Malware Analysis Report

2024-10-18 22:30

Sample ID 240922-xt4dsstgml
Target Ultimate Tweaks.exe
SHA256 30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966
Tags
discovery execution zloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966

Threat Level: Known bad

The file Ultimate Tweaks.exe was found to be: Known bad.

Malicious Activity Summary

discovery execution zloader

Zloader family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Unsigned PE

Program crash

Browser Information Discovery

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-22 19:10

Signatures

Zloader family

zloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240903-en

Max time kernel

125s

Max time network

131s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{81CF61E1-7916-11EF-B699-EE9D5ADBD8E3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f015a056230ddb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000586b660924ca2639e75a5a591ec09028a602173aa3c277d627fd363be39c1e4c000000000e80000000020000200000002369968cab05c330848c9ae18605685c8d2e873930b54cbaddb68aaa5ee6ef0220000000a432a8c2ff70a012a6e8c7088417e39bbd4ccb7d56535fb4e5f3012211b3aa38400000005c2d93732043739bdb7b7f2a3d065e2fbddbbdedb4bd7f32176263cea878138c855459f928a55783d8c21bf05cd093e4dd9a49d4086e5e30acd0961624bc7bff C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433194230" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f5420000000002000000000010660000000100002000000072b9099c860b6b7864b8c9eb4efa749f180595d124c5bf01b847a6b600b2138e000000000e80000000020000200000001401e4f0dc08e9bc0412588b28ba41c285014884a87c8c982802126842df785190000000661183a130401e2ca20c141e8970f628046dd2ed645052a1e0d28f962802e1303111138fc1a9ad2bac4840974f6af0cb032b69305ecdbeead342c525f5472a6c1947d7ce3ed4fad889e88d8267c0fc79b10d74497b60b89b507e3c8b5e3136aa503199f0ffee2e2d1acb9df4c1d1f3c46ffe0eacc963eb5d644eda599a98e60a015dfd115edc94d0edb3cbf54201d95e400000009f76834c89684aa7819c2161bcc5e152f7e46d4c477fb3f2b8f58f3a02e2dc31860e471ddbe380f50a75786faea4c75888d4b0ce01d356cd55f074f7bebaa28c C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1632 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabEE67.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarEEC8.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 54e080048b6de050b1b106856c9d81ad
SHA1 ecaada0096085a81d558ce91d72442e2b5438b39
SHA256 f884c4670e9695dd1cbb89f9f80a3ed9c4bb6d4734a423e45c809b895757ff75
SHA512 d67f69d48e0728453756798c2ebb63994e8c02e61ea9378b9c4125fe4e6499ef0e57616e41f4b620d792088183adfcbfbf3503a86ce7cbd23d5983e4fd961a0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c14136cd0230af35f2f58f2ee7881e8
SHA1 ed8d9ef9f5e3aef2b72aab25e3a42ef1617bbc1e
SHA256 486887c21f49e6acb691aae27bf8083e270307a2557f2f92bfed9829a494cc33
SHA512 6509622beb167ad2bfb1b33700af1c03a6a37cc8331fed89c291214ae9e0472d2fa1312b7e759de532cadf42308faead82a98916016ca240e758d9f556e23515

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6c133d3a5b8e8c5cb3a7788f613730c
SHA1 c0b5001adb7495b95c2380026c5dc4e930e529ce
SHA256 308178a90f2e2ff1003d3bc5ddbb2cedfd641c9e8de38925f0cb2b92c207fab8
SHA512 548ac25e319d7db831627a17561fcd2b4167feccc0ee549903be08c8f9846136d16d07df3c4b583237d4fc02d020df6faa48a302248a7a533803180ee8733475

Analysis: behavioral21

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

112s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240708-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 220

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240708-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe"

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\nsDialogs.dll

MD5 466179e1c8ee8a1ff5e4427dbb6c4a01
SHA1 eb607467009074278e4bd50c7eab400e95ae48f7
SHA256 1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172
SHA512 7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\chrome_200_percent.pak

MD5 e02160c24b8077b36ff06dc05a9df057
SHA1 fc722e071ce9caf52ad9a463c90fc2319aa6c790
SHA256 4d5b51f720f7d3146e131c54a6f75e4e826c61b2ff15c8955f6d6dd15bedf106
SHA512 1bf873b89b571974537b685cdb739f8ed148f710f6f24f0f362f8b6bb605996fcfec1501411f2cb2df374d5fdaf6e2daaada8cea68051e3c10a67030ea25929e

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\chrome_100_percent.pak

MD5 b1bccf31fa5710207026d373edd96161
SHA1 ae7bb0c083aea838df1d78d61b54fb76c9a1182e
SHA256 49aff5690cb9b0f54f831351aa0f64416ba180a0c4891a859fa7294e81e9c8e3
SHA512 134a13ad86f8bd20a1d2350236269fd39c306389a600556a82025d5e0d5adaab0709d59e9b7ee96e8e2d25b6df49fefea27cdccefe5fba9687abf92a9a941d91

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\d3dcompiler_47.dll

MD5 2191e768cc2e19009dad20dc999135a3
SHA1 f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\ffmpeg.dll

MD5 bf09deeeb497aeddaf6194e695776b8b
SHA1 e7d8719d6d0664b8746581b88eb03a486f588844
SHA256 450d5e6a11dc31dc6e1a7af472cd08b7e7a78976b1f0aa1c62055a0a720f5080
SHA512 38d3cac922634df85ddfd8d070b38cf4973bba8f37d3246453377f30165cc4377b4e67c4e0bca0ffe3c3fa0e024b23a31ec009e16d0ab3042593b5a6e164669f

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\libEGL.dll

MD5 3a5cbf0ce848ec30a2f8fe1760564515
SHA1 31bf9312cd1beaedaa91766e5cde13406d6ea219
SHA256 afef052c621f72ba986d917a9e090d23a13f4ab6bc09f158eeb73fd671b94219
SHA512 bd5713e1d22145b4cc52f4e46b464f443aad6f783a5793268e7d9dca969f27b70e706eecd54cb01be1c94256e6a95864c6b7e50027cef7fa870cdb16820ad602

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\icudtl.dat

MD5 e0f1ad85c0933ecce2e003a2c59ae726
SHA1 a8539fc5a233558edfa264a34f7af6187c3f0d4f
SHA256 f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb
SHA512 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\libGLESv2.dll

MD5 c783045e4b7f00c847678d43a77367f7
SHA1 7f9192ce0b23ac93561aeec9d9c38daa3136c146
SHA256 3a39137dcee6cb6663ae9cca424b6b05cf56c0ad7e32fb72cb94549ea9dbcae8
SHA512 64e6d4fc84f1217ceef05a22ad63a6618ffdc470b1faf4ad9e2d7bab59e9285527b9c5fd7ea4be673a08b9466434e3c098e839bf6955597e3d8aa0e80589f4a3

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\snapshot_blob.bin

MD5 cadef56f5fb216b1fbf7ada1f894ea6d
SHA1 373d2a4266be5c8fbf61d4363ec47ddeb2d79253
SHA256 0976145cc8c02f3e64ddbf51dc983bdbb456be7fcf3ce54608e218981671ac12
SHA512 9c90e8943f9ef6d644fe0fbe55ab25ed371739d17da8cf973893a2e41ebfa0a92bcf1761e72da032f9f3d1c6f1080c62f856aa07a3cbb609c9e8c186f92216b6

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\resources.pak

MD5 67bb5e75ceb8ced4c98cf0454933cb45
SHA1 c2b1c8c8d753318bc5ec18762c27512a5eb9f9cd
SHA256 5d63acd4034f7771ca346d138d7478014abf1f3f4386d07fc025dbc2c2bc0bff
SHA512 fd213d59ebc625f6f8b20cc8fde1a22132ce827b81deaddb9ca7993fe0d9616de17e089def338d23c4b6bbd7d3a931ee73aa329325eaa17f8145a58fe11d8c38

