Malware Analysis Report

2024-10-18 22:30

Sample ID 240923-1smw7s1aqj
Target Ultimate Tweaks.exe
SHA256 30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966
Tags
discovery zloader execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966

Threat Level: Known bad

The file Ultimate Tweaks.exe was found to be: Known bad.

Malicious Activity Summary

discovery zloader execution

Zloader family

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

System Location Discovery: System Language Discovery

Browser Information Discovery

Program crash

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-23 21:56

Signatures

Zloader family

zloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 1512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2408 wrote to memory of 1512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2408 wrote to memory of 1512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1512 -ip 1512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=3032 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1596 wrote to memory of 1348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1596 wrote to memory of 1348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1596 wrote to memory of 1348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1348 -ip 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4992 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4992 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba6b646f8,0x7ffba6b64708,0x7ffba6b64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,15642376453956414861,6573812177191311913,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,15642376453956414861,6573812177191311913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,15642376453956414861,6573812177191311913,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15642376453956414861,6573812177191311913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15642376453956414861,6573812177191311913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,15642376453956414861,6573812177191311913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,15642376453956414861,6573812177191311913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15642376453956414861,6573812177191311913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15642376453956414861,6573812177191311913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15642376453956414861,6573812177191311913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15642376453956414861,6573812177191311913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,15642376453956414861,6573812177191311913,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0446fcdd21b016db1f468971fb82a488
SHA1 726b91562bb75f80981f381e3c69d7d832c87c9d
SHA256 62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222
SHA512 1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

\??\pipe\LOCAL\crashpad_4992_EJLSUYWKCSMRZKNE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9b008261dda31857d68792b46af6dd6d
SHA1 e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3
SHA256 9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da
SHA512 78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fc2b167d075bee56a59b10710ba2afa5
SHA1 130636e6bdf65056b77d5350588e3efec6ab7bb5
SHA256 68402027d1590fc08512517164d8d7ec78e1a0161e12508908cfe07bfb12cb80
SHA512 b6112a12ab2e3248b08fbac3e4547325b73a0cd93f70b212eb6b8bac0c0835356f406068dc355548c828283bec0e0bdcb494e81b5eb4f3f600e3c8d73e82177e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b03b1d9914c3658f7fa393127faf4496
SHA1 1ee2175a227f08c02e6f5cf6258b812bbe0cbb66
SHA256 8824f140da13e8bb9384b862d6655f033ab61f9a490f7003169c3733c592cf52
SHA512 0b2b76cfe5e5b61037c5ee171f13f257b237d9a87de18b2eae4a45c7504ea10379b90ec9ee295097772593a274aedecf245ce22075fa7cebb591f104447043e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5a0167c1b56bc6a170438e1206edd511
SHA1 d6a605ee8c3404305fcb1635cef3a35337144c6b
SHA256 79b4edbd9b606c67a0105c2d3cd8984b12f7f21393690f355b054f7712089f38
SHA512 604061545a4dd228b3ea806574243ef0fee43c52b33872fa9f9d96937054530509dca5ee670f5bc1b2e3573dd635cff54776257577931481973870fa95026b15

Analysis: behavioral24

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240708-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2632 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2632 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2632 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2632 -s 80

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Analysis: behavioral20

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240903-en

Max time kernel

119s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 2008 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2016 wrote to memory of 2008 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2016 wrote to memory of 2008 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2016 -s 88

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240903-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2624 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2624 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2624 -s 88

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240708-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsyC801.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsyC801.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

\Users\Admin\AppData\Local\Temp\nsyC801.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Analysis: behavioral15

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

132s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240704-en

Max time kernel

118s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

90s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240903-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 220

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1572 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1572 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1572 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1780 -ip 1780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 34.197.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 220

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

91s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3544 wrote to memory of 788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3544 wrote to memory of 788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3544 wrote to memory of 788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 788 -ip 788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240708-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240903-en

Max time kernel

5s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 240

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 852 wrote to memory of 2252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 852 wrote to memory of 2252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 852 wrote to memory of 2252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2252 -ip 2252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

62s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A

Checks installed software on the system

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4508 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 3156 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\system32\cmd.exe
PID 1492 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1492 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3156 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4508 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe
PID 4508 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe
PID 4508 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe
PID 3952 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
PID 3952 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
PID 3952 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1716 --field-trial-handle=1724,i,13394067492642898359,5528618231410757133,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2192 --field-trial-handle=1724,i,13394067492642898359,5528618231410757133,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2364 --field-trial-handle=1724,i,13394067492642898359,5528618231410757133,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "chcp"

C:\Windows\system32\chcp.com

chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe

C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe --updated /S --force-run

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --updated

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1736 --field-trial-handle=1740,i,15565128355141145415,6439661447983720820,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2156 --field-trial-handle=1740,i,15565128355141145415,6439661447983720820,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2408 --field-trial-handle=1740,i,15565128355141145415,6439661447983720820,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "chcp"

