Malware Analysis Report

2024-11-30 03:43

Sample ID 221114-xavybach56
Target WindowsBootManager.exe
SHA256 3a3e3f8bb3ea348375c6afad7f6f28a90040c178ac29b378b60e6798cbf8c3ac
Tags
ransomware spyware stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 3a3e3f8bb3ea348375c6afad7f6f28a90040c178ac29b378b60e6798cbf8c3ac

Threat Level: Known bad

The file WindowsBootManager.exe was found to be: Known bad.

Malicious Activity Summary

ransomware spyware stealer

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-11-14 18:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-11-14 18:39

Reported 2022-11-14 18:42

Platform win7-20220812-en

Max time kernel 151s

Max time network 45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WindowsBootManager.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A (2 identical events)

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsBootManager.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe | N/A (63 identical events)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1172 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsBootManager.exe | C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe (4 identical events)
PID 1956 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe | C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe (4 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\WindowsBootManager.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsBootManager.exe"

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

"C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WindowsBootManager" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1228 --field-trial-handle=1256,i,2029857542095144012,12835848492193415419,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | rentry.co | udp
N/A | 107.189.8.5:443 | rentry.co | tcp
N/A | 8.8.8.8:53 | ipinfo.io | udp
N/A | 34.117.59.81:443 | ipinfo.io | tcp
N/A | 8.8.8.8:53 | canary.discord.com | udp
N/A | 162.159.137.232:443 | canary.discord.com | tcp (2 identical connections)

Files

memory/1172-54-0x0000000075571000-0x0000000075573000-memory.dmp

\Users\Admin\AppData\Local\Temp\nso1077.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nso1077.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

\Users\Admin\AppData\Local\Temp\nso1077.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

MD5 6d582ad6377f23e6ded3fbe114cdebef
SHA1 255a6e30eee82dd5f3084a2cfcd636f9f2571114
SHA256 f1d66f5ad4a4a3429e962adc3d6d037f71d4ae1772e86253987e7aaa5652fdb4
SHA512 8544c5847b06b143f736f5337b3f49eb2e0bf04c0bfebaba727f5954e73715c07a914c901f6a72dfc995abf654615856797743c21a6bb68339584a727a4ae5e4

memory/1956-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

MD5 6d582ad6377f23e6ded3fbe114cdebef
SHA1 255a6e30eee82dd5f3084a2cfcd636f9f2571114
SHA256 f1d66f5ad4a4a3429e962adc3d6d037f71d4ae1772e86253987e7aaa5652fdb4
SHA512 8544c5847b06b143f736f5337b3f49eb2e0bf04c0bfebaba727f5954e73715c07a914c901f6a72dfc995abf654615856797743c21a6bb68339584a727a4ae5e4

\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\ffmpeg.dll

MD5 21647425561f9dfa567139d2c505f585
SHA1 efd5b3d6a21886c6467d28c73d20be0acb4591e9
SHA256 b827172262cea032be8303aae69a947a8d867006269bb8b2bc7e77619333c1b6
SHA512 c5316a6b2d77cf2c2949698f9cba92fe1ec57b2ac82d55fbbeffe71b4834ec06e83728a176f5089c91cc9544deda0667f39338f1e9d1a37db69bd8bad4af915a

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\ffmpeg.dll

MD5 21647425561f9dfa567139d2c505f585
SHA1 efd5b3d6a21886c6467d28c73d20be0acb4591e9
SHA256 b827172262cea032be8303aae69a947a8d867006269bb8b2bc7e77619333c1b6
SHA512 c5316a6b2d77cf2c2949698f9cba92fe1ec57b2ac82d55fbbeffe71b4834ec06e83728a176f5089c91cc9544deda0667f39338f1e9d1a37db69bd8bad4af915a

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\v8_context_snapshot.bin

MD5 dd0d4997dfab65b96aad66d035f6029c
SHA1 65faa1dbb7ccd902f1f1af544f6941234ff679d3
SHA256 f033fb86fa92df1be464de590aa312cc016bc5d6bea26672c896bf4d3f1261cd
SHA512 86b06bd0f91f50bd13b3af179f3f498f10a225d25ba5ca32258f75567e601c3f48f7a3fb436c3b0d2ba53cc9eaaa8f74c95b44458628b0ea716563694a3c7002