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\LICENSES.chromium.html

MD5 bd0ced1bc275f592b03bafac4b301a93
SHA1 68776b7d9139588c71fbc51fe15243c9835acb67
SHA256 ad35e72893910d6f6ed20f4916457417af05b94ab5204c435c35f66a058d156b
SHA512 5052ae32dae0705cc29ea170bcc5210b48e4af91d4ecec380cb4a57ce1c56bc1d834fc2d96e2a0f5f640fcac8cafe4a4fdd0542f26ca430d76aa8b9212ba77aa

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\vulkan-1.dll

MD5 a6588e66186ccf486eede8e9223f0d41
SHA1 777a5c4028c7675ee1fc4e265a825b35d5099577
SHA256 419488597ea255ec61f028aeecd36572d072dfe49b7ab716cd2c0a8e186f24e6
SHA512 ba8b9577f47ac5b9503aab8d4cca6059c7208bf0eb37999f4fbef0c2cf03032a9359559a0221f332c6cd66c38366fb0e1f1d32173f282afd639fabea8fc9400e

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\vk_swiftshader.dll

MD5 0a071201e4dd76996e273c81533bfa74
SHA1 5c92c634027692c344a8e74eab8b4d5c3e049497
SHA256 08e34bc25653f9357a4ccf62966d698b7cc6265dc668046a28403ae5786132ee
SHA512 b5de6548c5c743b6f119183fa06aaf67dcd4cdbc3542378ff87916b670ace1e2f4270f6dcaa4caabd01460c638bd02b565267e7bd9617ca92d72187d374bb7d6

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\ar.pak

MD5 7608398c66cd0b55396f7250b3c8747c
SHA1 7e8417dfc7055fb9ecbe7cfc97a8aba0bd5a0e13
SHA256 3bb407fa588fb801ab241e8dda018461b54010a38648c3acc1e3550c0dfbd75a
SHA512 5dd757e4f114782eab9ab8cadbfe3179ded594285b3d0f7f6fa5ca50d80d866e7c8ff6a1f44deba8bdf09c04106de635c1da22597c008023b1fdf1cc747b6f1c

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\cs.pak

MD5 926b4d7f540ce0b1912e5fb6383dabb7
SHA1 a7adbc83ef38092a90d964d61359a6caa1253090
SHA256 2964edcdcb27b2edf73515615501d8af28ad94b5dd31d2794f2624808c74de38
SHA512 bf6160e46eebf16d6b6f05d330068fa226118457ff03277b59ed4e1a6d2d28b212155cae2f48c34adfa81d20ff71e4206f25052257559f4768323b342dd16278

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\es.pak

MD5 f6f452e9fe45b56b489b2e99c99848d7
SHA1 c64384626ea966d3a24dfd4d6c2f42c1cc082d2f
SHA256 54f85551269c8b5f3985a09d313fdc04c4595e5058163cf147ede049b8faa605
SHA512 f3c50308531f9654ff394cbdfdcc6029c60dc6659fe60e0326b4855a31f3eedc86f3df82a96a9e7691d12c7a69079c4abe2722f599aae29f48b291fb5a39a3a1

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\hr.pak

MD5 2f7462a076c14f2c2733a41dcc5ecf1b
SHA1 c453dbf62d1cfe85adb64ae374b6a79cff2ef97f
SHA256 6dcc7d5d771475874471b78ee84db0230341f8634f4b38a9cb90c37226d70b00
SHA512 f1df750b779c908547a38b49bae0ed8734fe37cd96d3502186926e6cbd657c248c528cf9944353dfd26695ab384f17f22f0bec251e65a20906da4d67852cc516

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\lt.pak

MD5 93a0a8181e8c251a2375645a552293d6
SHA1 57faf2e9f965a49d5294cf9759b9b50d87c2ad1d
SHA256 f87b2baacdde69b2b24dc7859d47bad0844cf4d275072812aaf4eedb10318450
SHA512 51e1ff74442cfd51fd2fe218755335ed99e4850c8266425b8d55aa0abde2712ab765ff909d6ee620268ade9d7b51a93be659d6a52143da2abf4ec309bbe9f2fc

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\pt-BR.pak

MD5 f18cae95b8bb6760d370b435235c5629
SHA1 eb62bc4249ea8e5688c67aa65bfa2b628fd5e1d8
SHA256 952234ef1d2792204f4e65cc814e9fc6dc007610668ceffb980c74fc0167ba0b
SHA512 218e9e4e59c875fe7931f16e6df877f67b8466a5e8a5565a1cab0f091b40b0652eefcf205536f5f4b8697966aa201092c26249142dcd8b40e055529e23ef7819

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\te.pak

MD5 1f20952c1a61fa6e42a7f055de8986ea
SHA1 301ec89ca80695865d884927c4c07c6777fb321e
SHA256 caeba6c853a0ee12a802fb9f610a95c676071414c1d8407d18b05f2fe8ce6bb7
SHA512 c43f5316dff21cd08f86e0d3d7c407449cdc751ff466683dff9a51e3a07bda203e8e22064bf240726e6e389b661d6dc2bf5ed5dc42750539990379e513228d53

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\resources\app-update.yml

MD5 b0e31c54422860c9390a2e456d8f4624
SHA1 1b73cc7e00cbcae94a3ed921fbd055a393dedc0c
SHA256 897dac554968a2c49044a5e601cfcaf7c24d41599a58c03e91c62bd664b60ecf
SHA512 561cff0a281e073b0b2e3bc139a18b44ee1e2ab147d99ff007d5deae48c0c4c847bee4e14ad2e36abb27f7d9240f95aee7fcc9987246c717ba48666f550cc121

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\resources\app.asar

MD5 8bcbb3a116b0035d6a5621f6ce6d4ba9
SHA1 0f974db0d87af4aff602a410e7f09e6821f30ce7
SHA256 f975415a103c1faa4c7aac4f31868c0e408a24615bcac355e3f7640046df995c
SHA512 463fbc355f8fb4268417acc0e82d7774894fb076fdce5f6e3b59a7353f8af369e4215cc3722b34cb1936ca849173912d05e2cfb01a3146b1467239dd2a424c8c

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\zh-TW.pak

MD5 337bba163068f2dd7ff107ea929c8473
SHA1 536ec5756f229696dd6f875180778afcee1966fb
SHA256 58753d4313ed7f548df16a9cd9aa1f0e30cebee675a76b8359ed23fc95825574
SHA512 000b98249d7b0e4c7e463bafdf827e3dc5afac447750320d6344c984f4ad41cab5795861920525f03dcaeea5aa3615684101b08bbc103d3ba01065676c8bd64f

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\zh-CN.pak

MD5 156894db535f0fbe193d66c0afb4b112
SHA1 e347caa3c41ea7461c217c029dbca54567fbe27c
SHA256 cc5a411d3bf0ddfba9e5041dfeeaed70265ba949f7b7ccba0170b88e3e14ceb0
SHA512 e81a0968598536e91c17a1998682cb5fff42bd3199c41b64e2d76827c96b187e8f86182843c061735dad2b7cd5e32750e473c1a5f9c82bcc0dcc30f1bdb8b806

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\vi.pak

MD5 593d33203c539d027c5b5bcc13bb38c9
SHA1 2f6288bc43ddf31e49a733af97e3e9e2fb8a2940
SHA256 d435c4c7154c24982185842a09cacd343cea77a5eb7fb859c4d38973cf240a42
SHA512 7c41c74f7220270da242562b93db8db053c0a7b08fdc1864d063706caccbc6926f288ae6bff1de43af656af67fcf2d8ad57f53d791bbc47a3b29a6a0856a68e5