C:\Windows\system32\chcp.com

chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3360 --field-trial-handle=1740,i,15565128355141145415,6439661447983720820,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 14.25.17.104.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 226.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
GB 142.250.187.225:443 tpc.googlesyndication.com tcp
GB 142.250.187.225:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 225.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2gsitwof.1ob.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1216-77-0x0000027A5F7C0000-0x0000027A5F7E2000-memory.dmp

memory/1216-89-0x0000027A5F840000-0x0000027A5F884000-memory.dmp

memory/1216-90-0x0000027A5FCD0000-0x0000027A5FD46000-memory.dmp

memory/1216-97-0x0000027A5F890000-0x0000027A5F8BA000-memory.dmp

memory/1216-98-0x0000027A5F890000-0x0000027A5F8B4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 28c65370f12e84b734af87ad491ea257
SHA1 402d3a8203115f1365d48fa72daf0a56e14d8a08
SHA256 4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c
SHA512 56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5c3cc3c6ae2c1e0b92b502859ce79d0c
SHA1 bde46d0f91ad780ce5cba924f8d9f4c175c5b83d
SHA256 5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2
SHA512 269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0fac098bc4e11075670e413d71f44a7f
SHA1 afd7f3f1da5d2deefaadf1f7b7992c8dcec9b602
SHA256 6280d1d63d4d9398c9def401cb9de658b274f3c6b9b268094766ba06b7639442
SHA512 9e2701e1ef7d83a1dbabeced989238647ff4b1143fddf562db87740bde0f6b28cecc28f56d11172c37f8b2da640d4d6d5d0bd17f104f5bda69839b985f1795b9

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences

MD5 58127c59cb9e1da127904c341d15372b
SHA1 62445484661d8036ce9788baeaba31d204e9a5fc
SHA256 be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
SHA512 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences~RFe57f2ad.TMP

MD5 d11dedf80b85d8d9be3fec6bb292f64b
SHA1 aab8783454819cd66ddf7871e887abdba138aef3
SHA256 8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67
SHA512 6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2a21a825c8c5c1f30da93bfd335ca956
SHA1 adda8c9f675fa7afd75fac9be650212ae348a22d
SHA256 d0063d331b67040c80fa44e510c024ca3424f18ddeee2169a67ebeb0c8066c18
SHA512 653f54c1752c9b1a61f412e4b65ed86e3f382e572520e4f32fa278401dfa99efc09df22b589b6f95a95e3711eb1bcf320f62548c5475600ae90082dbf1a1f0aa

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e0b0ef466faca97048f7cc31b81ca148
SHA1 cfa8c80a23effc58ae27539b573172871dc0b33f
SHA256 ddaf12354f59e3c757a64ac28b1218c4e9977292240aa81b44f0a5178baee93b
SHA512 eab21046d29b460af925bb31f4cd405c74aab6eb64d14c8cc2a3ab090936b066704336df8e3cda124792b004ddbfe524247e8eea743d9e6e732f1978870f6597

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 681fbeae6a2ff22576ea464e7bd8b6cc
SHA1 44e6372394624d8ffe4314589525676e713903c6
SHA256 0f68aeca5a23682db8a0f869299d1304a416d0a3aaff798a81e3afc9b946841d
SHA512 bd0fe811f35222ad3828581045c5a4846687b7137f7affbcb83f83b49b64261095eae09b166f59268234b465336e3f80320fbda6a7b5e7240bad68cf6a10f3a3

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\logs\main.log

MD5 19a89575da14859f3ba2deccc7e9fb89
SHA1 b19d35a23ad5bea45ad8b4c17df0cf415d0daaba
SHA256 c1305e7141d1d907c59de20c7ffc68358daa9f92a80db70c68433137605512fb
SHA512 f11903a9ca5ae27fcb9f7359b223614d309d56de42e88cb35f380468ac24b40140aa983172e088404fb1664b16a1d61fcbc520076e331b1fd2c4c7008e393ddc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b70deecb95e63cfb447d140f318f2fd8
SHA1 a6bde2d5cd27651df7f6851585b2827269bb62a4
SHA256 5298a4215f42417d88aff971ffecb62ce9c071d42ec5760a6e1ceb32f3d4df9c
SHA512 97119406f5d08d244304db5945c82824f2e26c70e29e2a14794c4f18b4177d8a0beb6dc518f854193a9f24954a37b8862b3cf37f47254eccb7b86291160b567b

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\DawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\DawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Session Storage\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Session Storage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

MD5 91efb7e1445a343d12432d6e265d28a3
SHA1 f5a7896119f6011a8a26ca8cb03a72bea7c3d14c
SHA256 8202456f1592136e1716cd2a54a10d8f1584a29940340ac864993cda9b5e3c60
SHA512 ad3f788c40835697c2219a2523d89b68a35882bf9088ad67ca35529e299d95e9323b340b12816af18c43b0d44e0d79e314c4660628705b9c4e2e2b0dd16ee8d1

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State~RFe5828a1.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\nsExec.dll

MD5 ec0504e6b8a11d5aad43b296beeb84b2
SHA1 91b5ce085130c8c7194d66b2439ec9e1c206497c
SHA256 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA512 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\chrome_200_percent.pak

MD5 e02160c24b8077b36ff06dc05a9df057
SHA1 fc722e071ce9caf52ad9a463c90fc2319aa6c790
SHA256 4d5b51f720f7d3146e131c54a6f75e4e826c61b2ff15c8955f6d6dd15bedf106
SHA512 1bf873b89b571974537b685cdb739f8ed148f710f6f24f0f362f8b6bb605996fcfec1501411f2cb2df374d5fdaf6e2daaada8cea68051e3c10a67030ea25929e

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\chrome_100_percent.pak

MD5 b1bccf31fa5710207026d373edd96161
SHA1 ae7bb0c083aea838df1d78d61b54fb76c9a1182e
SHA256 49aff5690cb9b0f54f831351aa0f64416ba180a0c4891a859fa7294e81e9c8e3
SHA512 134a13ad86f8bd20a1d2350236269fd39c306389a600556a82025d5e0d5adaab0709d59e9b7ee96e8e2d25b6df49fefea27cdccefe5fba9687abf92a9a941d91

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\d3dcompiler_47.dll

MD5 2191e768cc2e19009dad20dc999135a3
SHA1 f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\ffmpeg.dll