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\icudtl.dat

MD5 d866d68e4a3eae8cdbfd5fc7a9967d20
SHA1 42a5033597e4be36ccfa16d19890049ba0e25a56
SHA256 c61704cc9cf5797bf32301a2b3312158af3fe86eadc913d937031cf594760c2d
SHA512 4cc04e708b9c3d854147b097e44ff795f956b8a714ab61ddd5434119ade768eb4da4b28938a9477e4cb0d63106cce09fd1ec86f33af1c864f4ea599f8d999b97

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources\app.asar

MD5 4b2f3c2a979721edaa7e8141cd9ed59b
SHA1 5a8441a0e7292cfacf776185c5bb0ff64c763005
SHA256 b46ffd5eaa28f8b42970d4b9ac5b5dfab5306e8393676fe6a29ed1e23ab36e80
SHA512 2cfd1000147c005ae0b8412682b78ee6b7220635bc491bab757e1db565060a27eff42c7a12b67585439d34424e41c274f494ae0dfa24a1ff5819ee3eb2bb98db

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources\app.asar.unpacked\node_modules\clipboardy\package.json

MD5 6dcf210526904a7678858cf77afe862b
SHA1 9f8724cad326edcf256106581e41831e5dbc186f
SHA256 10bac01de1f6cd92affed90c16888c0e81e557a6426f266862723196712c1779
SHA512 5114adbd62189df69dbbefd095ef3041719d4bcd6ea985dcd61477f4aed3a8ff43bc1b41eec9f5add4562610cf6d9b51b3b3ac773a59b2a36e70ab49796fe366

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources\app.asar.unpacked\node_modules\clipboardy\lib\termux.js

MD5 42964227cd4d18db36d54abb31751ad3
SHA1 3194be24a98f6a8493eb1cf96081c592c5986320
SHA256 20177609ef84109cbd8e76f554d622ec14587297c1d2a98100a42cfb0f181535
SHA512 e523b1a1edad998294f7a3c4feb10bb8946bd8284f09457ac56dd721970c792d3dc8d58bdbf3dca8e24d8a109b13aac461019d6c47a5acbe0b2db013af2deaa7

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources\app.asar.unpacked\node_modules\clipboardy\lib\windows.js

MD5 f912cda66cb6fc434824a5aa3ffcb717
SHA1 95a9e0e407db544a16745af494aaefe3e8693231
SHA256 a56136479ba0522e8138839c4453571bb28fa9e1ac009f103e251cc75e8066d6
SHA512 5466dfca3b5ce776cb34fec8ff48e82ac22ef759f2d62ac2462c184b5e629487e10a07d7fc1b7babee2abbda97f0250103b65c307acdd516ad5c713b70c19e5d

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources\app.asar.unpacked\node_modules\clipboardy\lib\macos.js

MD5 4814022b2ae67df02bc84afd6e218ef3
SHA1 a4a6a3280110acd5f8c15f51fb98030a7d9e1f03
SHA256 e50f203ab3894301fd7e3ec2d2581739d5f39f395df34b754964927cfca6aeda
SHA512 415d98b8825d8b95c3c6931a0e42bacc3a7ab4b67fe2dd4f09b2319cf52fb516696229dc7c5ccdf5218ac4effe76b361dc455e1f58eea5a87b2a52704ea3a597

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources\app.asar.unpacked\node_modules\clipboardy\lib\linux.js

MD5 56d77986c00c7c8bc6000f4068578295
SHA1 657e0769181d7d0f1c36036117763b41c342566d
SHA256 0b364961d2374291c79cf8556f065b7bc272f117fcef6b9b67aefa2b9d762109
SHA512 16f2b7c4fe77d38df07c0b05a72329d5c820b5d727390dc9780b2f9962a766d3cc65decea01a6d7caad32f6127bd280c55e38a07bccd5dba6307e6b8f8728777

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources\app.asar.unpacked\node_modules\clipboardy\index.js

MD5 76ddee29be6d109fb8bfd6c0f387ada6
SHA1 99d6f7e30c631c246e63f0bd48cf7faaf078a02b
SHA256 66880b0d3ec39ba64b224a34a5ef0352032ee95862e1f4e6b2951df85cbc9399
SHA512 555b1d9dbae2b39a0d06b1f8f2ca73ee5faee759deb6e76064047b82aa63e7ea16f69b18856660e9811110a2590696fb8f967182878dfce1e342c391e0d0541a