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\ur.pak

MD5 305d39b5de5a1935d786da4bfc736dc5
SHA1 8dd952fea4dae937b9f87d229638cd22ca197a8c
SHA256 b551a93a300ab78ee6da5087ea417584c4fd3941fbac99c84c9c58be2c88a7e8
SHA512 d75ef12a56c2dbde5c7a1967297270f7d717a366776f6b2a316784f033c71fcb9d25dabc857398e8459d8ac40aae1bae59e82f551e00e9b96bfbea00a54fcde5

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\uk.pak

MD5 7f8d31b43f7319164bc0f6453bbaf007
SHA1 4be254da0ccb13040489403cc2d8015f448292da
SHA256 e33b1a611feca93d105dee7c867521b5fbf27da38532ea3ca0aec61bec7f6108
SHA512 9569bd24aa5d2f9b0a13784f5f3d98e636f72177c7ff7a14c7d390f1d5f0b39ffab512276f70e4d2df0d37fba94a2c2322a840ba303a4cde33ccb20f7980395f

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\tr.pak

MD5 4727af70df9094888ba46f3a62eff264
SHA1 d2ead301efab607d040c69c238a06d3b4d080717
SHA256 026fc65ed90fe356ce2b5e2b459a4487512d89e48f0ff8b044d6739ef51c1658
SHA512 5bb8dd6ad100581a7e0cb87b57e054ab23551c263144f7ffebf729b2280a1bd95e92eba9c64b80e2f77ce59c3c4315ba2b5253ac83dbb540828e7a59a70e74ac

\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\th.pak

MD5 7512a162ea0b65dd9477ac8c190136b9
SHA1 ae5fbce9516882a0d58da9ebee3c767c7ba4c305
SHA256 d01ecd4edecf1809d5c2133366df2502a4621e88d894817e80b913f3a0926fa4
SHA512 425fd803cd3ed9589df5d04bb8ca4b62af0e573301d31c48a1a05bf3b707a0672e1a033965946223e5873a98eb3c9d52bcdcc1296a08cb4971d0b1b6d2e95eb7

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\ta.pak

MD5 474a2016df48f886e91fb9fd331d9bf9
SHA1 2548525143292d7d150f5014b44ef294ba7c4189
SHA256 75638ac7fdb226c0840d5c2edf763bae35afa1f47e89199d9724ff46c003a2c2
SHA512 a4c2c2c046420c77948a0479cbd2be3aa11c1b347eb508d020231eece5cf0c2cba8d4f6a0e9f875dece4a16413157fd9e9f1cf09e1746335eb11e8f8590cd013

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\sw.pak

MD5 e2958cf2ab6cc74551c8360e6cc34333
SHA1 806aa1129f228ee48744cfa55d061149b37522b0
SHA256 51482431411be2d89bfc026b9acf9ce1a0fb971376468a47829a15392b47178a
SHA512 1f5f306b7233279800d18fa461f4c94ecad809b2bb7c292fce16abcac2e963f7567a86e43a3c950fc86bc73b4fef8451389fc57ac6750fe7546afad8ae00f589

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\sv.pak

MD5 eb39645ebed4f980ab12585feae2f4b5
SHA1 fc7c471b93f59bef13f7bb4669e683385a8b9dec
SHA256 ca34ee1c147358b5e32b5829acc0c355708925dc8df91c21d8e495c7485fa5c7
SHA512 5fb25d7dfca3483967a5262d2c62b5d37a192f5a7a19dcf6722a9a8753e299e567bf7f26171859c374c8d035bb521fb4eddc4821aebf9ceea1253c63e1595c60

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\sr.pak

MD5 02bdb4d99bd466eed5fed3445560d52d
SHA1 c24e1895145b3066840be0d349f5e866e46e2a39
SHA256 ac09005a83d4ac8f61855c7e301e48a753d2f3558a04cdb94f23b539e2086e54
SHA512 fac7bcefe31f41b6e37f215f271b33ab21dad281c1b0bdaf28769c99e31bccca625f213fcfd7c0047b3e2104a8f51b2ebc5fb374b32f58ae22c4130e315aee1e

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\sl.pak

MD5 299acf51d74b95ae4272730c437763aa
SHA1 8a0ff73f37d830b6677e514371a5825631aa455d
SHA256 26e29cd70c4143d7e9fb65e86e02c9173997f2fc062633a5edb2b7df55942157
SHA512 d7d298a4eb476a3cd4411261058f6f9409d0dddb3756cdc1e27e64280efc8b84fe40afbd92c754d56f58ea333623b0481766320b5969f5dd71f0c2a93be8ff77

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\sk.pak

MD5 e9bb6352cdd0f1c2fdd543a48ba076fe
SHA1 50053620d7be5566bb3ee588feda1a4daa207672
SHA256 441155d63257beaac9e2998afa1a9e65957286ed1cd9e0670072a63e24ff3f8b
SHA512 c1f87c7976159c8ff3e28185adcabf93d47ace0dc9b95fbaa4d1e5ed9ea8257263276880486a4c17a68a5869e6ec640eaf81f5ae6c4481e351e73e7b4dd9dd9e

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\ru.pak

MD5 a0072d84d1bcb2fa7bbe7ae4e06151ba
SHA1 b9227c6cd4ff9f6db6a8edf694c444beccd369f6
SHA256 8c169d6995d97feae8b8ec947be27697ca0ff731b593fff36163e4f31969a6fd
SHA512 fad335e81a24427f2b0a2853733da94c9839139a7982796bf742eacba306ecd9998914bcac49b925d5bb18953091a4dcc62ea6a628fff125c086099cfd33e3b5

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\ro.pak

MD5 36f8327b36f2c6c003f864895968af2f
SHA1 248d88aa9fe46cbcd013ea7d7270f8483215c073
SHA256 6343589863bdd2ae81ec9c33e335048fd8792d2c2e8872f91f7a325a1f0d97ac
SHA512 bb03b5af3ddf676dadb35d5b94f40ae1c95cba2e7175c87d128c319e0055dd91f412883daace89fa33a17b9761f1cd7bccdf261b16ffadd6e10da594445c2c8d

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\pt-PT.pak

MD5 4aa908b531adedb0ee795704ab72e248
SHA1 2ea9f4a7e561e70b06b675b3fe35ccb0f2a12fca
SHA256 72ca754dcb34c54b72087ab7fd5a4a3fa03e09cd1ced906d99d6525c7a19ee9c
SHA512 7d4a1add737136acfc7ed7848b0ee54646d5c8aa3a54addd7cf0340ebf42b58f6ce2eff56a2ba94125475e7b64989d06fedfc8b1ee41ece63b18b1f95686ad08

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\pl.pak

MD5 ab94060826404cc09d5fed31f63cec05
SHA1 20d1cea9d2e60b9bbd4fddb38a652856a3561008
SHA256 03258ecf731487231cc7eab8f6cb96e92b7ede4cc5b63c3def6ba08e0f16da10
SHA512 a9ec28912bdd2b8b1e1b3fc4d5c76139253ee4ada8f0d562ecd611d7366b0cdc97c379c5ae93c9db69eb045d8834cd0e1e0ba84813ac0071b5a2bf6cea81173e

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\nl.pak

MD5 9229e4ded3219c948747a4dc9a6a5e32
SHA1 9147b2f2ac3837588aa3b71eb4a255d29cab0e74
SHA256 d88b02d74e01b9350d3ac9c48fe08333ca9c68e3e3824d64fae86c5b8b531feb
SHA512 8a81cefd9fa718b18de87555cb2d5c8e87ed14921fd3a0247b47988a1f3896d63b16dbf86fbf103097c73181473c37393c0f4e9e0a07d95d847aebcad526e8e8

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\nb.pak

MD5 c2c49ebaebc448cfeb7933ce2cbd6ca6
SHA1 c3efca0fee40a3daf7d69768d7659de60b3e2c4f
SHA256 67d997fff8a24eaa030eadede7f5345fff5e954e96bc8f36d399839bed998774
SHA512 c500bc1097ed9077742c5708bd55dc4215c45f751522131b8203d7ae802d278ffc3a9ef607325bbea5b650d594dde0d74e7fa4502e1a0f905534c32fa1521bba

