Malware Analysis Report

2025-08-10 14:27

Sample ID 240915-l3teeaxhld
Target SampCheat.zip
SHA256 b4e0a7e5019643db5b46529c37c22173b1001d59030f1d711492aa3387445085
Tags
discovery execution persistence
score
10/10

Analysis Overview

score
10/10

SHA256

b4e0a7e5019643db5b46529c37c22173b1001d59030f1d711492aa3387445085

Threat Level: Known bad

The file SampCheat.zip was found to be: Known bad.

Malicious Activity Summary

discovery execution persistence

Modifies WinLogon for persistence

Process spawned unexpected child process

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-15 10:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-15 10:03

Reported

2024-09-15 10:05

Platform

win11-20240802-en

Max time kernel

62s

Max time network

43s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SampCheat.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MsAgentBrowserdhcp\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Migration\\WTR\\sysmon.exe\", \"C:\\MsAgentBrowserdhcp\\cmd.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\winlogon.exe\", \"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MsAgentBrowserdhcp\\unsecapp.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MsAgentBrowserdhcp\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MsAgentBrowserdhcp\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Migration\\WTR\\sysmon.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MsAgentBrowserdhcp\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Migration\\WTR\\sysmon.exe\", \"C:\\MsAgentBrowserdhcp\\cmd.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MsAgentBrowserdhcp\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Migration\\WTR\\sysmon.exe\", \"C:\\MsAgentBrowserdhcp\\cmd.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\winlogon.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\SampCheat.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MsAgentBrowserdhcp\\cmd.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "\"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\winlogon.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\MsAgentBrowserdhcp\\unsecapp.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\MsAgentBrowserdhcp\\unsecapp.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\Migration\\WTR\\sysmon.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\winlogon.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\Migration\\WTR\\sysmon.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MsAgentBrowserdhcp\\cmd.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "\"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSCF1372D2D3D274506BFF1AE81EA0E6C4.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\bwlbci.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WaaS\tasks\dllhost.exe C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
File created C:\Windows\Migration\WTR\sysmon.exe C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
File created C:\Windows\Migration\WTR\121e5b5079f7c0 C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_SampCheat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SampCheat.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\SampCheat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\._cache_SampCheat.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Token: SeDebugPrivilege N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\MsAgentBrowserdhcp\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 128 N/A C:\Users\Admin\AppData\Local\Temp\SampCheat.exe C:\Windows\System32\cmd.exe
PID 1700 wrote to memory of 128 N/A C:\Users\Admin\AppData\Local\Temp\SampCheat.exe C:\Windows\System32\cmd.exe
PID 1700 wrote to memory of 128 N/A C:\Users\Admin\AppData\Local\Temp\SampCheat.exe C:\Windows\System32\cmd.exe
PID 1700 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\SampCheat.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1700 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\SampCheat.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1700 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\SampCheat.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 128 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\._cache_SampCheat.exe C:\Windows\SysWOW64\WScript.exe
PID 128 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\._cache_SampCheat.exe C:\Windows\SysWOW64\WScript.exe
PID 128 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\._cache_SampCheat.exe C:\Windows\SysWOW64\WScript.exe
PID 3484 wrote to memory of 1712 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3484 wrote to memory of 1712 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3484 wrote to memory of 1712 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1712 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\SysWOW64\WScript.exe
PID 1712 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\SysWOW64\WScript.exe
PID 1712 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\SysWOW64\WScript.exe
PID 2552 wrote to memory of 1428 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1428 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1428 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1428 wrote to memory of 332 N/A C:\Windows\SysWOW64\cmd.exe C:\MsAgentBrowserdhcp\Bridgesurrogate.exe
PID 1428 wrote to memory of 332 N/A C:\Windows\SysWOW64\cmd.exe C:\MsAgentBrowserdhcp\Bridgesurrogate.exe
PID 4428 wrote to memory of 4980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 4980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 4980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\MsAgentBrowserdhcp\Bridgesurrogate.exe
PID 4980 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\MsAgentBrowserdhcp\Bridgesurrogate.exe
PID 332 wrote to memory of 4572 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 332 wrote to memory of 4572 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4572 wrote to memory of 3536 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4572 wrote to memory of 3536 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 332 wrote to memory of 804 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 804 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 2400 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 2400 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 1188 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 1188 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 1028 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 1028 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 868 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 868 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 1072 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 1072 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 128 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\cmd.exe
PID 332 wrote to memory of 128 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\cmd.exe
PID 128 wrote to memory of 2436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 128 wrote to memory of 2436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 128 wrote to memory of 3164 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 128 wrote to memory of 3164 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 128 wrote to memory of 1408 N/A C:\Windows\System32\cmd.exe C:\MsAgentBrowserdhcp\cmd.exe
PID 128 wrote to memory of 1408 N/A C:\Windows\System32\cmd.exe C:\MsAgentBrowserdhcp\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SampCheat.exe