MD5 bf09deeeb497aeddaf6194e695776b8b
SHA1 e7d8719d6d0664b8746581b88eb03a486f588844
SHA256 450d5e6a11dc31dc6e1a7af472cd08b7e7a78976b1f0aa1c62055a0a720f5080
SHA512 38d3cac922634df85ddfd8d070b38cf4973bba8f37d3246453377f30165cc4377b4e67c4e0bca0ffe3c3fa0e024b23a31ec009e16d0ab3042593b5a6e164669f

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\libEGL.dll

MD5 3a5cbf0ce848ec30a2f8fe1760564515
SHA1 31bf9312cd1beaedaa91766e5cde13406d6ea219
SHA256 afef052c621f72ba986d917a9e090d23a13f4ab6bc09f158eeb73fd671b94219
SHA512 bd5713e1d22145b4cc52f4e46b464f443aad6f783a5793268e7d9dca969f27b70e706eecd54cb01be1c94256e6a95864c6b7e50027cef7fa870cdb16820ad602

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\icudtl.dat

MD5 e0f1ad85c0933ecce2e003a2c59ae726
SHA1 a8539fc5a233558edfa264a34f7af6187c3f0d4f
SHA256 f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb
SHA512 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\libGLESv2.dll

MD5 c783045e4b7f00c847678d43a77367f7
SHA1 7f9192ce0b23ac93561aeec9d9c38daa3136c146
SHA256 3a39137dcee6cb6663ae9cca424b6b05cf56c0ad7e32fb72cb94549ea9dbcae8
SHA512 64e6d4fc84f1217ceef05a22ad63a6618ffdc470b1faf4ad9e2d7bab59e9285527b9c5fd7ea4be673a08b9466434e3c098e839bf6955597e3d8aa0e80589f4a3

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\LICENSES.chromium.html

MD5 bd0ced1bc275f592b03bafac4b301a93
SHA1 68776b7d9139588c71fbc51fe15243c9835acb67
SHA256 ad35e72893910d6f6ed20f4916457417af05b94ab5204c435c35f66a058d156b
SHA512 5052ae32dae0705cc29ea170bcc5210b48e4af91d4ecec380cb4a57ce1c56bc1d834fc2d96e2a0f5f640fcac8cafe4a4fdd0542f26ca430d76aa8b9212ba77aa

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\snapshot_blob.bin

MD5 cadef56f5fb216b1fbf7ada1f894ea6d
SHA1 373d2a4266be5c8fbf61d4363ec47ddeb2d79253
SHA256 0976145cc8c02f3e64ddbf51dc983bdbb456be7fcf3ce54608e218981671ac12
SHA512 9c90e8943f9ef6d644fe0fbe55ab25ed371739d17da8cf973893a2e41ebfa0a92bcf1761e72da032f9f3d1c6f1080c62f856aa07a3cbb609c9e8c186f92216b6

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\resources.pak

MD5 67bb5e75ceb8ced4c98cf0454933cb45
SHA1 c2b1c8c8d753318bc5ec18762c27512a5eb9f9cd
SHA256 5d63acd4034f7771ca346d138d7478014abf1f3f4386d07fc025dbc2c2bc0bff
SHA512 fd213d59ebc625f6f8b20cc8fde1a22132ce827b81deaddb9ca7993fe0d9616de17e089def338d23c4b6bbd7d3a931ee73aa329325eaa17f8145a58fe11d8c38

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\v8_context_snapshot.bin

MD5 81870fb2f641c8b845e9c6d1a632f0b7
SHA1 fcd47d8d1232c189a1c4087bb03a015ce14c25ba
SHA256 875515af4e7254458c17a98bed087fc609d45fbc8ebf60663e112c37204f6840
SHA512 7748c8fb6f356aa45023a56245c43c5171d0413617fb1ac6c75650be75bbe94bd5528e9aa83cd9df9a08af65540a76ab59bc866e5dcf0fa7284122f290bd45d3

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\vk_swiftshader.dll

MD5 0a071201e4dd76996e273c81533bfa74
SHA1 5c92c634027692c344a8e74eab8b4d5c3e049497
SHA256 08e34bc25653f9357a4ccf62966d698b7cc6265dc668046a28403ae5786132ee
SHA512 b5de6548c5c743b6f119183fa06aaf67dcd4cdbc3542378ff87916b670ace1e2f4270f6dcaa4caabd01460c638bd02b565267e7bd9617ca92d72187d374bb7d6

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\vulkan-1.dll

MD5 a6588e66186ccf486eede8e9223f0d41
SHA1 777a5c4028c7675ee1fc4e265a825b35d5099577
SHA256 419488597ea255ec61f028aeecd36572d072dfe49b7ab716cd2c0a8e186f24e6
SHA512 ba8b9577f47ac5b9503aab8d4cca6059c7208bf0eb37999f4fbef0c2cf03032a9359559a0221f332c6cd66c38366fb0e1f1d32173f282afd639fabea8fc9400e

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\af.pak

MD5 9554e414159d76754147d7e185056094
SHA1 e0fb0c95cef8e8d1ebeb11a6e2ea03b9067d799e
SHA256 f402c0d8494c9a2fceedcd7845ddf43b62e7d01ddb1d9c8e132efea83b724824
SHA512 9e8b41f69605d7bd426243e49b0f22347b211f7d13038ee6350d86d06cc7274bb2ef1918e27548802a5437903a653d86fce85338fa97f8c9642c0e74ed59ae88