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\ms.pak

MD5 578dcc1aef901d00a57f2698a6e15826
SHA1 4dca370c3b22f9f54a62d31166a84848336a8fea
SHA256 e5e77421c5fca5b1eaef96fbf33c345c63119015986163cb43d65075df6265d0
SHA512 073aecedf4132faef7e896e6840bb6297e866a06fd65a7490f0a61179013f27b6592a4fb2be91cb5e139c77f6db7695bf60e5788154e51c9ab7889f6e7040a33

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\mr.pak

MD5 fcaca3a4264563461b42b16d8fde4b02
SHA1 af37d4e73588d4a6d3d52f2dba67414393c9b168
SHA256 362df1aa112a0a521617c0496087b3547a242eb79a5416b8414c5798f31e187d
SHA512 9114dc4e7da2affdcee5c86b1f1f78e47279c31d0f76c8deb1eac545e0268b9592463bbe1a4b433ff4fcab1ad4a596655b775608515bf7455fda550d3bf47b8a

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\ml.pak

MD5 70c0c80fdfc006be0ff502e0e6115b2b
SHA1 43f96be4652ecbd22677b18ffe2260b79bcca19c
SHA256 878e268428ec7aa51105c921740931c545d4ba6a274b367c52675c90741d23bf
SHA512 c463c5d91b3cae6b2c70ef6b7e3758bacecbe76088d813e2632bde7939c1fb28bad3cccf914a14861b8611a490ea74ef2d8d10e7336b203d12cee9904e8f9423

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\lv.pak

MD5 07405dc51eddde72e367737c093c20db
SHA1 c66b8eccf167060c43b3c53631fc0c95b3afe05d
SHA256 dbc860a35ad08e4f502b8784ca1548110d3c7334478f6c392db42f52cb3074f2
SHA512 98f276fc137d6592cdbc1c804dd59983e290409bf7908137627ab114ab485e332f568d28c60a35d1dcb3d9753c2d1740065c654396af5f56f0dd5e1dfcffcf71

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\ko.pak

MD5 c21dde26f43530135ef37323b00dc1fd
SHA1 a118e9713b155bd2999f04c3075f2e1bb05bffaa
SHA256 ff88b56be0614232947bfb07e6beb88327a18ebec98cece17caa9b7cd8e6dd24
SHA512 0db144f03992c41c3703719e985183a6ec988265e5a629d09bf683d9b208656d605565d6b5597cead909c814f25ce200739e65b1327172afe10d395a5018206c

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\kn.pak

MD5 a4cce1cfe646eb2c268493603dcb358b
SHA1 aa19ee1cdf8776d07bf35614ff063aed5a798ef8
SHA256 01250aec7310bb59e0e847382325f940ea2cdab00369c1c7efe2f340d01ff806
SHA512 cecb7794a288e879324e74e7522bee61a43072ab58a289b686f1d48d98fe9a0d29a5505b8c891fe411b823c3d8366d6c1cffbcc1deffa6c7d3a04339a769dbc7

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\ja.pak

MD5 d84e12cecf6e4355933ed68816f090f6
SHA1 eb35ef52f341442dd887d43a52af7f02926d5288
SHA256 8de18410e38f4036367113bd4ed253a4957709d87e0aeb11134742bc89e16d62
SHA512 9dbe703493acb7b48ee1dbc4458ce0b9d757419e3fbf01379bc8dcbd22cc30a99348f7cb96840c19e873d6d97bb4d1a3baa4fcd6e0d332480273020a6e13a375

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\it.pak

MD5 cfb2ddc4caafd038db00c1e7378d316e
SHA1 2573f32a41735efde916f0a73b415ca689c0dd36
SHA256 9395bf9a547561df6cd20d8e076452369cb72184f215448d1acd802dccf3a47d
SHA512 8a02ca980a8de8af8b179d610ff25557f81f67bfb5a9f82511641ec87b378a2ab7214d5ec681797acba1a865bd726cb9c5f609647ae6ee71a393b7e16fc06f8e

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\id.pak

MD5 260d34aaada70c9d491bfbedcf5ca8d1
SHA1 5fa83a3e53e6aa9eede9fa34a84eb55ee8493314
SHA256 64a8a25717ffae1855114d84b02223ad5b3963c1c6a21c826636146726d0a8a2
SHA512 a19ec6fae22689a8f851c1a782eb748ee9f38dfad89f05291c01a6070b24a8a02fac4bb4a441421f411966e8bc08e996900871d498efa307ac1793191710ebd2

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\hu.pak

MD5 f55e37076460b2e8b5ed0f414618d256
SHA1 b313287de6197f1bf9f9770e3d2c99e70c4d8179
SHA256 61854ab102bc57a7ad7b85a4fa008c3f071306838ba1a0491f68c19153decd49
SHA512 e8121a064a3209878f24c33e9c20c810c56aa15476909de1ce076c80ef635e69a60ac655b7714a116951de5b99bb690827edafddcd5e6b00ee6310807d78ce58

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\hi.pak

MD5 6d3ce5a6049eda31ecbc55a9d3abb163
SHA1 100afed265c77a20f6636a0ab48c8a723e30b087
SHA256 8dae029a489f1bd7530650a9cb1be1f03741e1d7018503feb3c78759da8af531
SHA512 3668952ea707da9ee8fd3753c04d5dfbed97685b76dcc75dcf8d6a3699a832c3ff0db9cd40810f6ea9364f2b7aff4b1cd68980c74b59808fcb4900a36d933bba

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\he.pak

MD5 c47322869b458a1cd231f3dc385f80fb
SHA1 4155444dcb69c5b64711139cadb32a6df95ce3ae
SHA256 9e5544340da0e0aa28298e68765716a3960a28e50d86146b5324fd70fd756b41
SHA512 ca4664a9acbdd5896c6a0921e09d99f1a7ce3d7a80338c1a4310ad499a5a2cbb60ca074a02fcff128789da0a4cf82d3869f83836ae3ae3171085e58d6155fb73

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\gu.pak

MD5 ba34657d3f5ebe61b36a807c4a053d72
SHA1 163875c4ef39e3473d9d5aec4b6273f34a90a02d
SHA256 8c762963cca8eef2cbd39bd7bcd8b809f3b57a75353e687743894add9c19440f
SHA512 cb1c4adc59c3e99f819645ae84e3e6b601b340e05ae2182c0b1568bbbcd3eabf7bf09ef34e5d0757530997d0734dc52dd744b8b0edbb3702a3c06e29ba7f0c4e

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\fr.pak

MD5 6708a286a0529ba7bed9840d53035be8
SHA1 af289ed518d9d90c75b69a870615e3f475c5d0e4
SHA256 7169684ff44f342b98648839b8963916f7323115dead332c2471baed6264b80e
SHA512 b329798fd85eac1505d0af5cb827ba11a5850eb926be39b414c40b5fdb56432db5f3dbc45237510bd4d1174c1cd62f623c6cc8ab10eb0ca51dea5d5487f0b0fd

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\fil.pak

MD5 89a63085d14b1b80f259e166e6ffe56d
SHA1 d1326c879a6ad203489226f7c5be08c897be71ac
SHA256 00b8cfe6131499a8a67a51dd8560a965a2abb863d52635dd3931df0479c3f5ee
SHA512 ab48fc4bc604648b4cc010a530fbcc5138b9d0a0f09398d2a69b6219799a43a052722c47dba96c9d001b4f6ddd491683c0a871c19ac2abc12843e68f9d4c2cf4

