E8D8-AFAF-4FED-A41C-DD40295D606F}\TypeLib\ = "{9795D310-2B39-4E89-B714-C363293FCC6C}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SketchBook7.Image.SKBA\shell\open\command\ = "\"C:\\Program Files\\Autodesk\\SketchBook\\SketchBook.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B84EDC85-8F87-4D92-A7DF-67AB94F2C528} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A919CEE5-F305-4FF6-B0B3-561C37AEEF7A}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E60DA5C-4175-4BD1-89C5-577032A931A0}\TypeLib\Version = "1.0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E928AA96-E054-4F71-B3D0-D1F5CE950348}\TypeLib\Version = "1.0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C8B91CC3-8EB9-45DD-974A-76914C156A06} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SketchBook7.Image.PXD\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8CA19E8-1060-4EA3-86AF-EEE81AD5883A}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A77E8D8-AFAF-4FED-A41C-DD40295D606F}\TypeLib\Version = "1.0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SketchBook7.Image.TIFF\shell\edit\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BD7C536-BFD8-41FF-826E-D8CED3178B5B}\TypeLib\Version = "1.0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8B91CC3-8EB9-45DD-974A-76914C156A06}\TypeLib\Version = "1.0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6E7D9436-492E-4290-A935-7D1A6B0D8BEA}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAB1BAB2-AD26-42EE-B4FE-B62A7AE96F62}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8A77E8D8-AFAF-4FED-A41C-DD40295D606F}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BD7C536-BFD8-41FF-826E-D8CED3178B5B}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1631C530-502B-4BDA-A564-83AF569AF7A9}\ = "ISetupFileRegistrar" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{257154A2-C292-49AB-9003-D317971F2FF1}\ProxyStubClsid C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\13A2B85158663EA4FA1DF439C23CCD00 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1726C4F-5238-4907-B312-A7D3369E084E}\ProxyStubClsid32\ = "{A1726C4F-5238-4907-B312-A7D3369E084E}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49C1B167-C294-4C76-91C0-88EBF91E88EE}\TypeLib\ = "{9795D310-2B39-4E89-B714-C363293FCC6C}" C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary blob omitted from this copy of the report) C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary blob omitted from this copy of the report) C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
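The two Blob writes above are all the sandbox records about the certificate. The subkey name is the SHA-1 thumbprint of the certificate the blob carries, and 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 matches the published thumbprint of the VeriSign Class 3 Public Primary CA - G5 root. A root landing in AuthRoot from inside setup.exe is consistent with CryptoAPI's automatic root update running in-process while the installer's Authenticode chain is built, so the process column by itself does not separate that from an installer planting a root of its own. The check is to pull the Blob value off the host, confirm that the key name equals the SHA-1 of the embedded DER certificate, and then look at that certificate. The parser below is an added example, not part of this report or of any Autodesk or sandbox tooling; it assumes the documented CryptoAPI serialized-property layout of the Blob value and runs on a constructed blob (a five-byte DER stand-in for a real certificate) so it works offline.

```python
"""Parse a SystemCertificates registry "Blob" value and check that the
certificate inside it matches the thumbprint used as the registry key name.

Added example, not sandbox output. Assumed layout (CryptoAPI serialized
properties, as stored under ...\SystemCertificates\<store>\Certificates\<sha1>\Blob):
a sequence of records, each
    DWORD propid | DWORD reserved (always 1) | DWORD cb | BYTE[cb] data
propid 32 (CERT_CERT_PROP_ID) carries the raw DER certificate,
propid 3  (CERT_SHA1_HASH_PROP_ID) its SHA-1, propid 11 a UTF-16 friendly name.
"""
from __future__ import annotations

import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32


def parse_cert_blob(blob: bytes) -> dict[int, bytes]:
    """Split a Blob value into {propid: data}; raise ValueError on a truncated record."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        propid, reserved, cb = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} at offset {off - 8}")
        if off + cb > len(blob):
            raise ValueError(f"record {propid} claims {cb} bytes past end of blob")
        props[propid] = blob[off:off + cb]
        off += cb
    return props


def build_cert_blob(props: dict[int, bytes]) -> bytes:
    """Inverse of parse_cert_blob; used here only to construct test data."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data
                    for pid, data in props.items())


def check_store_entry(key_name: str, blob: bytes) -> dict:
    """What a triager wants from one Certificates\\<thumbprint> entry: the DER
    cert, its real SHA-1, and whether that agrees with the key name and with
    the SHA-1 property stored inside the blob."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate (propid 32 missing)")
    sha1 = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    name = (props.get(CERT_FRIENDLY_NAME_PROP_ID, b"")
            .decode("utf-16-le", "replace").rstrip("\x00"))
    return {
        "der": der,
        "sha1": sha1,
        "matches_key_name": sha1 == key_name.upper(),
        "matches_stored_hash": stored is None or stored.hex().upper() == sha1,
        "friendly_name": name,
    }


# Constructed sample: a minimal DER SEQUENCE stands in for a real certificate.
# The key name is derived from it the same way Windows names these subkeys.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_KEY = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
SAMPLE_BLOB = build_cert_blob({
    CERT_FRIENDLY_NAME_PROP_ID: "Example Root\x00".encode("utf-16-le"),
    CERT_SHA1_HASH_PROP_ID: bytes.fromhex(SAMPLE_KEY),
    CERT_CERT_PROP_ID: SAMPLE_DER,
})

if __name__ == "__main__":
    ok = check_store_entry(SAMPLE_KEY, SAMPLE_BLOB)
    print(ok["friendly_name"], ok["sha1"], ok["matches_key_name"], ok["matches_stored_hash"])
    # The same blob registered under the thumbprint from this report: a mismatch,
    # which is what a tampered or mislabelled store entry looks like.
    bad = check_store_entry("4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5", SAMPLE_BLOB)
    print(bad["matches_key_name"])
```

On a live host, feed the bytes of the Blob value (exported from the registry) to check_store_entry with the subkey name; a key name that does not hash-match the embedded certificate, or a certificate whose subject is not on the published trusted root list, is the finding. Matching hashes only confirm the entry is self-consistent, not that the root is wanted.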

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
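Read per process, the table above is two different things. setup.exe enables nearly every privilege an administrator's token holds, and does so more than once; that is what installers that call AdjustTokenPrivileges across the whole privilege set look like, a blanket enable rather than a targeted SeDebugPrivilege grab, but it does mean the dropped binary ran with SeDebug, SeTcb, SeLoadDriver and SeTakeOwnership enabled, so everything else it did ran at that level. The backup, restore and security privileges on vssvc.exe, srtasks.exe and msiexec.exe are consistent with the restore point that Windows Installer requests (srtasks.exe ExecuteScopeRestorePoint appears in the process list below), which is also the likeliest source of the "Uses Volume Shadow Copy service COM API" signature the sandbox tags as ransomware. The helper below makes that grouping mechanical. It is an added example, not sandbox output; the risk classes are the author's, and the embedded rows are a subset of the table above, copied in as constructed input.

```python
"""Group the AdjustPrivilegeToken rows of a sandbox report by process and flag
the privileges that matter for escalation or tampering.

Added triage helper, not part of the sandbox report. The risk classes are the
author's; the sample rows are a subset of the report table.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Privileges worth a second look when a non-Microsoft binary enables them.
HIGH_RISK = {
    "SeDebugPrivilege",              # open and write any process
    "SeTcbPrivilege",                # act as part of the OS (token forgery)
    "SeCreateTokenPrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeImpersonatePrivilege",
    "SeLoadDriverPrivilege",         # kernel code
    "SeTakeOwnershipPrivilege",
    "SeBackupPrivilege",             # read any file or key regardless of ACL
    "SeRestorePrivilege",            # write any file or key regardless of ACL
    "SeSecurityPrivilege",           # audit log control
    "SeManageVolumePrivilege",
}

ROW = re.compile(r"^Token:\s+(?P<priv>Se\w+)\s+N/A\s+(?P<proc>\S.*?)\s+N/A$")


def parse_privilege_rows(text: str) -> dict[str, set[str]]:
    """Return {process path: set of privileges it adjusted}; non-row lines are ignored."""
    by_proc: dict[str, set[str]] = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            by_proc[m.group("proc")].add(m.group("priv"))
    return dict(by_proc)


def triage(by_proc: dict[str, set[str]]) -> list[dict]:
    """One record per process, most concerning first: dropped binaries before
    Windows binaries, then by number of high-risk privileges."""
    out = []
    for proc, privs in by_proc.items():
        out.append({
            "process": proc,
            "microsoft_system_binary": proc.lower().startswith("c:\\windows\\"),
            "total": len(privs),
            "high_risk": sorted(privs & HIGH_RISK),
            # Enabling (nearly) every privilege at once is the "enable everything
            # we hold" pattern typical of installers; a lone SeDebugPrivilege from
            # a dropped binary is the more targeted signal.
            "blanket_enable": len(privs) >= 20,
        })
    out.sort(key=lambda r: (r["microsoft_system_binary"], -len(r["high_risk"])))
    return out


# Constructed subset of the rows above (the full table repeats them).
SAMPLE = """\
Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\\Windows\\system32\\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\\Windows\\system32\\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\setup.exe N/A
Token: SeTcbPrivilege N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\setup.exe N/A
Token: SeDebugPrivilege N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\setup.exe N/A
Token: SeLoadDriverPrivilege N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\setup.exe N/A
Token: SeRestorePrivilege N/A C:\\Windows\\system32\\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\\Windows\\system32\\msiexec.exe N/A
"""

if __name__ == "__main__":
    for rec in triage(parse_privilege_rows(SAMPLE)):
        flag = "DROPPED" if not rec["microsoft_system_binary"] else "windows"
        print(f"{flag:8} {rec['total']:2} privs  high-risk={rec['high_risk']}  {rec['process']}")
```

Run against the full table (paste it into SAMPLE or read it from a file) and the setup.exe record trips blanket_enable while vssvc.exe, srtasks.exe and msiexec.exe come out with only the backup/restore/security/ownership set; that split, rather than the raw row count, is what should drive the verdict.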

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\msdt.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4260 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\SketchBook_7.1.1.284_Win64.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
PID 4260 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\SketchBook_7.1.1.284_Win64.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
PID 4260 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\SketchBook_7.1.1.284_Win64.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
PID 2096 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCREDI~1.EXE
PID 2096 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCREDI~1.EXE
PID 2096 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCREDI~1.EXE
PID 1748 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCREDI~1.EXE
PID 1748 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCREDI~1.EXE
PID 1748 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCREDI~1.EXE
PID 696 wrote to memory of 4036 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 696 wrote to memory of 4036 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 696 wrote to memory of 4036 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 696 wrote to memory of 4592 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 696 wrote to memory of 4592 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 696 wrote to memory of 4592 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 696 wrote to memory of 1752 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 696 wrote to memory of 1752 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 696 wrote to memory of 1752 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4672 wrote to memory of 3516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4672 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
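Every process start in this run appears above as a parent writing two or three times into a child it has just created. That is CreateProcess setting up the new process, not injection, and it accounts for the SketchBook_7.1.1.284_Win64.exe -> setup.exe -> VCREDI~1.EXE chain, for the Windows Installer service (PID 696, msiexec.exe /V) starting its 32-bit custom-action hosts (MsiExec.exe -Embedding), and for the WiX Burn bootstrapper re-launching itself for elevation (the -burn.unelevated BurnPipe command line in the process list below). The edge that stands out by count is Edge's browser process writing roughly forty times into one child (PID 3996); Chromium's sandbox broker does set up its children this way, so it is explainable, but it is exactly the kind of edge this signature exists to surface. What is absent is any write from the dropped binaries into a process they did not start. The script below collapses the rows into counted edges, rebuilds the tree, and labels each edge with those heuristics. It is an added example, not the sandbox's own logic; because the report carries no timestamps it assumes that the first writer seen for a PID is its creator, and its embedded rows are a constructed subset of the table above (the Edge edge is cut to four rows).

```python
"""Collapse 'PID X wrote to memory of Y' rows into counted writer->target edges,
rebuild the process tree they imply, and separate CreateProcess bookkeeping
(a few writes from a parent into a child it just started) from writes that
deserve attention (into a process the writer did not start, or many writes
into one target).

Added example, not sandbox logic. Assumption: with no timestamps, the first
writer seen for a PID is treated as its creator. Sample rows are a subset of
the report table.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+"
    r"(?P<simg>.+?\.exe)\s+(?P<timg>.+?\.exe)$",
    re.IGNORECASE,
)


def parse_wpm_rows(text: str):
    """Return (Counter of (writer_pid, target_pid) -> write count, {pid: image path})."""
    edges, images = Counter(), {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images[src], images[dst] = m["simg"], m["timg"]
    return edges, images


def classify(edges, images, create_process_max: int = 3) -> list[dict]:
    """Label every edge; the first writer seen for a target is assumed to be its creator."""
    creator: dict[int, int] = {}
    for src, dst in edges:
        creator.setdefault(dst, src)
    findings = []
    for (src, dst), n in sorted(edges.items()):
        if creator[dst] != src:
            verdict = "cross-process write"          # writer did not start the target
        elif n <= create_process_max:
            verdict = "process creation"             # CreateProcess bookkeeping
        else:
            verdict = "many writes into own child"   # explain (sandbox broker?) or escalate
        findings.append({"writer": src, "target": dst, "writes": n,
                         "writer_image": images[src], "target_image": images[dst],
                         "verdict": verdict})
    return findings


def process_tree(edges, images) -> list[str]:
    """Indented lines for the tree the edges imply, roots (writers never written to) first."""
    children: dict[int, list[int]] = defaultdict(list)
    for src, dst in edges:
        if dst not in children[src]:
            children[src].append(dst)
    targets = {dst for _, dst in edges}
    lines, seen = [], set()

    def walk(pid: int, depth: int) -> None:
        if pid in seen:          # guard against a malformed cyclic input
            return
        seen.add(pid)
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in sorted(p for p in list(children) if p not in targets):
        walk(root, 0)
    return lines


# Constructed subset of the table above; the 4672 -> 3996 edge is truncated to four rows.
SAMPLE = """\
Description Indicator Process Target
PID 4260 wrote to memory of 2096 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\SketchBook_7.1.1.284_Win64.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\setup.exe
PID 4260 wrote to memory of 2096 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\SketchBook_7.1.1.284_Win64.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\setup.exe
PID 4260 wrote to memory of 2096 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\SketchBook_7.1.1.284_Win64.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\setup.exe
PID 2096 wrote to memory of 1748 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\setup.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\VCREDI~1.EXE
PID 2096 wrote to memory of 1748 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\setup.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\VCREDI~1.EXE
PID 2096 wrote to memory of 1748 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\setup.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\VCREDI~1.EXE
PID 1748 wrote to memory of 572 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\VCREDI~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\VCREDI~1.EXE
PID 1748 wrote to memory of 572 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\VCREDI~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\VCREDI~1.EXE
PID 1748 wrote to memory of 572 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\VCREDI~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\VCREDI~1.EXE
PID 696 wrote to memory of 4036 N/A C:\\Windows\\system32\\msiexec.exe C:\\Windows\\syswow64\\MsiExec.exe
PID 696 wrote to memory of 4036 N/A C:\\Windows\\system32\\msiexec.exe C:\\Windows\\syswow64\\MsiExec.exe
PID 696 wrote to memory of 4036 N/A C:\\Windows\\system32\\msiexec.exe C:\\Windows\\syswow64\\MsiExec.exe
PID 4672 wrote to memory of 3996 N/A C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
PID 4672 wrote to memory of 3996 N/A C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
"""

if __name__ == "__main__":
    edges, images = parse_wpm_rows(SAMPLE)
    print("\n".join(process_tree(edges, images)))
    for f in classify(edges, images):
        print(f"{f['writer']:>5} -> {f['target']:<5} x{f['writes']:<3} {f['verdict']}")
```

With the full table the only edge that leaves "process creation" is 4672 -> 3996, and raising create_process_max does not change the verdict for the dropped binaries, which never write anywhere except into their own direct children.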

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\SketchBook_7.1.1.284_Win64.exe

"C:\Users\Admin\AppData\Local\Temp\SketchBook_7.1.1.284_Win64.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCREDI~1.EXE

VCREDI~1.EXE /q /norestart

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCREDI~1.EXE

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCREDI~1.EXE" /q /norestart -burn.unelevated BurnPipe.{15AD037F-C8E0-4155-A0B5-D61475C1979F} {12352986-1FA7-4F75-B47D-10F0CF090C43} 1748

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 12153CB9AA11A1EBF6A73D43253596D4 C

C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe

"C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe" -Embedding

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 4B376DF5165187FCBC8F1B78250ADE2C

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8C8CAED3D4A044684B0F2CB5DAB9705E E Global\MSI0000

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2157517

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffac1453cb8,0x7ffac1453cc8,0x7ffac1453cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,4369025852105801235,2738161640031275357,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,4369025852105801235,2738161640031275357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,4369025852105801235,2738161640031275357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4369025852105801235,2738161640031275357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4369025852105801235,2738161640031275357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4369025852105801235,2738161640031275357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,4369025852105801235,2738161640031275357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,4369025852105801235,2738161640031275357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4369025852105801235,2738161640031275357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

C:\Windows\system32\msdt.exe

-modal "66330" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF793D.tmp" -ep "NetworkDiagnosticsWeb"

C:\Windows\System32\sdiagnhost.exe

C:\Windows\System32\sdiagnhost.exe -Embedding

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4369025852105801235,2738161640031275357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 2.18.66.162:443 N/A tcp
US 8.8.8.8:53 browser.pipe.aria.microsoft.com udp
GB 2.18.66.162:443 N/A tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
N/A 224.0.0.251:5353 N/A udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SketchBook7.1.1-it_IT.mst

MD5 9e4b8a8558665746351dff0ef3322070
SHA1 a58d5439fb37a7903a46690754ff52faef7def2b
SHA256 b804b6afed744919678693032bf3e473d48972ef1b9a3f8e3de47215f66a523c
SHA512 dd58aa5a6bada76243902e154678e492d652c1152e0e17e68a69151d972fcfcccadbc67bc0d2fc052e05506588956677994d22c53205fe15345fcc465009182e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

MD5 bbf0ca03dd0cd02f735b774f5a003b73
SHA1 4a1b145144040c24e37f7df9022bcae8abd93a8a
SHA256 7d77cc504093ed6c787d2633df3f2fb36b37af17d6c8137b6c036fcc42bcc1c0
SHA512 5834a86a951b1c7bbf9cf2898f93e2555d1b5022bb6a429f4643c05a42d4b33020f992f29a2edd0435cbae8d7d6361c572e33ba35711cc856e8756861428f6dc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.xml

MD5 70288031c37142a84aba6d5aaf2c1ad5
SHA1 7be532e56cfe53063c36129a3b7ca9644cab885f
SHA256 701b3895f226cf6ee2a541f8b4e97c799ef8163cd91a73ab9e47ec290c509be6
SHA512 0df9bb09ac142178bb252f5a8407c27de1c2d7c1ddd6ae846ddca9ffa06501ec32da772a2394ac82657a90d21b8387348d23a84eacdd1ac8cc09da52c837904e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\EULA\AdskLicense.ini

MD5 e97b4876b0f17f834c10c6cf0196e1fb
SHA1 747e75a9e5ee2eb7e6babd249cb8ce941215fcf1
SHA256 b5365cce4af20710d2608c1f34cd12f0ed099463acbf60485e265045315c0cdf
SHA512 8fd2d5dbf0d1a52781dac851939b101657468c9e1bdd00a6476be84eafe2f6ec7608f8e4277a8a76053f9cb0d9727df7718c59e5b20faa351a4cf061be27595a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\EULA\English.txt

MD5 7d9389fcacc7c5e23c54458573a0f5dd
SHA1 190def8f74fea0b7aded653e7e54e921478547d6
SHA256 629b1511f22b423ab65375d9f7403f8204ded4d1b8fd41116ddf417af466d9fb
SHA512 4d8dbaeb98e9d051ca529cabb3f53184bad546415b37adca3b4d8228c63782ce8633a5b412c6678c80eef446c51666a41cd82c9dbad2a457f43c5d31328b4bc7

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SketchBook.png

MD5 81abb89f15e0482d06a6f6e36d0f410d
SHA1 5cc16807211a17855437382052542a222c846d59
SHA256 14cfbad6429f306f2dfcc03472685f0e4e1dc380b08d21733ef58d856aa1ee8a
SHA512 3bde03c7b4d61ea86c38ba4bc38bf7ca27359cf6e8be9526ea2229a06b30b45cc40d837da6819aa85e5bb1f9c428cf59a92f77aa5f15844aafce976ec81780d4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\isscript.msi

MD5 548c56242ddfe76469595a5ebc40a3b9
SHA1 95f270d3ad86310df1d3041a71a6727c49cdb1f2
SHA256 b8e0f598ffe8b4b136c5238da0ff275fa197526ae6ebc1d135abe208be3e747d
SHA512 26bc8d1afbe46796a3b5e97f81a63ea9a7be5b4fb05b67677ec19d053ba7abebced8233399f4f2ef2129294cbaf5a76ee29beca4d42cb542511e11bb2d230c93

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SketchBook7.1.1.msi

MD5 7235db16f16d320d44e13f720b1fd1a7
SHA1 e390d0c5188e9cb44cdcbdb93e3a54fdab2939f2
SHA256 34ba7c3d8d263de62c9a70619179654fa97307dbb816397852f7322129d5fa8a
SHA512 5d1f842455145412627f3313a9621230a325760c4298dba0cd394694c85668cce99a5a8682a1f47800d4ea829ff5c5585404569357d25d859b0333116d5811bf

C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcredist_x64.exe

MD5 14c4d00dc9dd39ff5b4c34bd02b9bedb
SHA1 c4ac45564e801e1bfd87936cac8a76c5754cdbd4
SHA256 9045134dc85230ee2d3d1d6be0ad3489019af643128d73ff67f95371ceb9b963
SHA512 a2954335b44eb1fe4c98245e73e320008fb667ac80c8e64099376b7801a48ebc06e02ce6e856de904f3c4b3095ed6fef64ec29420118d900dc5d9d8e714b1291

C:\Users\Admin\AppData\Local\Temp\{a1909659-0a08-4554-8af1-2175904903a1}\.ba1\wixstdba.dll

MD5 d7bf29763354eda154aad637017b5483
SHA1 dfa7d296bfeecde738ef4708aaabfebec6bc1e48
SHA256 7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93
SHA512 1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

C:\Users\Admin\AppData\Local\Temp\{a1909659-0a08-4554-8af1-2175904903a1}\.ba1\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Users\Admin\AppData\Local\Temp\{a1909659-0a08-4554-8af1-2175904903a1}\.be\vcredist_x64.exe

MD5 38410cefc9ef3c7ffc63ac3731658e3d
SHA1 d8638f21d2cfb5d5b89883d8ef0c540dedb85692
SHA256 f351b8e3d5dafb36b7ee16146e66f8ca7ecef751a0c5aaf5356315e9f613fc72
SHA512 d17ce1ec319be3582c4153eceb94e43adb94bc3f5c8bfebb5883cb425fe4a274cfd1a1ce1321c7b9b6a9695c1bc573f0702072a74cca2b932998b8de94e75e6d

memory/4260-122-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Config.Msi\e57b896.rbs

MD5 f32ed0ce2193909e4335bb26ae8e036b
SHA1 492f16aab25fa76e3f5782eef4e608befb33c947
SHA256 711cd02e2f804aafea5210fcd192a1ddc81694a7a2eac62522e4cfa101ea564b
SHA512 ccddafe70db562cd02b9062de2fc0925ec75e2ae0c8bfc71d1fe4246bf3132202c24fc0834f60a18145bd0a01b916b0a5b2aea3d137d87b72d91a2544e082fc6

C:\Users\Admin\AppData\Local\Temp\MSI2075.tmp

MD5 1ac3a7ddcf7e137189101d963557a858
SHA1 11534c7cce541b01d50fa283efbc3cce1504258d
SHA256 1c9fe88fe8410027278ee2a77dc20422d44374bf59ce9ba60a013fbfec2058f8
SHA512 dfc8d02508d9da729e1fadee3a5b1446014b864f4b2c7aeeeacf9d4d667d554e8456313e8f223428b9bc494482074223866e39835af88897326c225f43bb8a4b

memory/4036-158-0x0000000003240000-0x000000000325C000-memory.dmp

C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe

MD5 3d236e66593be77b16a2a3dfec9032aa
SHA1 03a688f7e135188f05fe2259e2c01204f8481936
SHA256 3c0d4b452627532a9d223686c0e0bdc285042da9f8cad4009048988fe705cfde
SHA512 5cb9e5696a1bf87c391946a0ef20ed81720ef52455fa8864d9ecd371077c5f04a94f210a2f98fe3ae3f8668ce611130975fc298559724e4b24faf859c4a94269

C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\_ISRES1033.DLL

MD5 010d9fa7c669eb1637c10c4aa7eca475
SHA1 df89fafbfab0471bea37a7a094216af1a4d1de29
SHA256 67d31223a5af57c533a0063c3873fce74c13fd7fc986b70bbeb6a585b68946e3
SHA512 1e6a1182b167496ec162905fd7b650011e44ed9f0a45d8f9d3a19d863852027c4169ccb005f17455df3a22f956089dc12cf976f0d9ade648b994505f863cf1f0

C:\Users\Admin\AppData\Local\Temp\MSI2364.tmp

MD5 0d1bd6352e9dff52829acb137d4a2676
SHA1 3488ec4059b67b4282ff38ac69609f605be8402a
SHA256 df50c0242690c81b6b1ccc43d7a95a1f2a2c0b964652530e8e7582b0d15a21b3
SHA512 fea48100b2da0f757f13be1c4058cb5607932bcbc1e4c7a21ae646df97cae0272c665b4e7a44ca5b0da616d6eedcfa256529b344febf9913b5af6cf5b6b95a0a

C:\Users\Admin\AppData\Local\Temp\{E8771745-B470-4EB7-AF2C-D57A8CF60388}\String1033.txt

MD5 66a3bf31fc45269b19554785d94f4ea5
SHA1 457d15642a4deab77865f6879a3e5689ace01146
SHA256 90c90e32370b2c2df474397d1673fda5487fbcde615cd66a4535f913613a533a
SHA512 753a867fded076ccf45f5f28cd40cfa9ccb2ef7feed879013b359113e068e61f153c9624bba5cb3cf2444e816a2f6bfb8cdca53fd5c0f030f875864e2b463551

memory/4072-189-0x00000000033C0000-0x00000000033E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{E8771745-B470-4EB7-AF2C-D57A8CF60388}\IGdi.dll

MD5 5aca67afa03a9c7f6204591431b1cde9
SHA1 51cd401b7c0449aa40eda31102ccfd5e2159c141
SHA256 cb7b75bdfed1afa37c3b177b2a03d5aa0c5a62a917522e7f6b8edfdf3200400d
SHA512 2a5e36d45148c52b1f1d8d7bb9b45951af2148369cf53f04821591b002d1418b16d3741a39143b4ca80f39f10cdd74aea3fcf5294bec2550b29bc58e1818b4f9

C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\objps8.dll

MD5 b7b39587207b0dbfd5c11745fe34836d
SHA1 d67ee42eb26ce87739a7213cde239e1ef99e969f
SHA256 d6261eb82445ecf2d107cdd12e261ec53c3b31aa0478bb8aab135af53f294833
SHA512 42bd9097ca52284b715a2e2074250f0c01203cc75055e8a763442a4717efee7c40b87d5c6af4fdb73779e9335723298a6de1eb309a9b5114b03f62201870eb4e

memory/4072-179-0x00000000032E0000-0x000000000330F000-memory.dmp

C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IUser8.dll

MD5 223dc0d36a316f8d330bf989a8f7d31e
SHA1 eaf3fef5f498dc0051e250ab6f12f64787f5e383
SHA256 d50c64269d45dca0f52a7722e3bd3fc0390cd1d9b942d6be1b532a414673a328
SHA512 71530ae0fbfa965e2cd98fbb5e33e37dbafc35cb4cfa8aa98c3b2756c4a43039b0edacdeea5841b511b753b0da08b48e957512c57079b79650578d7531e46283

memory/4072-174-0x0000000002FD0000-0x0000000003022000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{E8771745-B470-4EB7-AF2C-D57A8CF60388}\ISRT.DLL

MD5 2323c2f97c6af3bac2770fd697fd352c
SHA1 5b3438f9781d4ac2c1e60472b604659391b7ba8c
SHA256 59ea3ddc47c53017dd6a4bb066cbb38e2ec7297a9f48c9072fef1e9efd7b5872
SHA512 33a90250afd76045488828a13b34074e2911e4303f7b6ece24708b37ea3c9d122370f61d1c324be75380d6fed5fedf3eace32299522b45d1722547712264b05f

C:\Users\Admin\AppData\Local\Temp\{E8771745-B470-4EB7-AF2C-D57A8CF60388}\setup.inx

MD5 5a1cb08ab81c9d1025ea8f65c1111a17
SHA1 21b5a969360c92de6228faa67ae72741d2074f5e
SHA256 f049ed6ac93a0eb7a714317f3cff52bb303eb1171a92525a479d9672ebc2c376
SHA512 a22dc28323ebce6f7e6512ef30a89cf6c3ddd0895645895e6667c0cc6143b9893209fe592002e2fb65ea67aaa3ec3eceb2217b9b8491a59b1a1c2705eacef3e8

C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IScript8.dll

MD5 ffeba6524ba6b2737e765e1f07e64184
SHA1 e2ed713b8eadfdf64e2be7040c35caa1694456a0
SHA256 cdba886320dc16ad24607db02ac0303382c01d8ce77dd6de4d55dfaa9ffec99d
SHA512 da50948f74d99d84ad930e16b0b2956208b6fdc3c729da59f9bf99c3c9a56e1c7b78f1f281ad9a36eb8756e4a61e21a3692f271b40085d500135abfac1a86cea

memory/4592-207-0x00000000029F0000-0x0000000002A0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{E8771745-B470-4EB7-AF2C-D57A8CF60388}\IsConfig.INI

MD5 a485e07231ca2cb2e240d3af534b0e2c
SHA1 bf9b6b07b9ce2b2605227bed41fce300572d9875
SHA256 df8c83d3867881f77e84bc2e80bff1bb82a16caa012286c2e348973f90bcc322
SHA512 e12d6c0cef7c8a084b7e5292b71136980582f8f108d2bce1ec44232120cf4fadb24fd5e60e8be246c8ec635ce1ca0bbaefa55a38e709892f2f54a651bbd30026

C:\Program Files\Autodesk\SketchBook\SketchBook.exe

MD5 dd68a58fbc1edef3b255b27078a80c7b
SHA1 9ce4fc6f0adaa2e0e7f9485963d51abb4347d42e
SHA256 53049516a1cc874755af18e8a5a39a0f7e9a12c23385072861fd071c1d66ac60
SHA512 513dda8dabbac14a8b3be6afda3889621ac508595f5530b59e4b72549d0e9096bf414587fa8e207e4e6c8777122fda674ac42720b0610c785b695f9cf92f8a48

C:\Config.Msi\e57b898.rbs

MD5 1568b8ac00d4ab114fb5aba005ee31c1
SHA1 a4946aab930d8b8593486825fd823fc585c88ff4
SHA256 6976038657c80bbb87d26f4727b63e0ded5270f5865bf055257ec52c0e2e5faf
SHA512 0ab85029a8516aacc9aa35c95db1a1c52c6fac9c945475855b76127de955d7a6a3cee4b9e909b0e668c17ad274862602386e828d8e7fc883aede80551032c73a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-6-18.1211.1748.1.odl

MD5 1f73baf653b26da53744961246b729f4
SHA1 a1dd80b145ba0b994491f3b46e3ca4578d1b6db5
SHA256 47ddcbbd26387b9dc86429ec8bae3a29b781ed3a79674ea22fc2ce1f223e4f27
SHA512 705134494dc6e04e991915febfdc5ef01ec0bfd5ac2943385b123538c6f2a24256d993b2455e8314e59e57e9ccd67314d66779a4cfd7c70129b2c3c44d8b4316

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0c705388d79c00418e5c1751159353e3
SHA1 aaeafebce5483626ef82813d286511c1f353f861
SHA256 697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d
SHA512 c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bfd5191d8663d5f3cf7c069063b4cba2
SHA1 debbda9e1d967e032615e8bb566d73b9bfff4f48
SHA256 06285d680dea9fac7e1f16ecd7a4fd2a9cc1e65a30b6fa633b010086dbe2d923
SHA512 0759e0731b10abfa915ba6ff7cbc3d543b39f5092e30007649154f87c5afbdc0bb559a84a034b89647059af9d5e85c6ce8f22a79970c12f29ca211a9e158cf58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0d84d1490aa9f725b68407eab8f0030e
SHA1 83964574467b7422e160af34ef024d1821d6d1c3
SHA256 40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e
SHA512 f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

\??\pipe\LOCAL\crashpad_4672_AXBGJCMBLDKBGJFT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Windows\Temp\SDIAG_5b5cc82f-f125-4a38-ba65-4b036b70aefe\en-US\DiagPackage.dll.mui

MD5 44b3399345bc836153df1024fa0a81e1
SHA1 ce979bfdc914c284a9a15c4d0f9f18db4d984cdd
SHA256 502abf2efedb7f76147a95dc0755723a070cdc3b2381f1860313fd5f01c4fb4d
SHA512 a49ba1a579eedca2356f8a4df94b1c273e483ceace93c617cddee77f66e90682836c77cea58047320b2c2f1d0e23ee7efa3d8af71e8ee864faef7e68f233bec4

C:\Windows\Temp\SDIAG_5b5cc82f-f125-4a38-ba65-4b036b70aefe\DiagPackage.dll

MD5 ec287e627bf07521b8b443e5d7836c92
SHA1 02595dde2bd98326d8608ee3ddabc481ddc39c3d
SHA256 35fa9f66ed386ee70cb28ec6e03a3b4848e3ae11c8375ba3b17b26d35bd5f694
SHA512 8465ae3ca6a4355888eecedda59d83806faf2682431f571185c31fb8a745f2ef4b26479f07aaf2693cd83f2d0526a1897a11c90a1f484a72f1e5965b72de9903

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lju1qltr.3qj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/6668-1308-0x0000019B59A00000-0x0000019B59A22000-memory.dmp

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061812.000\NetworkDiagnostics.debugreport.xml

MD5 a3d0763f98010f815d07ad26f961e8e5
SHA1 a9bbefe34ab3be09bfccd14a197ebebb0a74b762
SHA256 d0430e282e7ad303add8ab92c995dff61b9da42a63c90a46b8aaaf03945107ba
SHA512 a92e6d5168ccf18b3a90d09396a8cf11d4dba05c9e91739672ea48eef22c331bde540ed2185360e9812494dc6353b9ab5b74605b39c012cd7a32f98a995b3d36

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061812.000\results.xsl

MD5 90df783c6d95859f3a420cb6af1bafe1
SHA1 3fe1e63ca5efc0822fc3a4ae862557238aa22f78
SHA256 06db605b5969c93747313e6409ea84bdd8b7e1731b7e6e3656329d77bcf51093
SHA512 e5dcbb7d8f42eabf42966fccee11c3d3e3f965ecc7a4d9e4ecd0382a31c4e8afea931564b1c6931f6d7e6b3650dc01a4a1971e317dab6c1f03932c6b6b7d399f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 066e41dfd05ecc304aa8eb36d93f9c71
SHA1 5e72cba0c313fcb78f4b80bf42668797f4509108
SHA256 713872cc4c0fca1bdb1b7a8c5a924923e87d4963ba0646b4cd245c17b3ea1fa9
SHA512 eba1e67ca5bc2484b2fcfe09bd034cbcf44a7ade458d5b5010cae922e8c58e0959eef9e51616001d1746bd27db31eb2963f3cc77e8460e777c9dbfe2fe3f69ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7da5145e757e904896d19dfde3dd6fa1
SHA1 13faebb5064090575a27919a162ecea3ac36581d
SHA256 6d8423051c4911a658a673b6c7973ec9d8956e7cc49cdbc717b381524bc26372
SHA512 1e50f1d003dbc4c9b2218b025b46644c5fc24751792d94231f1d97499129a6ca41dd593b322a9ccb3147eff61908ec3443c14e5bbb8af612c88a40fc033a67b9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
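A practitioner usually wants this Files listing as a machine-readable IOC set rather than a wall of digests, with the noise filtered out: process memory dumps carry no hashes, the `\??\pipe\LOCAL\crashpad_...` entry carries the MD5/SHA1/SHA256/SHA512 of zero bytes (no content to pivot on), and paths such as `settings.dat` and `Local State` appear twice with different digests because the file was rewritten during the run. The parser below is an added example, not part of this report or the sandbox's own tooling; it assumes the layout seen on this page (a path line, then `MD5`/`SHA1`/`SHA256`/`SHA512` lines, or a bare `memory/...` line). `SAMPLE` is constructed from a few of the entries above; `classify`, `parse_files_section`, `is_empty_digest`, `rewritten_paths` and `ioc_sha256s` are names chosen for the example.

```python
import hashlib
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero bytes: an entry carrying only these has no content to pivot on.
EMPTY_DIGESTS = {a: getattr(hashlib, a.lower())(b"").hexdigest() for a in HEX_LEN}

# Constructed sample, copied from entries in the report's Files section.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcredist_x64.exe

MD5 14c4d00dc9dd39ff5b4c34bd02b9bedb
SHA1 c4ac45564e801e1bfd87936cac8a76c5754cdbd4
SHA256 9045134dc85230ee2d3d1d6be0ad3489019af643128d73ff67f95371ceb9b963
SHA512 a2954335b44eb1fe4c98245e73e320008fb667ac80c8e64099376b7801a48ebc06e02ce6e856de904f3c4b3095ed6fef64ec29420118d900dc5d9d8e714b1291

memory/4260-122-0x0000000000400000-0x0000000000421000-memory.dmp

\??\pipe\LOCAL\crashpad_4672_AXBGJCMBLDKBGJFT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0c705388d79c00418e5c1751159353e3
SHA256 697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0d84d1490aa9f725b68407eab8f0030e
SHA256 40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e
"""


def classify(path: str) -> str:
    """Bucket a report path by what the sandbox actually captured."""
    if path.startswith("memory/"):
        return "memory"  # process memory dump, listed without digests
    if path.startswith(r"\??\pipe\\".rstrip("\\")):
        return "pipe"  # named-pipe object, not a file on disk
    return "file"


def parse_files_section(text: str) -> list[dict]:
    """Return one {"path", "kind", "hashes"} record per listed artifact.

    A hash line with the wrong digest length, or one that precedes any path,
    raises ValueError instead of being silently attached to the wrong record.
    """
    records: list[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:
            current = {"path": line, "kind": classify(line), "hashes": {}}
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"hash line before any path: {line}")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HEX_LEN[algo]:
            raise ValueError(f"bad {algo} length for {current['path']}")
        current["hashes"][algo] = digest
    return records


def is_empty_digest(rec: dict) -> bool:
    """True when every digest on the record is the digest of zero bytes."""
    h = rec["hashes"]
    return bool(h) and all(h[a] == EMPTY_DIGESTS[a] for a in h)


def rewritten_paths(records: list[dict]) -> dict[str, list[str]]:
    """Paths listed more than once with differing SHA256s (rewritten during the run)."""
    seen: dict[str, list[str]] = defaultdict(list)
    for rec in records:
        sha = rec["hashes"].get("SHA256")
        if sha and sha not in seen[rec["path"]]:
            seen[rec["path"]].append(sha)
    return {p: shas for p, shas in seen.items() if len(shas) > 1}


def ioc_sha256s(records: list[dict]) -> set[str]:
    """SHA256s worth pivoting on: on-disk files only, never empty content."""
    return {
        rec["hashes"]["SHA256"]
        for rec in records
        if rec["kind"] == "file" and "SHA256" in rec["hashes"] and not is_empty_digest(rec)
    }
```

Run `parse_files_section` over the whole Files section of the report (pasted as one string) and feed `ioc_sha256s` to whatever hash-reputation or retro-hunt tool you use; `rewritten_paths` points at files the installer (or the browser it triggered) touched more than once, which is where a second look at the process tree usually pays off.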