\Users\Admin\AppData\Local\Temp\d81c7d91-b851-443d-8e2e-2b563a5a1a01.tmp.node

MD5 5ecb9303024b5e5a960bc37e4be31773
SHA1 235705541c5d347a4e236af604d44e332c3976b4
SHA256 a90f84a584806ac02a3a405aa605eb6e98f9b7cee5f526ca47300e73eb1c0b0e
SHA512 094a8ab08d5112575543e3b44f7bfe4ac6a77e5ab7dc5de8b2ecb7d2f833100f3f00297c13591ab77e934457f7ae325048d21b001ba8717e621d1155e77dfa49

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\chrome_100_percent.pak

MD5 237ca1be894f5e09fd1ccb934229c33b
SHA1 f0dfcf6db1481315054efb690df282ffe53e9fa1
SHA256 f14362449e2a7c940c095eda9c41aad5f1e0b1a1b21d1dc911558291c0c36dd2
SHA512 1e52782db4a397e27ce92412192e4de6d7398effaf8c7acabc9c06a317c2f69ee5c35da1070eb94020ed89779344b957edb6b40f871b8a15f969ef787fbb2bca

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources.pak

MD5 a1e5aafe5a1509ef461d584c98484ff7
SHA1 455a36fff7a12989d0d1fc944a3c8840141d865a
SHA256 dd0cdd9201c5966dcc8b3ac3f587fdb05cad09547e267e0d16b8b1a3cff14772
SHA512 f98e33fe7e89a7798c6c274b4220c7c5262a2cedd0c0a04c7821634679f71145eca78c7a36a9f576712a00ffbabfabf58c958483d2d69fa9960178a7c3581946

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\locales\en-US.pak

MD5 5cc884bf0ec1c702240173b35a421d1b
SHA1 19bdfb0b31dc4a75e7c135d1a8ef76f5f6cc3a31
SHA256 9f0c75c84381360677055d6197812c7a6c42dbfc6134eb8212d8a60ed1ca1601
SHA512 48772f50f6b0d846084a0cfb0d6433f2fbf73677b557b022d0d73d04790636c0c40ed873c32fd037013e943fb7c24816efdcde38429520895c00c2d85a17ea5c

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\chrome_200_percent.pak

MD5 7059af03603f93898f66981feb737064
SHA1 668e41a728d2295a455e5e0f0a8d2fee1781c538
SHA256 04d699cfc36565fa9c06206ba1c0c51474612c8fe481c6fd1807197dc70661e6
SHA512 435329d58b56607a2097d82644be932c60727be4ae95bc2bcf10b747b7658918073319dfa1386b514d84090304a95fcf19d56827c4b196e4d348745565441544

\Users\Admin\AppData\Local\Temp\056c597f-bbf6-46fd-b794-3401f1d699a3.tmp.node

MD5 083fd9f2e3e93e1f2c599a2b609c9e5e
SHA1 6db2b6ce3e60d828ca32a6000c270c09224f3139
SHA256 5800c926c34c7ef38a45840c30e8855c1b3a6ec1ec8f37ffc6ce2d402728eabd
SHA512 08206b13d7e91f36d65de545b483d5fa446c2a1d8baab4c2fb19aa711af10cbfd98da3811d34a16033b5c09eb297fdcfaf09a186b4dcf69e84bb4dfcc11d96b2

Analysis: behavioral2

Detonation Overview

Submitted 2022-11-14 18:39

Reported 2022-11-14 18:42

Platform win10v2004-20220901-en

Max time kernel 151s

Max time network 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WindowsBootManager.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe | N/A (2 identical events)

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsBootManager.exe | N/A (3 identical events)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe | N/A (13 identical events)

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A (2 identical events)

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WerFault.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsBootManager.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe | N/A (32 events, alternating with the row below)
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe | N/A (31 events, alternating with the row above)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4328 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 4328 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe
PID 3056 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

Processes

C:\Users\Admin\AppData\Local\Temp\WindowsBootManager.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsBootManager.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 476 -p 816 -ip 816