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\fi.pak

MD5 3acdfec7edd4d3eb473f0deb32713c14
SHA1 41fdd4af5f9fa78f4f81d3996ecafd69587f05ef
SHA256 4bf099ac8a76449bf597caf005790f5c02efd533b9a329c5fdc460d38f77607e
SHA512 b167caf1e5ff38b0c80f891715866a7754e9bf3f1479aa1faa3cf3e8ae7fe9b71a87109239750f71855330b6d20704b43e814f188672aa52a5dc6912297f1997

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\fa.pak

MD5 04f629bc5fa6d761f1d7b5dc28a6b97e
SHA1 d80f74a2b6508bae49b8344809062b48dc2b2dc5
SHA256 9b5334e4883a716c5616c859889aacd7b179b30ac65e5657198eb4e877700f81
SHA512 ea412096170ae29b33f3d54f17fb9f2f5a41035df56e2af9596ec7c15422277943c5c651df6b3a232aca4e979946732bec496da03b3e47e0d4629675751a4c67

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\et.pak

MD5 97918bb7b36900705b1a53b7851db6b3
SHA1 f8cca656478c6e15baa8f344dda2704087f54776
SHA256 8021814965878c4913d1f9f9d226da49cc2a37746d976f3b84aad7fe096fd14f
SHA512 6daa8f56c231cfd7dfc17bb5d5c56afca9490f953f22c92365a1f88e995c3a1705de98a725177001bb449070c860fd1c843ee0a499c6dd8321f2e6f4cf914da9

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\es-419.pak

MD5 763f8c8ce092a3d64bbebddf4169e108
SHA1 89f2834c1b4e3f84870af29650bda6fe360350f5
SHA256 0c816f00b15d59809d30b6611aa455ea1bf8b022d2f887137f1c9d7a5600d5d9
SHA512 8401cec52e80a5136543473b317f0e2d920008c83b9667605cd0deb9fa5f933deeda0aa475b436520001c6a7c91118a4d9b11e28a9f4b31271662780e678dc06

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\en-US.pak

MD5 731c45f9f23957acc11b43d775758aaa
SHA1 12e66417a2dc0c5211ed67f026208ef02fcb40af
SHA256 02b97817b6eebd7caeaaff750f6462abc68911c398ddf0571b7900ff9b4ea9a2
SHA512 1a008df585ef76d9cf4459fc3e617b8d4397e7078c77852712fc7cf4f304081bc5195243437e64074016b05a8cd671db93666042e59b959595ba854ceb330a81

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\en-GB.pak

MD5 a44922cb4cd8816b9ce3d018dba9e6a0
SHA1 2ed3a8bd4a11bb89d3699f583372ad7aecc46ddd
SHA256 e0df967ffdf872f0a9589a0d74d68a742fa9b956add7a6736b82aebd9e8f02d3
SHA512 461b04a170c562382f6c1022f881db9f6928a36c962a2e3aeabee62dd4c46e08b59ef33a2d1d26af21dcc47d00b0c51e10b43f14dcd627f84104ab4f31a9e526

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\el.pak

MD5 35ba1b364ecfff6486daed2a33cc6431
SHA1 b894b392d400fde4d35bc3b4edc130853cda340b
SHA256 c0434492be64b08f9ad00bc7cff65314822406dfb0c591fea0df6af9b6fc89c5
SHA512 5f5d2cf1d5c8158c62fe310338bfb1c9683ea2f43726c9f02fe6d2c29482e3211fd3d61a30dc0cf738549dc7047dfce0dbac36b9d22dfffb558f118fdbb3d856

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\de.pak

MD5 5a252c49719970b8fb33fbc8ec98971a
SHA1 931834866af36a9e25582a1f631a8cbc965a8e84
SHA256 d5746f48800efbff7db9d1bb8d6e5a5102eb7d79ae136e0485fd427be1ca63a1
SHA512 d4e6ab68d0b1a564b886c8bbe60e7bf67c3f71e6fc70ed5bfbb63a974f72afce62e03559f29f46a424908c256e990ff6cebeab8fddfbd79f6deca997cf7117cd

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\da.pak

MD5 c54edb2260d2b907049cdd4772d5313b
SHA1 a12f623e6310b667a9c38b4c9143920d08564377
SHA256 318a9ec9e9fbe35d5d8cb9b719ecfbe1ecba9d8f246876c949c082107b439ddb
SHA512 4eef045080fecaf55bf2cca7d72d039b7d7a7b28021b649becee320a3a8c0753f4e0e5f869a188813e746bad05fd08c726b5c25f40ef9555967fafd93f7f6989

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\ca.pak

MD5 bd846046383d64073da6eb192f5cddb1
SHA1 6dd4bfb982101ecafc14eb35834caa1fe5b1e3f5
SHA256 1dca9a7fcd850aecd48288999b436ff7e70cd4a96f47b40319759a800fb8eefa
SHA512 521ddf6e8fb444b911212501825392562af14cfb5b31a80707fdeffb13c8afb04852b0e3f7e3363a1c3a37c5c35bb1cbe84b458e14e30b5e8d8cb00a6a349ce0

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\bn.pak

MD5 d179d38e8b9f7e60a943e2fc9f9471ad
SHA1 8d109081959d194c82b89fb25a514a65233435a7
SHA256 a45279ccc13390e0d93cfe1e33a7f276a5d9e97f6aefa6b6e14ecc4289703bda
SHA512 fa6f3e45f40e1e48f191e4a65f5d15dabd7058af4537eea3e34998dc67dd250b00e52d1f07b10a73a67a15aada4523e50f40160d98a5f37ef4684a30ff338468

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\bg.pak

MD5 c80a2008d9f61c182430a728a6e059af
SHA1 2f2aa33573156d9939e3fc81f8d81de4aac21e61
SHA256 5947f567ce1f4ab945dc6dab1599422d412f4417b9097905150d669122e43f7d
SHA512 016ce835b6bac4d5b38d72c0b3adf4d6b4e0ac04677d70c53e5938acd28b12220d2878bca7875471d008b779ea6ab4972a9875b44304e867d0bb5e4318c0edc3

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\am.pak

MD5 92ffe73f193d41c5a90303955b2da67f
SHA1 1d4136d8bb752da2834ebf0f4f62de56efefd78f
SHA256 325dd137903fc0d9e5010a62a314d9c6984ff82afbdff2254f7c48bd03dda06a
SHA512 6c4f0aac10276ab84ec4e63ec9ad0e20a1b3ce9d2368ec966cc6471600c3d28df8f9e501b4843bafa5bcf2aab57242559ba430d58853180ea653afbc8f468e67

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\locales\af.pak

MD5 9554e414159d76754147d7e185056094
SHA1 e0fb0c95cef8e8d1ebeb11a6e2ea03b9067d799e
SHA256 f402c0d8494c9a2fceedcd7845ddf43b62e7d01ddb1d9c8e132efea83b724824
SHA512 9e8b41f69605d7bd426243e49b0f22347b211f7d13038ee6350d86d06cc7274bb2ef1918e27548802a5437903a653d86fce85338fa97f8c9642c0e74ed59ae88

C:\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\7z-out\v8_context_snapshot.bin

MD5 81870fb2f641c8b845e9c6d1a632f0b7
SHA1 fcd47d8d1232c189a1c4087bb03a015ce14c25ba
SHA256 875515af4e7254458c17a98bed087fc609d45fbc8ebf60663e112c37204f6840
SHA512 7748c8fb6f356aa45023a56245c43c5171d0413617fb1ac6c75650be75bbe94bd5528e9aa83cd9df9a08af65540a76ab59bc866e5dcf0fa7284122f290bd45d3

memory/1668-582-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1668-583-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/788-584-0x0000000002F00000-0x0000000002F02000-memory.dmp

memory/1668-755-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1668-756-0x0000000140000000-0x00000001405E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 203.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsd8E66.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsd8E66.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Users\Admin\AppData\Local\Temp\nsd8E66.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Analysis: behavioral14