"C:\Users\Admin\AppData\Local\Temp\SampCheat.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_SampCheat.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_SampCheat.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat" "

C:\MsAgentBrowserdhcp\Bridgesurrogate.exe

"C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat" "

C:\MsAgentBrowserdhcp\Bridgesurrogate.exe

"C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\MsAgentBrowserdhcp\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\MsAgentBrowserdhcp\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\MsAgentBrowserdhcp\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i0i0ghux\i0i0ghux.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF73.tmp" "c:\Windows\System32\CSCF1372D2D3D274506BFF1AE81EA0E6C4.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MsAgentBrowserdhcp\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MsAgentBrowserdhcp\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MsAgentBrowserdhcp\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 12 /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Bridgesurrogate" /sc ONLOGON /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 6 /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsAgentBrowserdhcp\unsecapp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsAgentBrowserdhcp\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9QL2sExq3z.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\MsAgentBrowserdhcp\cmd.exe

"C:\MsAgentBrowserdhcp\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 69.42.215.252:80 freedns.afraid.org tcp
N/A 224.0.0.251:5353 N/A udp

Files


C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 45f53352160cf0903c729c35c8edfdce
SHA1 b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab
SHA256 9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2
SHA512 e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA1 9910190edfaccece1dfcc1d92e357772f5dae8f7
SHA256 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA512 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

memory/1060-253-0x00007FF93DC30000-0x00007FF93DC40000-memory.dmp

memory/1060-252-0x00007FF93DC30000-0x00007FF93DC40000-memory.dmp

memory/1060-251-0x00007FF93DC30000-0x00007FF93DC40000-memory.dmp

memory/1060-250-0x00007FF93DC30000-0x00007FF93DC40000-memory.dmp

memory/1060-249-0x00007FF93DC30000-0x00007FF93DC40000-memory.dmp

memory/1060-254-0x00007FF93B6C0000-0x00007FF93B6D0000-memory.dmp

memory/1060-255-0x00007FF93B6C0000-0x00007FF93B6D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aXtdtri9.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Users\Admin\AppData\Local\Temp\68E75E00

MD5 ecbc5690692afa974626d1bbbca5953e
SHA1 46a6bcc36ded71bc5f0826774548fb1d0bb420a5
SHA256 8a5233f085d5796bfbc2846eb3e3ec797ca7c22ea3b6fa1d9ba8ba674988cfa6
SHA512 53fabc90184acb8afc60fd2c226a8e8e0a6b861449d0b0ecf1a30aa45cbe58a4f4996c30b3d9247a7415fceef4f143dabe3af1eaa3aa5f63b7043574e4f369e4

memory/3484-297-0x0000000000400000-0x0000000000AAC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bridgesurrogate.exe.log

MD5 1126a1de0a15000f1687b171641ffea6
SHA1 dcc99b2446d05b8f0f970e3e9105198a20ca9e78
SHA256 b886b6c74da838e87b2cbc539ee657a2817d126b55c0cbd6d1ab91480261bcc7
SHA512 6cfb73ea43899ffa3cecd354cd76b0a1a67f57d9054c3e31cff43424491ed3bceae5aecd0f5c414ba92aab539eb7d55af3d40eedde80c9af8d34649bb1f8d4b4

memory/3484-306-0x0000000000400000-0x0000000000AAC000-memory.dmp