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 816 -s 2468

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

"C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WindowsBootManager" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1844,i,18293558240883120809,16641774971572418371,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

"C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\WindowsBootManager" --mojo-platform-channel-handle=2044 --field-trial-handle=1844,i,18293558240883120809,16641774971572418371,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

"C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WindowsBootManager" --app-path="C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2460 --field-trial-handle=1844,i,18293558240883120809,16641774971572418371,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

"C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\WindowsBootManager" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1008 --field-trial-handle=1844,i,18293558240883120809,16641774971572418371,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country  Destination            Domain                Proto
N/A      209.197.3.8:80                               tcp
N/A      209.197.3.8:80                               tcp
N/A      2.18.109.224:443                             tcp
N/A      8.8.8.8:53             rentry.co             udp
N/A      107.189.8.5:443        rentry.co             tcp
N/A      8.8.8.8:53             ipinfo.io             udp
N/A      34.117.59.81:443       ipinfo.io             tcp
N/A      8.8.8.8:53             ajax.googleapis.com   udp
N/A      172.217.168.234:443    ajax.googleapis.com   tcp
N/A      8.8.8.8:53             canary.discord.com    udp
N/A      162.159.138.232:443    canary.discord.com    tcp
N/A      162.159.138.232:443    canary.discord.com    tcp
N/A      8.8.8.8:53             dns.google            udp
N/A      8.8.4.4:443            dns.google            tcp
N/A      8.8.4.4:443            dns.google            tcp
N/A      209.197.3.8:80                               tcp
N/A      209.197.3.8:80                               tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nsoC50B.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

memory/3056-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

MD5 6d582ad6377f23e6ded3fbe114cdebef
SHA1 255a6e30eee82dd5f3084a2cfcd636f9f2571114
SHA256 f1d66f5ad4a4a3429e962adc3d6d037f71d4ae1772e86253987e7aaa5652fdb4
SHA512 8544c5847b06b143f736f5337b3f49eb2e0bf04c0bfebaba727f5954e73715c07a914c901f6a72dfc995abf654615856797743c21a6bb68339584a727a4ae5e4

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\ffmpeg.dll

MD5 21647425561f9dfa567139d2c505f585
SHA1 efd5b3d6a21886c6467d28c73d20be0acb4591e9
SHA256 b827172262cea032be8303aae69a947a8d867006269bb8b2bc7e77619333c1b6
SHA512 c5316a6b2d77cf2c2949698f9cba92fe1ec57b2ac82d55fbbeffe71b4834ec06e83728a176f5089c91cc9544deda0667f39338f1e9d1a37db69bd8bad4af915a

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\ffmpeg.dll

MD5 21647425561f9dfa567139d2c505f585
SHA1 efd5b3d6a21886c6467d28c73d20be0acb4591e9
SHA256 b827172262cea032be8303aae69a947a8d867006269bb8b2bc7e77619333c1b6
SHA512 c5316a6b2d77cf2c2949698f9cba92fe1ec57b2ac82d55fbbeffe71b4834ec06e83728a176f5089c91cc9544deda0667f39338f1e9d1a37db69bd8bad4af915a

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\icudtl.dat

MD5 d866d68e4a3eae8cdbfd5fc7a9967d20
SHA1 42a5033597e4be36ccfa16d19890049ba0e25a56
SHA256 c61704cc9cf5797bf32301a2b3312158af3fe86eadc913d937031cf594760c2d
SHA512 4cc04e708b9c3d854147b097e44ff795f956b8a714ab61ddd5434119ade768eb4da4b28938a9477e4cb0d63106cce09fd1ec86f33af1c864f4ea599f8d999b97

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\v8_context_snapshot.bin

MD5 dd0d4997dfab65b96aad66d035f6029c
SHA1 65faa1dbb7ccd902f1f1af544f6941234ff679d3
SHA256 f033fb86fa92df1be464de590aa312cc016bc5d6bea26672c896bf4d3f1261cd
SHA512 86b06bd0f91f50bd13b3af179f3f498f10a225d25ba5ca32258f75567e601c3f48f7a3fb436c3b0d2ba53cc9eaaa8f74c95b44458628b0ea716563694a3c7002