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 960 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 3464 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\system32\cmd.exe
PID 3464 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\system32\cmd.exe
PID 2832 wrote to memory of 4884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2832 wrote to memory of 4884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3464 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1628 --field-trial-handle=1660,i,15471706491566341362,3712111011299238001,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2124 --field-trial-handle=1660,i,15471706491566341362,3712111011299238001,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2392 --field-trial-handle=1660,i,15471706491566341362,3712111011299238001,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "chcp"

C:\Windows\system32\chcp.com

chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1560 --field-trial-handle=1660,i,15471706491566341362,3712111011299238001,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 14.25.17.104.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 35.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gucbtndc.2os.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2396-77-0x000001E21D2B0000-0x000001E21D2D2000-memory.dmp

memory/2396-87-0x000001E235880000-0x000001E2358C4000-memory.dmp

memory/4336-88-0x00000173F2DD0000-0x00000173F2E46000-memory.dmp

memory/2396-91-0x000001E2358D0000-0x000001E2358FA000-memory.dmp

memory/2396-92-0x000001E2358D0000-0x000001E2358F4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 26bdb55a0abfa930e1d12a27f17fd19b
SHA1 80d4043a229c1f0581790126e5d25d6d70db202b
SHA256 9377b2cea0e58c28caf60b36642a4bc104cab18fbb14f7d0c3208cb9a70d66fe
SHA512 a4949470fc5396c7d86d08668e7ff87b9426ae58d276db8f33c9e05eab55d06014cfc068399cc21745a0edc9920e4eed48bef6ad1c92e7d9d5c898fdb2b22e22

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5c3cc3c6ae2c1e0b92b502859ce79d0c
SHA1 bde46d0f91ad780ce5cba924f8d9f4c175c5b83d
SHA256 5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2
SHA512 269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 28c65370f12e84b734af87ad491ea257
SHA1 402d3a8203115f1365d48fa72daf0a56e14d8a08
SHA256 4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c
SHA512 56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9bd13b7fd9a96f9e36efec41d02c8750
SHA1 8fb8ef671310cce88b893f56541f257365502d6c
SHA256 fb073dace06964d5a017d5fa851da00a45080de9862866ff862469ea3f9d8742
SHA512 601326449f1d4e9030abf5ab4a2ef640006e9d894a7ab57a8c92995c5405e56fbbc836307ceec5b722880565a76463100a323b207c71a2caf4a0766e5e864cfc

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences~RFe57e4c2.TMP

MD5 d11dedf80b85d8d9be3fec6bb292f64b
SHA1 aab8783454819cd66ddf7871e887abdba138aef3
SHA256 8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67
SHA512 6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences

MD5 58127c59cb9e1da127904c341d15372b
SHA1 62445484661d8036ce9788baeaba31d204e9a5fc
SHA256 be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
SHA512 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c0c5132c736538326dc661e55a5c46cd
SHA1 ee9676ef1e4e27b7c1310b1e7d7445c27143e66f
SHA256 4862a5e02f3709cc22f363a2414af7e7813ef24fcbdfcbafc2a5ea24b3411052
SHA512 ed7f50a867e3e9f8d5dfa60b57aae48b6fc45feb4b26d1a754c0346a711d498adbceda0dc8a7d198ca05c2eba88baa2488e91df0f678e2ef9e9641de26bc4f33

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 58f1b36a273e837f6e4a290733052ee7
SHA1 a596b6a97f55b84640e4e2773573aaa796653ff7
SHA256 dfefb199002d10e9795bbccf1a19c275ac0faf7b27c68b6d4f3b2fcf36df50e6
SHA512 8cf1b82db08774ff112572995cb8ecb23dfb5036b55fc0f63ef4bf66cca80d6eaf05a9e89cf902265d437c0330d9875800658ccd90ad9887d858667de10b1427

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2f02179dd49afea4c3a182bdfd479bfa
SHA1 f5aa60570c034775e4ee625eb7e359dd961beeca
SHA256 2d11a1bd7fda8fab32f814673a251ac7a3f8fd416dc81a4137ceb73a16c10fce
SHA512 0cc9825321a132ca7984c15e2b3d154c88dfc6c284d4770448a854879b3fe03b0b8e6e3683c8193e3a0bd0b02c3afcba9457453957cd9c5cb6cd42dcca0e64e4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f93951e235bc0183eaa5f1b353411c96
SHA1 99301664c5033aee9c53200c3b460803585560c9
SHA256 2341e36648d192816cf027206b5ec6f31ea87aa88e625ddb7b81688bb380b5c4
SHA512 89d49795e427f223178d07bce360c66e6773230541eddc867ff085065c8a339a8dddb9ef4fadc1da026b07db2754495d3a5fa564b56f75c9907a922211cec28a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e4bc7864adce6efa2ba035eb450ed3f5
SHA1 c2c619f53c30e156fa7d9c81b2b0300aa97e1fbe
SHA256 cdfe81e01956d7f99d9b187663129055da265ba4fd6ed1c265d523ba6de6b154
SHA512 aa51610478d301eec6363e13854155d5d80d42807b15f7ef01cb3f488a8e96f884f1e7e060652a280f75d4c172f0524b5620262402c7eed1ffe41cc89812ceeb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 31fa6751e50d42ac13bd27565462bc6a
SHA1 424f0d8babdb31195a2affa30a28643f0893cd6c
SHA256 33e16e7302d5d4ceb37603ca4aa433d6af3defb8297aef4f8f60818629ce8a5c
SHA512 0fdef395384f6954d817be2a9c79c0b2bfd1cd27760d0767833a22e1a8ee5c300aee18482753a9b018c116c5ff2c694dbf0b18b3b303dfc0be850042f29b40cf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a6419391d1082646a6cffac0df7c4e64
SHA1 b87e4253cbe7e37025f06d452d8bd4196cb683f2
SHA256 d048743e871d819c19400c1c839d5c39b5f9f8ad79ac02c0d3b10df5f27f2257
SHA512 1a996e2456e26e4449f882a47bbb250bab6592261c9c83977100a1a5b8c80e42c1c296076075482ec0caf4992a9f77a0523ca6c75409af8556e23d66f8cb027e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 27c3eb040e773ce2a8841e557ae70804
SHA1 942d5cdfa7d064e2a4b8d464ec5e6b378d6666d7
SHA256 96cca52a819876934c0508a9e6eece4ab06a8ca59d5076a0032ed14c524b9aca
SHA512 0230a98bd075781bc30b8bdd751e2d0dbe6b7707b0bd226991f44768b3c6db7da318ec67f77910427a1c3895c7d57e5c27789fe05d230dcf0ff21295a4c5beb7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c5bc01774e20858b3bb186b046368a5a
SHA1 93c29a81d01ec4c09015131cdb8034c5adf67bd0
SHA256 5349b62296a4f4d576ebe927fb70c1c4c88704bdaf8df2270c236d6decbd1157
SHA512 5b988f31f41ffb516bd27a9e459a749262868d00797ee5ce943261b56a64995e76c93721bc0d91f3b318adc9be2104cba0cdcbe25321ce6a1eaa8a04c6857102

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d8a2b74b9388d036c096d8940375d5c4
SHA1 bc8b2197bc1f603297bf466dcb1af5bb07295c4d
SHA256 34b5ae30a806f90c5f77ad277bcbb1e3d25318b7ff434a81ac8dfc45514e06ba
SHA512 f7aea4d15c8c2975667fff35086c6c4e6427209aa7e4d7b2ddca5fb48530abd20205056ae42c36c07c1e5707977accc5093e1d3eabbd9188fa379cc367d34ff1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 51ddaf2fbcc27737b3d5037cca105af3
SHA1 d95608a5afa4c25d724bc00da01185d881e27057
SHA256 2c5e51487093d715886ca782e8610d340d5314180be7ba30bea80668ab8dfa69
SHA512 b298b5c91f65b246d096369dd8a5d570afbd31bed87c70b7d43731c35fc8ec86341a4226dfac06479330285ea37b9f23f28ad6e4f0916c93cff189a13a47d15f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 76417e1cdecc7c4840b1b6d15c00f5ef
SHA1 03d6c18053c45ea157a1b40d087c8dedccda0076
SHA256 1cfed33b1cafd9cb5d0fc144abdd6d4376609ea423406c0c7c07662ba64806a3
SHA512 7a7e668159163c0256f9e82ec449e7e6bae305675199f2a6f002661dacafa3a286ee6b855cec57e2db6dd47ad5889ab37edcc906cf0934e089beebcd6c89c375