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\bn.pak

MD5 d179d38e8b9f7e60a943e2fc9f9471ad
SHA1 8d109081959d194c82b89fb25a514a65233435a7
SHA256 a45279ccc13390e0d93cfe1e33a7f276a5d9e97f6aefa6b6e14ecc4289703bda
SHA512 fa6f3e45f40e1e48f191e4a65f5d15dabd7058af4537eea3e34998dc67dd250b00e52d1f07b10a73a67a15aada4523e50f40160d98a5f37ef4684a30ff338468

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\ca.pak

MD5 bd846046383d64073da6eb192f5cddb1
SHA1 6dd4bfb982101ecafc14eb35834caa1fe5b1e3f5
SHA256 1dca9a7fcd850aecd48288999b436ff7e70cd4a96f47b40319759a800fb8eefa
SHA512 521ddf6e8fb444b911212501825392562af14cfb5b31a80707fdeffb13c8afb04852b0e3f7e3363a1c3a37c5c35bb1cbe84b458e14e30b5e8d8cb00a6a349ce0

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\bg.pak

MD5 c80a2008d9f61c182430a728a6e059af
SHA1 2f2aa33573156d9939e3fc81f8d81de4aac21e61
SHA256 5947f567ce1f4ab945dc6dab1599422d412f4417b9097905150d669122e43f7d
SHA512 016ce835b6bac4d5b38d72c0b3adf4d6b4e0ac04677d70c53e5938acd28b12220d2878bca7875471d008b779ea6ab4972a9875b44304e867d0bb5e4318c0edc3

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\ar.pak

MD5 7608398c66cd0b55396f7250b3c8747c
SHA1 7e8417dfc7055fb9ecbe7cfc97a8aba0bd5a0e13
SHA256 3bb407fa588fb801ab241e8dda018461b54010a38648c3acc1e3550c0dfbd75a
SHA512 5dd757e4f114782eab9ab8cadbfe3179ded594285b3d0f7f6fa5ca50d80d866e7c8ff6a1f44deba8bdf09c04106de635c1da22597c008023b1fdf1cc747b6f1c

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\da.pak

MD5 c54edb2260d2b907049cdd4772d5313b
SHA1 a12f623e6310b667a9c38b4c9143920d08564377
SHA256 318a9ec9e9fbe35d5d8cb9b719ecfbe1ecba9d8f246876c949c082107b439ddb
SHA512 4eef045080fecaf55bf2cca7d72d039b7d7a7b28021b649becee320a3a8c0753f4e0e5f869a188813e746bad05fd08c726b5c25f40ef9555967fafd93f7f6989

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\es-419.pak

MD5 763f8c8ce092a3d64bbebddf4169e108
SHA1 89f2834c1b4e3f84870af29650bda6fe360350f5
SHA256 0c816f00b15d59809d30b6611aa455ea1bf8b022d2f887137f1c9d7a5600d5d9
SHA512 8401cec52e80a5136543473b317f0e2d920008c83b9667605cd0deb9fa5f933deeda0aa475b436520001c6a7c91118a4d9b11e28a9f4b31271662780e678dc06

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\ja.pak

MD5 d84e12cecf6e4355933ed68816f090f6
SHA1 eb35ef52f341442dd887d43a52af7f02926d5288
SHA256 8de18410e38f4036367113bd4ed253a4957709d87e0aeb11134742bc89e16d62
SHA512 9dbe703493acb7b48ee1dbc4458ce0b9d757419e3fbf01379bc8dcbd22cc30a99348f7cb96840c19e873d6d97bb4d1a3baa4fcd6e0d332480273020a6e13a375

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\nb.pak

MD5 c2c49ebaebc448cfeb7933ce2cbd6ca6
SHA1 c3efca0fee40a3daf7d69768d7659de60b3e2c4f
SHA256 67d997fff8a24eaa030eadede7f5345fff5e954e96bc8f36d399839bed998774
SHA512 c500bc1097ed9077742c5708bd55dc4215c45f751522131b8203d7ae802d278ffc3a9ef607325bbea5b650d594dde0d74e7fa4502e1a0f905534c32fa1521bba

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\sv.pak

MD5 eb39645ebed4f980ab12585feae2f4b5
SHA1 fc7c471b93f59bef13f7bb4669e683385a8b9dec
SHA256 ca34ee1c147358b5e32b5829acc0c355708925dc8df91c21d8e495c7485fa5c7
SHA512 5fb25d7dfca3483967a5262d2c62b5d37a192f5a7a19dcf6722a9a8753e299e567bf7f26171859c374c8d035bb521fb4eddc4821aebf9ceea1253c63e1595c60

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\sr.pak

MD5 02bdb4d99bd466eed5fed3445560d52d
SHA1 c24e1895145b3066840be0d349f5e866e46e2a39
SHA256 ac09005a83d4ac8f61855c7e301e48a753d2f3558a04cdb94f23b539e2086e54
SHA512 fac7bcefe31f41b6e37f215f271b33ab21dad281c1b0bdaf28769c99e31bccca625f213fcfd7c0047b3e2104a8f51b2ebc5fb374b32f58ae22c4130e315aee1e

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\sl.pak

MD5 299acf51d74b95ae4272730c437763aa
SHA1 8a0ff73f37d830b6677e514371a5825631aa455d
SHA256 26e29cd70c4143d7e9fb65e86e02c9173997f2fc062633a5edb2b7df55942157
SHA512 d7d298a4eb476a3cd4411261058f6f9409d0dddb3756cdc1e27e64280efc8b84fe40afbd92c754d56f58ea333623b0481766320b5969f5dd71f0c2a93be8ff77