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources\app.asar

MD5 4b2f3c2a979721edaa7e8141cd9ed59b
SHA1 5a8441a0e7292cfacf776185c5bb0ff64c763005
SHA256 b46ffd5eaa28f8b42970d4b9ac5b5dfab5306e8393676fe6a29ed1e23ab36e80
SHA512 2cfd1000147c005ae0b8412682b78ee6b7220635bc491bab757e1db565060a27eff42c7a12b67585439d34424e41c274f494ae0dfa24a1ff5819ee3eb2bb98db

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources\app.asar.unpacked\node_modules\clipboardy\package.json

MD5 6dcf210526904a7678858cf77afe862b
SHA1 9f8724cad326edcf256106581e41831e5dbc186f
SHA256 10bac01de1f6cd92affed90c16888c0e81e557a6426f266862723196712c1779
SHA512 5114adbd62189df69dbbefd095ef3041719d4bcd6ea985dcd61477f4aed3a8ff43bc1b41eec9f5add4562610cf6d9b51b3b3ac773a59b2a36e70ab49796fe366

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources\app.asar.unpacked\node_modules\clipboardy\index.js

MD5 76ddee29be6d109fb8bfd6c0f387ada6
SHA1 99d6f7e30c631c246e63f0bd48cf7faaf078a02b
SHA256 66880b0d3ec39ba64b224a34a5ef0352032ee95862e1f4e6b2951df85cbc9399
SHA512 555b1d9dbae2b39a0d06b1f8f2ca73ee5faee759deb6e76064047b82aa63e7ea16f69b18856660e9811110a2590696fb8f967182878dfce1e342c391e0d0541a

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources\app.asar.unpacked\node_modules\clipboardy\lib\termux.js

MD5 42964227cd4d18db36d54abb31751ad3
SHA1 3194be24a98f6a8493eb1cf96081c592c5986320
SHA256 20177609ef84109cbd8e76f554d622ec14587297c1d2a98100a42cfb0f181535
SHA512 e523b1a1edad998294f7a3c4feb10bb8946bd8284f09457ac56dd721970c792d3dc8d58bdbf3dca8e24d8a109b13aac461019d6c47a5acbe0b2db013af2deaa7

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources\app.asar.unpacked\node_modules\clipboardy\lib\windows.js

MD5 f912cda66cb6fc434824a5aa3ffcb717
SHA1 95a9e0e407db544a16745af494aaefe3e8693231
SHA256 a56136479ba0522e8138839c4453571bb28fa9e1ac009f103e251cc75e8066d6
SHA512 5466dfca3b5ce776cb34fec8ff48e82ac22ef759f2d62ac2462c184b5e629487e10a07d7fc1b7babee2abbda97f0250103b65c307acdd516ad5c713b70c19e5d

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources\app.asar.unpacked\node_modules\clipboardy\lib\macos.js

MD5 4814022b2ae67df02bc84afd6e218ef3
SHA1 a4a6a3280110acd5f8c15f51fb98030a7d9e1f03
SHA256 e50f203ab3894301fd7e3ec2d2581739d5f39f395df34b754964927cfca6aeda
SHA512 415d98b8825d8b95c3c6931a0e42bacc3a7ab4b67fe2dd4f09b2319cf52fb516696229dc7c5ccdf5218ac4effe76b361dc455e1f58eea5a87b2a52704ea3a597

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources\app.asar.unpacked\node_modules\clipboardy\lib\linux.js

MD5 56d77986c00c7c8bc6000f4068578295
SHA1 657e0769181d7d0f1c36036117763b41c342566d
SHA256 0b364961d2374291c79cf8556f065b7bc272f117fcef6b9b67aefa2b9d762109
SHA512 16f2b7c4fe77d38df07c0b05a72329d5c820b5d727390dc9780b2f9962a766d3cc65decea01a6d7caad32f6127bd280c55e38a07bccd5dba6307e6b8f8728777

C:\Users\Admin\AppData\Local\Temp\0fbdf762-6ad5-49ee-830b-975274d62031.tmp.node

MD5 5ecb9303024b5e5a960bc37e4be31773
SHA1 235705541c5d347a4e236af604d44e332c3976b4
SHA256 a90f84a584806ac02a3a405aa605eb6e98f9b7cee5f526ca47300e73eb1c0b0e
SHA512 094a8ab08d5112575543e3b44f7bfe4ac6a77e5ab7dc5de8b2ecb7d2f833100f3f00297c13591ab77e934457f7ae325048d21b001ba8717e621d1155e77dfa49