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\logs\main.log

MD5 0bd511df2b2e9efdfe9e13c13cf9c767
SHA1 15ff6afe79bfa4aad388ebc4a3e1275698c5276f
SHA256 cca8c8f0bfae6a7e74dbd9fb80ddd4697fb6a903fbe379e923bd5a9eb107cdd3
SHA512 8bc4f8ea898e13aa7f0af2e9e4af5ba335fe9a5ec4da905b517449be4d098ddeb3fa6e8097d879305bd29063e1c1cf9a297a0dc81fc78f9e6f6b6d1b6a5de75f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7853d38514a8146ba2284981a40cb700
SHA1 68d959e15bec395a3d3596209255b351d178b91e
SHA256 844aaf758b1187d64ea3cb45d6a3fd69fe92e0c1242c2dc9e83fb3781f2d33f1
SHA512 a1694889c2d4357b7dc1c29e706e3f8aef5178ae6739ec0e4478ec62cf325662b20918f334caca63e79c97e0170d0cd4b0653f28e597b14fe53ceb48315e2ad2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dc0a1f8ea50802021914f31b9218ff53
SHA1 e3f030e14a894d97ad7d922a49d4b02836831652
SHA256 28d26af382012f6942373bd18c97719456ee881a75404cefc0348ffa291932fd
SHA512 3cbe874d61b12184c6853bf3959c2d6d63e923593523f7ad7aa9e92711ea8d74eeb7075150578361459d84362ddf53c3c6da9ed7be94f17943aaa798fb0e3f59

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8584236124bc234b300f39b400760cea
SHA1 843be35b2af23b827cbde56d4905e88775ad1a0e
SHA256 6f91b5f4b9a0692f18ac460822f35a33101d522495af6ceab9af31bce4ddbce8
SHA512 1d369990cc6676a487c5f01038e4474baf509e32d28a03e5d1a087821a97637ce9c1d0f2c01b05769d38e47f9c261a630d68705362495a7d950af6c51512f114

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State~RFe58d164.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

MD5 0fe47c9f2c9770d1fa187f1559f1c3c9
SHA1 bd5d8eb135a78fa7fe92c9ceca52ca2548c9083d
SHA256 7dde3df1894fb39f779e968c3476ebb9395813382f0df1f489cd6e58cadc7540
SHA512 1dbe2f3e359ff3b2fc61543e8be7691a9b038de2390d4c46dffa7ffb52265bfb3ddc7af2ce35ad77c616f7e491130640f7d1871f107e0010979d4a248b33a2fd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ee4bbd4d8141d6983ff42682e0c8f1ed
SHA1 cbb46156e7cb293817113dfb77bdb9d13f737fc8
SHA256 77b7d2849e49df1fd6bbbe030317ee8954baef7ed00860c0b0c729fccd748f63
SHA512 9b82ce06eef3fb4ac1985f6528a96e2f9f386529948ef33a5c649501a5612b941230408cf0f8727d8f6c659eaf3dbaca206956d7d2cfe32eda1dbdecb10b4d4a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c45a645e11900e798729785b77bf4bb7
SHA1 6741ba36b5fc34a2a1a118bb977723578f252034
SHA256 329b547679909d3d2bc481f3101f261911d9cf7dcfc3bce224479b31a576456e
SHA512 32eba7f627e833968ee011281d05b2a769d53db7c00c45dd39717e2e64f3d5474877dd9372bbd2652aaed827d887129c32980eadd18b2c47c3bd8f67b59d1333

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 88d8905352133b581ccc0ed193856bc4
SHA1 d896cf8e5391f28b8a8c27e8feeaffe41eefb8e3
SHA256 ebee66d72b0bf4e464c93f941a0c0a9aa2137e4571f15c9be89104a83e1d54c1
SHA512 2d76ddd59d8a4695d57c25a821379d441b6761fdd637ad9226a5ec7ed03814a6d6e7634c77dc31f28fdec3258ca6e642fe4545b1e9a5cf2837d8618ada9ad86e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 989ba7edc43b500e15f2b916ce5a99fd
SHA1 94a2f7e685eef114971aeef618a6a9dd227fbc91
SHA256 81711ebad6d16b9f2c2754dacc2c4fb99039a359d2b584d398fc4886905adabb
SHA512 003b87c3685f4632f499724dab2a4ba55359347df4c141646d02c321a50c5a374efd45551c00a2a3d0f3b109c17c046d17681a649766a9a6f3f464544b34cb53

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e23159b24a04457ca9bfa36085f7ae2d
SHA1 802093d1131bfe5b2d688f52f1e867818185e2a0
SHA256 533463270189f80ab8d673ded5d2a6f0797d975356352b3372091214435cf6dd
SHA512 6cdb86956191f0a99a28173e1b794608ca51cade8356e5ce9d57afd7590c0e226843dee2998c3db5fd58bd5a49fa3a2b67e44d0897f98631da7e9bf331ec9047

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 43607b34727d4093b3c56b8e39a4b4e9
SHA1 7bfcefe644fef5441f31b73a5f37314cb3cf5771
SHA256 8abf1b466d3e919b2426cb5090fac38b63b623d072579e819d838d563ebe5ada
SHA512 f59087702875bc2ff49d2593360440c9ec7383ad04ab58a496fdf59664305a39ec6e6068676e2a6e9f69bfaa6966c070e45a366a1215f140b2161c4b2cf6e150

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 276579eaeacf363c5e1d003c4b310409
SHA1 d362d323c98f01a4c373e10fa4e3366c071e611b
SHA256 55977472091168aea3b17c03c921e45954134720491fcd10bfee836a1da563cb
SHA512 eebf3759acdc8e0923fbf72a0ae05fef890050b21cdea73cd04bb4fcbf8b8a88ce1dccd1d500b12bf8991804af3eff9c16ef4e6fb62cb5c80c42e63d5402fb33

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e80135180462862810164b49163707b2
SHA1 69fcb50c03fad47fc4951eaf654bd4853641a37f
SHA256 312b0b5a5c337c4c99b0a509e07a50a7d5d3f1d3993d29fc949af590a58f4c9a
SHA512 b89d3844d24a942a612947ab9a65a30d874a10ee6fe4b44a058c6bdd3d95d8aef3a439a3a960977f0031838b2a1b47698904147534953eb758ce4f832373e67b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cc7ffe2b1da3d28e1a8a1f23ca25ac81
SHA1 abd2654bf25b47465b977468430fb801f8429067
SHA256 15034684519e2d03cfbf284c44d54e9d55bf1b35fe51b49cb2060d0ad39c076c
SHA512 5f9b52ad229d08c9a94af26849223725a90b6969b3d95baa402da9865e7e464f106da7d3301eef70ed895a01f1f1f5b826dae79d7d1719d0a19e6203a23611de

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 69fdb810bf95d5f6df1cbf743b4998d4
SHA1 09db709797a97223f62a2fab39a8268265df4669
SHA256 fb0af8c5b01041e841891a78bfab1583dfb94dc59f6817e2bc5d370e769cf972
SHA512 6e78dc2197a363de12e6a436d6ab3905ac9ff380534aeacb7b3b6a0a89b2434080b0b772a323ad254c9488c514bb329e969d43d366b5872f4dfd32ba3bb63076