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\sk.pak

MD5 e9bb6352cdd0f1c2fdd543a48ba076fe
SHA1 50053620d7be5566bb3ee588feda1a4daa207672
SHA256 441155d63257beaac9e2998afa1a9e65957286ed1cd9e0670072a63e24ff3f8b
SHA512 c1f87c7976159c8ff3e28185adcabf93d47ace0dc9b95fbaa4d1e5ed9ea8257263276880486a4c17a68a5869e6ec640eaf81f5ae6c4481e351e73e7b4dd9dd9e

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\ru.pak

MD5 a0072d84d1bcb2fa7bbe7ae4e06151ba
SHA1 b9227c6cd4ff9f6db6a8edf694c444beccd369f6
SHA256 8c169d6995d97feae8b8ec947be27697ca0ff731b593fff36163e4f31969a6fd
SHA512 fad335e81a24427f2b0a2853733da94c9839139a7982796bf742eacba306ecd9998914bcac49b925d5bb18953091a4dcc62ea6a628fff125c086099cfd33e3b5

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\ro.pak

MD5 36f8327b36f2c6c003f864895968af2f
SHA1 248d88aa9fe46cbcd013ea7d7270f8483215c073
SHA256 6343589863bdd2ae81ec9c33e335048fd8792d2c2e8872f91f7a325a1f0d97ac
SHA512 bb03b5af3ddf676dadb35d5b94f40ae1c95cba2e7175c87d128c319e0055dd91f412883daace89fa33a17b9761f1cd7bccdf261b16ffadd6e10da594445c2c8d

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\pt-PT.pak

MD5 4aa908b531adedb0ee795704ab72e248
SHA1 2ea9f4a7e561e70b06b675b3fe35ccb0f2a12fca
SHA256 72ca754dcb34c54b72087ab7fd5a4a3fa03e09cd1ced906d99d6525c7a19ee9c
SHA512 7d4a1add737136acfc7ed7848b0ee54646d5c8aa3a54addd7cf0340ebf42b58f6ce2eff56a2ba94125475e7b64989d06fedfc8b1ee41ece63b18b1f95686ad08

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\pt-BR.pak

MD5 f18cae95b8bb6760d370b435235c5629
SHA1 eb62bc4249ea8e5688c67aa65bfa2b628fd5e1d8
SHA256 952234ef1d2792204f4e65cc814e9fc6dc007610668ceffb980c74fc0167ba0b
SHA512 218e9e4e59c875fe7931f16e6df877f67b8466a5e8a5565a1cab0f091b40b0652eefcf205536f5f4b8697966aa201092c26249142dcd8b40e055529e23ef7819

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\pl.pak

MD5 ab94060826404cc09d5fed31f63cec05
SHA1 20d1cea9d2e60b9bbd4fddb38a652856a3561008
SHA256 03258ecf731487231cc7eab8f6cb96e92b7ede4cc5b63c3def6ba08e0f16da10
SHA512 a9ec28912bdd2b8b1e1b3fc4d5c76139253ee4ada8f0d562ecd611d7366b0cdc97c379c5ae93c9db69eb045d8834cd0e1e0ba84813ac0071b5a2bf6cea81173e

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\nl.pak

MD5 9229e4ded3219c948747a4dc9a6a5e32
SHA1 9147b2f2ac3837588aa3b71eb4a255d29cab0e74
SHA256 d88b02d74e01b9350d3ac9c48fe08333ca9c68e3e3824d64fae86c5b8b531feb
SHA512 8a81cefd9fa718b18de87555cb2d5c8e87ed14921fd3a0247b47988a1f3896d63b16dbf86fbf103097c73181473c37393c0f4e9e0a07d95d847aebcad526e8e8

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\ms.pak

MD5 578dcc1aef901d00a57f2698a6e15826
SHA1 4dca370c3b22f9f54a62d31166a84848336a8fea
SHA256 e5e77421c5fca5b1eaef96fbf33c345c63119015986163cb43d65075df6265d0
SHA512 073aecedf4132faef7e896e6840bb6297e866a06fd65a7490f0a61179013f27b6592a4fb2be91cb5e139c77f6db7695bf60e5788154e51c9ab7889f6e7040a33

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\mr.pak

MD5 fcaca3a4264563461b42b16d8fde4b02
SHA1 af37d4e73588d4a6d3d52f2dba67414393c9b168
SHA256 362df1aa112a0a521617c0496087b3547a242eb79a5416b8414c5798f31e187d
SHA512 9114dc4e7da2affdcee5c86b1f1f78e47279c31d0f76c8deb1eac545e0268b9592463bbe1a4b433ff4fcab1ad4a596655b775608515bf7455fda550d3bf47b8a

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\ml.pak

MD5 70c0c80fdfc006be0ff502e0e6115b2b
SHA1 43f96be4652ecbd22677b18ffe2260b79bcca19c
SHA256 878e268428ec7aa51105c921740931c545d4ba6a274b367c52675c90741d23bf
SHA512 c463c5d91b3cae6b2c70ef6b7e3758bacecbe76088d813e2632bde7939c1fb28bad3cccf914a14861b8611a490ea74ef2d8d10e7336b203d12cee9904e8f9423

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\lv.pak

MD5 07405dc51eddde72e367737c093c20db
SHA1 c66b8eccf167060c43b3c53631fc0c95b3afe05d
SHA256 dbc860a35ad08e4f502b8784ca1548110d3c7334478f6c392db42f52cb3074f2
SHA512 98f276fc137d6592cdbc1c804dd59983e290409bf7908137627ab114ab485e332f568d28c60a35d1dcb3d9753c2d1740065c654396af5f56f0dd5e1dfcffcf71