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\resources.pak

MD5 a1e5aafe5a1509ef461d584c98484ff7
SHA1 455a36fff7a12989d0d1fc944a3c8840141d865a
SHA256 dd0cdd9201c5966dcc8b3ac3f587fdb05cad09547e267e0d16b8b1a3cff14772
SHA512 f98e33fe7e89a7798c6c274b4220c7c5262a2cedd0c0a04c7821634679f71145eca78c7a36a9f576712a00ffbabfabf58c958483d2d69fa9960178a7c3581946

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\locales\en-US.pak

MD5 5cc884bf0ec1c702240173b35a421d1b
SHA1 19bdfb0b31dc4a75e7c135d1a8ef76f5f6cc3a31
SHA256 9f0c75c84381360677055d6197812c7a6c42dbfc6134eb8212d8a60ed1ca1601
SHA512 48772f50f6b0d846084a0cfb0d6433f2fbf73677b557b022d0d73d04790636c0c40ed873c32fd037013e943fb7c24816efdcde38429520895c00c2d85a17ea5c

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\chrome_200_percent.pak

MD5 7059af03603f93898f66981feb737064
SHA1 668e41a728d2295a455e5e0f0a8d2fee1781c538
SHA256 04d699cfc36565fa9c06206ba1c0c51474612c8fe481c6fd1807197dc70661e6
SHA512 435329d58b56607a2097d82644be932c60727be4ae95bc2bcf10b747b7658918073319dfa1386b514d84090304a95fcf19d56827c4b196e4d348745565441544

memory/932-155-0x0000000000000000-mapping.dmp

memory/920-154-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

MD5 6d582ad6377f23e6ded3fbe114cdebef
SHA1 255a6e30eee82dd5f3084a2cfcd636f9f2571114
SHA256 f1d66f5ad4a4a3429e962adc3d6d037f71d4ae1772e86253987e7aaa5652fdb4
SHA512 8544c5847b06b143f736f5337b3f49eb2e0bf04c0bfebaba727f5954e73715c07a914c901f6a72dfc995abf654615856797743c21a6bb68339584a727a4ae5e4

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\ffmpeg.dll

MD5 21647425561f9dfa567139d2c505f585
SHA1 efd5b3d6a21886c6467d28c73d20be0acb4591e9
SHA256 b827172262cea032be8303aae69a947a8d867006269bb8b2bc7e77619333c1b6
SHA512 c5316a6b2d77cf2c2949698f9cba92fe1ec57b2ac82d55fbbeffe71b4834ec06e83728a176f5089c91cc9544deda0667f39338f1e9d1a37db69bd8bad4af915a

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\ffmpeg.dll

MD5 21647425561f9dfa567139d2c505f585
SHA1 efd5b3d6a21886c6467d28c73d20be0acb4591e9
SHA256 b827172262cea032be8303aae69a947a8d867006269bb8b2bc7e77619333c1b6
SHA512 c5316a6b2d77cf2c2949698f9cba92fe1ec57b2ac82d55fbbeffe71b4834ec06e83728a176f5089c91cc9544deda0667f39338f1e9d1a37db69bd8bad4af915a

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

MD5 6d582ad6377f23e6ded3fbe114cdebef
SHA1 255a6e30eee82dd5f3084a2cfcd636f9f2571114
SHA256 f1d66f5ad4a4a3429e962adc3d6d037f71d4ae1772e86253987e7aaa5652fdb4
SHA512 8544c5847b06b143f736f5337b3f49eb2e0bf04c0bfebaba727f5954e73715c07a914c901f6a72dfc995abf654615856797743c21a6bb68339584a727a4ae5e4