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 81ad8eb93f1efe12adcb014675f3a03a
SHA1 c72c1b2a4948ce7631117176e2a126fa139fef05
SHA256 60cb94e2c41039f643ddfaf12babb62ff01f6194e4ba61f882f5384296ac5d26
SHA512 f77b8f1b2e3ef66d4ba8ce8622b7593cf281e14004a664c1ba1d55a116cc811e0088321aff9c4478bfa314b670a72962bed5ef31e016d94e13a682e9f43d9fbf

memory/3468-909-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

memory/3468-908-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

memory/3468-907-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

memory/3468-913-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

memory/3468-919-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

memory/3468-918-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

memory/3468-917-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

memory/3468-916-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

memory/3468-915-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

memory/3468-914-0x000001CDFAF30000-0x000001CDFAF31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f2439add080938600be83763b57822f4
SHA1 056c3b1a84de10e2ba3a1c3e6a635f098f2a07c5
SHA256 d3de2f4eb66fa79e9d091fbee9df359e1eba5723c7d1bb9532af5c515861e0ad
SHA512 d0ffbfe8e2e19f51b56503e744d6eda5b15e1538a93a61ff0ad92c1c67522ada495f03e336852781de89832df5b933bacaca305d87b66de1472dda36a53c07a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 316ba4162a98ff003c76d3391603ad98
SHA1 3c3081e235974a722b5a15fdf99a67e68a2125e2
SHA256 245490b0b903075f4c62ae1d8e39d3298c7aa606310a740182bff3a358169ab4
SHA512 fe2d8d332014ca7c72f7f17d75a1a8de71cfd70f930ff9c638eb343c5c5a94b634e6896c372446e75a6092ca8b9c21f1fd1be7814b77c22d4acc08c1053726b6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0fd0469f84481ad75c8239c8415a1a4e
SHA1 b8c1eb62d3075b02bc458f269414b9cf7f9feb12
SHA256 060b98dfd990fff9a7c339dd72c4da3968aeb055c1ae68084c86aea257747d52
SHA512 2c68ef8a52e1eefa54c59bf068e39ae920410a8706afc8fe7ace1f474a2ff971bf3a7557f2fa8f597aacdf17f2eff5bd93be664e573c862e413d662e3c369e1a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 35290d5cd9df2c4a47bcca00981bb37f
SHA1 d40430173baf7bfe1d2494b01e64385e5bf67e19
SHA256 0b69cc352136c494bd869f581cf6c3b166f1acebc1ab9fb470cb729683182453
SHA512 e6244af8305a6938c2e9ca334339b5cd2a3a656f26e6b431a0041d008ef5b46fe62335444b288a4a74ff312a7f1221d19299e03a9a10c475b764d2d4b19ad7b6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 17d4696ded887c120052961857470fdc
SHA1 9ddfe5b13c9fb62387cafac44833c2c2cff78bc6
SHA256 4379cfd30d913d452dd0388de7a09481dc2a800c87b7ad2e17f9f7834350c7c1
SHA512 92e5f811744b703010ebcce53d620e44b58776f6e8aacb348e8879011216aebe73e064d9c7822e7b88a6c06b0fee1d0f3aafd66b28027a9fb980b1cc9eca4f58

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0cde187a7e5ebb6d57cdd08ca45bcee0
SHA1 ed0fc42f07ce807e2c89bea9bd1a97cb31f3f3a5
SHA256 baa7ea1ae458a40f928dc062ac71f47bfb47c85fd76e1749cc4645d29fa5a15e
SHA512 f0220ae1cb689a20634ac0127993fc268e9141ebbd65e234a083711bd259ed6a9ee00a92024367bb148bf3a08dc70712c1f0d68aaa5cda8812b132121ba9bec8

Analysis: behavioral19

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

119s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240708-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 2360 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2356 wrote to memory of 2360 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2356 wrote to memory of 2360 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2356 -s 88

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

125s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 2164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2960 wrote to memory of 2164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2960 wrote to memory of 2164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2164 -ip 2164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240903-en

Max time kernel

121s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240903-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 2088 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2936 wrote to memory of 2088 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2936 wrote to memory of 2088 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2936 -s 100

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3712 wrote to memory of 4564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3712 wrote to memory of 4564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3712 wrote to memory of 4564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4564 -ip 4564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3852,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=3964 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

132s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3420 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3420 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3420 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2188 -ip 2188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240903-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 220

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240903-en

Max time kernel

119s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2680 wrote to memory of 1784 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2680 wrote to memory of 1784 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2680 wrote to memory of 1784 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2680 -s 80

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

122s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240903-en

Max time kernel

118s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 220

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240903-en

Max time kernel

117s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 220

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

153s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4020 wrote to memory of 2080 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 2080 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 2428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 2428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc435146f8,0x7ffc43514708,0x7ffc43514718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,1951281630346979279,12383867089974021548,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,1951281630346979279,12383867089974021548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,1951281630346979279,12383867089974021548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1951281630346979279,12383867089974021548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1951281630346979279,12383867089974021548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,1951281630346979279,12383867089974021548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,1951281630346979279,12383867089974021548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1951281630346979279,12383867089974021548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1951281630346979279,12383867089974021548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1951281630346979279,12383867089974021548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1951281630346979279,12383867089974021548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,1951281630346979279,12383867089974021548,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4800 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b9569e123772ae290f9bac07e0d31748
SHA1 5806ed9b301d4178a959b26d7b7ccf2c0abc6741
SHA256 20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
SHA512 cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

\??\pipe\LOCAL\crashpad_4020_OGMGIILJJSQGZEFN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 eeaa8087eba2f63f31e599f6a7b46ef4
SHA1 f639519deee0766a39cfe258d2ac48e3a9d5ac03
SHA256 50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
SHA512 eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c899b3dbc5f49fb4073eb8ee298f127d
SHA1 8de4238a6414c6b6b3050c6b1bc46267990b9734
SHA256 90d8a17559b88ecb2cdd36833c49b6080020db5ffd22cef662283d55281d9aac
SHA512 0638a149f30b38a5c40e2e9597a3ab4b7e992d0fee224e32af197dc9149dcc7aa146a463c7b235ff2a5c7264a3269e4ef71372da5f49f12b41fcfa923799ea33

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fbec212e95476ed1396e46e029ce9bd7
SHA1 e003e3985c39d0daf2822f17afa2be741d59ef42
SHA256 c96c286cbead39643a5042525c911d9f5cdee3b33dfe92b57534cbf3238c064e
SHA512 6e708260adee91ad55fa630b697a35d64716a89ba99c0a8af62e4c6840c0d67fe4e43415ad77f07a6e4970f08174c34128448b9d876344d3056bccd923e9e2f8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2ea34a9d3de7c53af9f8ec467c3d4c55
SHA1 a9ce3231749b4a786300d6474d8807aed43b8fe1
SHA256 58f506413b7e306e32adcfb1026515aecb62be5460888269cf51db8af6b1e3a2
SHA512 50dbd5dd73f184061ae350b3ae1edd305aa3e50e1a999eb6e6020bfcbeb128a0c2fc9649b4e57e1fabce047317a1b2629052efb8891d8b81e4df7b8ab43f4c11

Analysis: behavioral22

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240903-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

95s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240903-en

Max time kernel

122s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 224

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240903-en

Max time kernel

118s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240903-en

Max time kernel

122s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

110s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3748 wrote to memory of 996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3748 wrote to memory of 996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3748 wrote to memory of 996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 996 -ip 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 744 -ip 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

88s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240708-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 240

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win10v2004-20240802-en

Max time kernel

132s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3916 wrote to memory of 3556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3916 wrote to memory of 3556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3916 wrote to memory of 3556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3556 -ip 3556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-09-22 19:09

Reported

2024-09-22 19:14

Platform

win7-20240903-en

Max time kernel

117s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x254

Network

N/A

Files

N/A