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\lt.pak

MD5 93a0a8181e8c251a2375645a552293d6
SHA1 57faf2e9f965a49d5294cf9759b9b50d87c2ad1d
SHA256 f87b2baacdde69b2b24dc7859d47bad0844cf4d275072812aaf4eedb10318450
SHA512 51e1ff74442cfd51fd2fe218755335ed99e4850c8266425b8d55aa0abde2712ab765ff909d6ee620268ade9d7b51a93be659d6a52143da2abf4ec309bbe9f2fc

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\ko.pak

MD5 c21dde26f43530135ef37323b00dc1fd
SHA1 a118e9713b155bd2999f04c3075f2e1bb05bffaa
SHA256 ff88b56be0614232947bfb07e6beb88327a18ebec98cece17caa9b7cd8e6dd24
SHA512 0db144f03992c41c3703719e985183a6ec988265e5a629d09bf683d9b208656d605565d6b5597cead909c814f25ce200739e65b1327172afe10d395a5018206c

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\kn.pak

MD5 a4cce1cfe646eb2c268493603dcb358b
SHA1 aa19ee1cdf8776d07bf35614ff063aed5a798ef8
SHA256 01250aec7310bb59e0e847382325f940ea2cdab00369c1c7efe2f340d01ff806
SHA512 cecb7794a288e879324e74e7522bee61a43072ab58a289b686f1d48d98fe9a0d29a5505b8c891fe411b823c3d8366d6c1cffbcc1deffa6c7d3a04339a769dbc7

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\it.pak

MD5 cfb2ddc4caafd038db00c1e7378d316e
SHA1 2573f32a41735efde916f0a73b415ca689c0dd36
SHA256 9395bf9a547561df6cd20d8e076452369cb72184f215448d1acd802dccf3a47d
SHA512 8a02ca980a8de8af8b179d610ff25557f81f67bfb5a9f82511641ec87b378a2ab7214d5ec681797acba1a865bd726cb9c5f609647ae6ee71a393b7e16fc06f8e

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\id.pak

MD5 260d34aaada70c9d491bfbedcf5ca8d1
SHA1 5fa83a3e53e6aa9eede9fa34a84eb55ee8493314
SHA256 64a8a25717ffae1855114d84b02223ad5b3963c1c6a21c826636146726d0a8a2
SHA512 a19ec6fae22689a8f851c1a782eb748ee9f38dfad89f05291c01a6070b24a8a02fac4bb4a441421f411966e8bc08e996900871d498efa307ac1793191710ebd2

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\hu.pak

MD5 f55e37076460b2e8b5ed0f414618d256
SHA1 b313287de6197f1bf9f9770e3d2c99e70c4d8179
SHA256 61854ab102bc57a7ad7b85a4fa008c3f071306838ba1a0491f68c19153decd49
SHA512 e8121a064a3209878f24c33e9c20c810c56aa15476909de1ce076c80ef635e69a60ac655b7714a116951de5b99bb690827edafddcd5e6b00ee6310807d78ce58

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\hr.pak

MD5 2f7462a076c14f2c2733a41dcc5ecf1b
SHA1 c453dbf62d1cfe85adb64ae374b6a79cff2ef97f
SHA256 6dcc7d5d771475874471b78ee84db0230341f8634f4b38a9cb90c37226d70b00
SHA512 f1df750b779c908547a38b49bae0ed8734fe37cd96d3502186926e6cbd657c248c528cf9944353dfd26695ab384f17f22f0bec251e65a20906da4d67852cc516

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\hi.pak

MD5 6d3ce5a6049eda31ecbc55a9d3abb163
SHA1 100afed265c77a20f6636a0ab48c8a723e30b087
SHA256 8dae029a489f1bd7530650a9cb1be1f03741e1d7018503feb3c78759da8af531
SHA512 3668952ea707da9ee8fd3753c04d5dfbed97685b76dcc75dcf8d6a3699a832c3ff0db9cd40810f6ea9364f2b7aff4b1cd68980c74b59808fcb4900a36d933bba

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\he.pak

MD5 c47322869b458a1cd231f3dc385f80fb
SHA1 4155444dcb69c5b64711139cadb32a6df95ce3ae
SHA256 9e5544340da0e0aa28298e68765716a3960a28e50d86146b5324fd70fd756b41
SHA512 ca4664a9acbdd5896c6a0921e09d99f1a7ce3d7a80338c1a4310ad499a5a2cbb60ca074a02fcff128789da0a4cf82d3869f83836ae3ae3171085e58d6155fb73

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\gu.pak

MD5 ba34657d3f5ebe61b36a807c4a053d72
SHA1 163875c4ef39e3473d9d5aec4b6273f34a90a02d
SHA256 8c762963cca8eef2cbd39bd7bcd8b809f3b57a75353e687743894add9c19440f
SHA512 cb1c4adc59c3e99f819645ae84e3e6b601b340e05ae2182c0b1568bbbcd3eabf7bf09ef34e5d0757530997d0734dc52dd744b8b0edbb3702a3c06e29ba7f0c4e

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\fr.pak

MD5 6708a286a0529ba7bed9840d53035be8
SHA1 af289ed518d9d90c75b69a870615e3f475c5d0e4
SHA256 7169684ff44f342b98648839b8963916f7323115dead332c2471baed6264b80e
SHA512 b329798fd85eac1505d0af5cb827ba11a5850eb926be39b414c40b5fdb56432db5f3dbc45237510bd4d1174c1cd62f623c6cc8ab10eb0ca51dea5d5487f0b0fd