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\chrome_100_percent.pak

MD5 237ca1be894f5e09fd1ccb934229c33b
SHA1 f0dfcf6db1481315054efb690df282ffe53e9fa1
SHA256 f14362449e2a7c940c095eda9c41aad5f1e0b1a1b21d1dc911558291c0c36dd2
SHA512 1e52782db4a397e27ce92412192e4de6d7398effaf8c7acabc9c06a317c2f69ee5c35da1070eb94020ed89779344b957edb6b40f871b8a15f969ef787fbb2bca

memory/1380-162-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

MD5 6d582ad6377f23e6ded3fbe114cdebef
SHA1 255a6e30eee82dd5f3084a2cfcd636f9f2571114
SHA256 f1d66f5ad4a4a3429e962adc3d6d037f71d4ae1772e86253987e7aaa5652fdb4
SHA512 8544c5847b06b143f736f5337b3f49eb2e0bf04c0bfebaba727f5954e73715c07a914c901f6a72dfc995abf654615856797743c21a6bb68339584a727a4ae5e4

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\vk_swiftshader.dll

MD5 6b40ce4af617399536d0ea6edc84baad
SHA1 55c91309fe49af121dd3de9c24f60b8cfea680f1
SHA256 c64b87d7cebdaee8b779859059a6c63fb47c8102a4f7311d678895f87b825c59
SHA512 9c4caddb2f6ba7d17683d662a1d9ecd2efcdf1fc081e0127260f0266eda78b42c684bcad5bccbdc03a06619b9ae4960ccea67472d7650c53e67a5a70be6e36c6

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\ffmpeg.dll

MD5 21647425561f9dfa567139d2c505f585
SHA1 efd5b3d6a21886c6467d28c73d20be0acb4591e9
SHA256 b827172262cea032be8303aae69a947a8d867006269bb8b2bc7e77619333c1b6
SHA512 c5316a6b2d77cf2c2949698f9cba92fe1ec57b2ac82d55fbbeffe71b4834ec06e83728a176f5089c91cc9544deda0667f39338f1e9d1a37db69bd8bad4af915a

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

MD5 6d582ad6377f23e6ded3fbe114cdebef
SHA1 255a6e30eee82dd5f3084a2cfcd636f9f2571114
SHA256 f1d66f5ad4a4a3429e962adc3d6d037f71d4ae1772e86253987e7aaa5652fdb4
SHA512 8544c5847b06b143f736f5337b3f49eb2e0bf04c0bfebaba727f5954e73715c07a914c901f6a72dfc995abf654615856797743c21a6bb68339584a727a4ae5e4

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\vk_swiftshader.dll

MD5 6b40ce4af617399536d0ea6edc84baad
SHA1 55c91309fe49af121dd3de9c24f60b8cfea680f1
SHA256 c64b87d7cebdaee8b779859059a6c63fb47c8102a4f7311d678895f87b825c59
SHA512 9c4caddb2f6ba7d17683d662a1d9ecd2efcdf1fc081e0127260f0266eda78b42c684bcad5bccbdc03a06619b9ae4960ccea67472d7650c53e67a5a70be6e36c6

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\vulkan-1.dll

MD5 4783d34314ef4feb241f4fdf36499521
SHA1 89296d6ac36cd005045db7307bf31005d0cf29a7
SHA256 6e8beb4e9da77313f40e75c4ffaeeaa522b6f054fd792631ec1efcf8248ca63b
SHA512 7ef1b0e89590b4af20f182bed9d82d5175d1c8c675fc3d05dc0eb2f834052124c877135fc68b2988683cf35e8b25870e45f7c126349d28125c021c8eeb4998ac

C:\Users\Admin\AppData\Local\Temp\edd91671-cecd-49ad-aacf-cf4b604ddf58.tmp.node

MD5 083fd9f2e3e93e1f2c599a2b609c9e5e
SHA1 6db2b6ce3e60d828ca32a6000c270c09224f3139
SHA256 5800c926c34c7ef38a45840c30e8855c1b3a6ec1ec8f37ffc6ce2d402728eabd
SHA512 08206b13d7e91f36d65de545b483d5fa446c2a1d8baab4c2fb19aa711af10cbfd98da3811d34a16033b5c09eb297fdcfaf09a186b4dcf69e84bb4dfcc11d96b2

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\vulkan-1.dll

MD5 4783d34314ef4feb241f4fdf36499521
SHA1 89296d6ac36cd005045db7307bf31005d0cf29a7
SHA256 6e8beb4e9da77313f40e75c4ffaeeaa522b6f054fd792631ec1efcf8248ca63b
SHA512 7ef1b0e89590b4af20f182bed9d82d5175d1c8c675fc3d05dc0eb2f834052124c877135fc68b2988683cf35e8b25870e45f7c126349d28125c021c8eeb4998ac

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\libEGL.dll

MD5 91f11a9181583f75e2b29fcd9050c7f5
SHA1 fd90abc3048f3347435dfbd1075b8051ac6ffabc
SHA256 43a549ff51ce4ee20074999527b19fbf280a8caa7db0bde957704033b6f5b330
SHA512 925ac2a87e436219e22a924f615669cb166e8183d6e4dd0f00ed68c16faa3ffa10ab410106a7f81320f10205415bff9d10976f1dc0bb695b9293b80101e4ce8a

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\libegl.dll

MD5 91f11a9181583f75e2b29fcd9050c7f5
SHA1 fd90abc3048f3347435dfbd1075b8051ac6ffabc
SHA256 43a549ff51ce4ee20074999527b19fbf280a8caa7db0bde957704033b6f5b330
SHA512 925ac2a87e436219e22a924f615669cb166e8183d6e4dd0f00ed68c16faa3ffa10ab410106a7f81320f10205415bff9d10976f1dc0bb695b9293b80101e4ce8a

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\libGLESv2.dll

MD5 16deb84c2dd1d55ed938a112b6ce92d4
SHA1 15ed353f418030e2a3d94c2c77d45605ea9cb3c2
SHA256 b49922f98946952e96c03c468a4812e0b1e7a090f4e1f96489f48acc07eba1f8
SHA512 bb9ea90e01ac7e633d3e27054206c6070b352cce196b7b70b989af2b718dec3506d3aaf62e3074fdc93e7e23839ed15ccb8a508305170e7ba38920ca21f4047b

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\libglesv2.dll

MD5 16deb84c2dd1d55ed938a112b6ce92d4
SHA1 15ed353f418030e2a3d94c2c77d45605ea9cb3c2
SHA256 b49922f98946952e96c03c468a4812e0b1e7a090f4e1f96489f48acc07eba1f8
SHA512 bb9ea90e01ac7e633d3e27054206c6070b352cce196b7b70b989af2b718dec3506d3aaf62e3074fdc93e7e23839ed15ccb8a508305170e7ba38920ca21f4047b

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\d3dcompiler_47.dll

MD5 7641e39b7da4077084d2afe7c31032e0
SHA1 2256644f69435ff2fee76deb04d918083960d1eb
SHA256 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA512 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\D3DCompiler_47.dll

MD5 7641e39b7da4077084d2afe7c31032e0
SHA1 2256644f69435ff2fee76deb04d918083960d1eb
SHA256 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA512 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

memory/4984-177-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\WindowsBootManager.exe

MD5 6d582ad6377f23e6ded3fbe114cdebef
SHA1 255a6e30eee82dd5f3084a2cfcd636f9f2571114
SHA256 f1d66f5ad4a4a3429e962adc3d6d037f71d4ae1772e86253987e7aaa5652fdb4
SHA512 8544c5847b06b143f736f5337b3f49eb2e0bf04c0bfebaba727f5954e73715c07a914c901f6a72dfc995abf654615856797743c21a6bb68339584a727a4ae5e4

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\ffmpeg.dll

MD5 21647425561f9dfa567139d2c505f585
SHA1 efd5b3d6a21886c6467d28c73d20be0acb4591e9
SHA256 b827172262cea032be8303aae69a947a8d867006269bb8b2bc7e77619333c1b6
SHA512 c5316a6b2d77cf2c2949698f9cba92fe1ec57b2ac82d55fbbeffe71b4834ec06e83728a176f5089c91cc9544deda0667f39338f1e9d1a37db69bd8bad4af915a

C:\Users\Admin\AppData\Local\Temp\2HPWf7V2dTN3ckCF9QW3Kn20T9O\vk_swiftshader.dll

MD5 6b40ce4af617399536d0ea6edc84baad
SHA1 55c91309fe49af121dd3de9c24f60b8cfea680f1
SHA256 c64b87d7cebdaee8b779859059a6c63fb47c8102a4f7311d678895f87b825c59
SHA512 9c4caddb2f6ba7d17683d662a1d9ecd2efcdf1fc081e0127260f0266eda78b42c684bcad5bccbdc03a06619b9ae4960ccea67472d7650c53e67a5a70be6e36c6