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\fil.pak

MD5 89a63085d14b1b80f259e166e6ffe56d
SHA1 d1326c879a6ad203489226f7c5be08c897be71ac
SHA256 00b8cfe6131499a8a67a51dd8560a965a2abb863d52635dd3931df0479c3f5ee
SHA512 ab48fc4bc604648b4cc010a530fbcc5138b9d0a0f09398d2a69b6219799a43a052722c47dba96c9d001b4f6ddd491683c0a871c19ac2abc12843e68f9d4c2cf4

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\fi.pak

MD5 3acdfec7edd4d3eb473f0deb32713c14
SHA1 41fdd4af5f9fa78f4f81d3996ecafd69587f05ef
SHA256 4bf099ac8a76449bf597caf005790f5c02efd533b9a329c5fdc460d38f77607e
SHA512 b167caf1e5ff38b0c80f891715866a7754e9bf3f1479aa1faa3cf3e8ae7fe9b71a87109239750f71855330b6d20704b43e814f188672aa52a5dc6912297f1997

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\fa.pak

MD5 04f629bc5fa6d761f1d7b5dc28a6b97e
SHA1 d80f74a2b6508bae49b8344809062b48dc2b2dc5
SHA256 9b5334e4883a716c5616c859889aacd7b179b30ac65e5657198eb4e877700f81
SHA512 ea412096170ae29b33f3d54f17fb9f2f5a41035df56e2af9596ec7c15422277943c5c651df6b3a232aca4e979946732bec496da03b3e47e0d4629675751a4c67

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\et.pak

MD5 97918bb7b36900705b1a53b7851db6b3
SHA1 f8cca656478c6e15baa8f344dda2704087f54776
SHA256 8021814965878c4913d1f9f9d226da49cc2a37746d976f3b84aad7fe096fd14f
SHA512 6daa8f56c231cfd7dfc17bb5d5c56afca9490f953f22c92365a1f88e995c3a1705de98a725177001bb449070c860fd1c843ee0a499c6dd8321f2e6f4cf914da9

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\es.pak

MD5 f6f452e9fe45b56b489b2e99c99848d7
SHA1 c64384626ea966d3a24dfd4d6c2f42c1cc082d2f
SHA256 54f85551269c8b5f3985a09d313fdc04c4595e5058163cf147ede049b8faa605
SHA512 f3c50308531f9654ff394cbdfdcc6029c60dc6659fe60e0326b4855a31f3eedc86f3df82a96a9e7691d12c7a69079c4abe2722f599aae29f48b291fb5a39a3a1

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\en-US.pak

MD5 731c45f9f23957acc11b43d775758aaa
SHA1 12e66417a2dc0c5211ed67f026208ef02fcb40af
SHA256 02b97817b6eebd7caeaaff750f6462abc68911c398ddf0571b7900ff9b4ea9a2
SHA512 1a008df585ef76d9cf4459fc3e617b8d4397e7078c77852712fc7cf4f304081bc5195243437e64074016b05a8cd671db93666042e59b959595ba854ceb330a81

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\en-GB.pak

MD5 a44922cb4cd8816b9ce3d018dba9e6a0
SHA1 2ed3a8bd4a11bb89d3699f583372ad7aecc46ddd
SHA256 e0df967ffdf872f0a9589a0d74d68a742fa9b956add7a6736b82aebd9e8f02d3
SHA512 461b04a170c562382f6c1022f881db9f6928a36c962a2e3aeabee62dd4c46e08b59ef33a2d1d26af21dcc47d00b0c51e10b43f14dcd627f84104ab4f31a9e526

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\de.pak

MD5 5a252c49719970b8fb33fbc8ec98971a
SHA1 931834866af36a9e25582a1f631a8cbc965a8e84
SHA256 d5746f48800efbff7db9d1bb8d6e5a5102eb7d79ae136e0485fd427be1ca63a1
SHA512 d4e6ab68d0b1a564b886c8bbe60e7bf67c3f71e6fc70ed5bfbb63a974f72afce62e03559f29f46a424908c256e990ff6cebeab8fddfbd79f6deca997cf7117cd

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\cs.pak

MD5 926b4d7f540ce0b1912e5fb6383dabb7
SHA1 a7adbc83ef38092a90d964d61359a6caa1253090
SHA256 2964edcdcb27b2edf73515615501d8af28ad94b5dd31d2794f2624808c74de38
SHA512 bf6160e46eebf16d6b6f05d330068fa226118457ff03277b59ed4e1a6d2d28b212155cae2f48c34adfa81d20ff71e4206f25052257559f4768323b342dd16278

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\el.pak

MD5 35ba1b364ecfff6486daed2a33cc6431
SHA1 b894b392d400fde4d35bc3b4edc130853cda340b
SHA256 c0434492be64b08f9ad00bc7cff65314822406dfb0c591fea0df6af9b6fc89c5
SHA512 5f5d2cf1d5c8158c62fe310338bfb1c9683ea2f43726c9f02fe6d2c29482e3211fd3d61a30dc0cf738549dc7047dfce0dbac36b9d22dfffb558f118fdbb3d856

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\am.pak

MD5 92ffe73f193d41c5a90303955b2da67f
SHA1 1d4136d8bb752da2834ebf0f4f62de56efefd78f
SHA256 325dd137903fc0d9e5010a62a314d9c6984ff82afbdff2254f7c48bd03dda06a
SHA512 6c4f0aac10276ab84ec4e63ec9ad0e20a1b3ce9d2368ec966cc6471600c3d28df8f9e501b4843bafa5bcf2aab57242559ba430d58853180ea653afbc8f468e67

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\sw.pak

MD5 e2958cf2ab6cc74551c8360e6cc34333
SHA1 806aa1129f228ee48744cfa55d061149b37522b0
SHA256 51482431411be2d89bfc026b9acf9ce1a0fb971376468a47829a15392b47178a
SHA512 1f5f306b7233279800d18fa461f4c94ecad809b2bb7c292fce16abcac2e963f7567a86e43a3c950fc86bc73b4fef8451389fc57ac6750fe7546afad8ae00f589

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\te.pak

MD5 1f20952c1a61fa6e42a7f055de8986ea
SHA1 301ec89ca80695865d884927c4c07c6777fb321e
SHA256 caeba6c853a0ee12a802fb9f610a95c676071414c1d8407d18b05f2fe8ce6bb7
SHA512 c43f5316dff21cd08f86e0d3d7c407449cdc751ff466683dff9a51e3a07bda203e8e22064bf240726e6e389b661d6dc2bf5ed5dc42750539990379e513228d53

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\ur.pak

MD5 305d39b5de5a1935d786da4bfc736dc5
SHA1 8dd952fea4dae937b9f87d229638cd22ca197a8c
SHA256 b551a93a300ab78ee6da5087ea417584c4fd3941fbac99c84c9c58be2c88a7e8
SHA512 d75ef12a56c2dbde5c7a1967297270f7d717a366776f6b2a316784f033c71fcb9d25dabc857398e8459d8ac40aae1bae59e82f551e00e9b96bfbea00a54fcde5

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\uk.pak

MD5 7f8d31b43f7319164bc0f6453bbaf007
SHA1 4be254da0ccb13040489403cc2d8015f448292da
SHA256 e33b1a611feca93d105dee7c867521b5fbf27da38532ea3ca0aec61bec7f6108
SHA512 9569bd24aa5d2f9b0a13784f5f3d98e636f72177c7ff7a14c7d390f1d5f0b39ffab512276f70e4d2df0d37fba94a2c2322a840ba303a4cde33ccb20f7980395f

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\tr.pak

MD5 4727af70df9094888ba46f3a62eff264
SHA1 d2ead301efab607d040c69c238a06d3b4d080717
SHA256 026fc65ed90fe356ce2b5e2b459a4487512d89e48f0ff8b044d6739ef51c1658
SHA512 5bb8dd6ad100581a7e0cb87b57e054ab23551c263144f7ffebf729b2280a1bd95e92eba9c64b80e2f77ce59c3c4315ba2b5253ac83dbb540828e7a59a70e74ac

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\th.pak

MD5 7512a162ea0b65dd9477ac8c190136b9
SHA1 ae5fbce9516882a0d58da9ebee3c767c7ba4c305
SHA256 d01ecd4edecf1809d5c2133366df2502a4621e88d894817e80b913f3a0926fa4
SHA512 425fd803cd3ed9589df5d04bb8ca4b62af0e573301d31c48a1a05bf3b707a0672e1a033965946223e5873a98eb3c9d52bcdcc1296a08cb4971d0b1b6d2e95eb7

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\ta.pak

MD5 474a2016df48f886e91fb9fd331d9bf9
SHA1 2548525143292d7d150f5014b44ef294ba7c4189
SHA256 75638ac7fdb226c0840d5c2edf763bae35afa1f47e89199d9724ff46c003a2c2
SHA512 a4c2c2c046420c77948a0479cbd2be3aa11c1b347eb508d020231eece5cf0c2cba8d4f6a0e9f875dece4a16413157fd9e9f1cf09e1746335eb11e8f8590cd013

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\zh-TW.pak

MD5 337bba163068f2dd7ff107ea929c8473
SHA1 536ec5756f229696dd6f875180778afcee1966fb
SHA256 58753d4313ed7f548df16a9cd9aa1f0e30cebee675a76b8359ed23fc95825574
SHA512 000b98249d7b0e4c7e463bafdf827e3dc5afac447750320d6344c984f4ad41cab5795861920525f03dcaeea5aa3615684101b08bbc103d3ba01065676c8bd64f

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\zh-CN.pak

MD5 156894db535f0fbe193d66c0afb4b112
SHA1 e347caa3c41ea7461c217c029dbca54567fbe27c
SHA256 cc5a411d3bf0ddfba9e5041dfeeaed70265ba949f7b7ccba0170b88e3e14ceb0
SHA512 e81a0968598536e91c17a1998682cb5fff42bd3199c41b64e2d76827c96b187e8f86182843c061735dad2b7cd5e32750e473c1a5f9c82bcc0dcc30f1bdb8b806

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\locales\vi.pak

MD5 593d33203c539d027c5b5bcc13bb38c9
SHA1 2f6288bc43ddf31e49a733af97e3e9e2fb8a2940
SHA256 d435c4c7154c24982185842a09cacd343cea77a5eb7fb859c4d38973cf240a42
SHA512 7c41c74f7220270da242562b93db8db053c0a7b08fdc1864d063706caccbc6926f288ae6bff1de43af656af67fcf2d8ad57f53d791bbc47a3b29a6a0856a68e5

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\resources\app-update.yml

MD5 b0e31c54422860c9390a2e456d8f4624
SHA1 1b73cc7e00cbcae94a3ed921fbd055a393dedc0c
SHA256 897dac554968a2c49044a5e601cfcaf7c24d41599a58c03e91c62bd664b60ecf
SHA512 561cff0a281e073b0b2e3bc139a18b44ee1e2ab147d99ff007d5deae48c0c4c847bee4e14ad2e36abb27f7d9240f95aee7fcc9987246c717ba48666f550cc121

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\resources\app.asar

MD5 04261cff6d42b7dac2b2429df634387e
SHA1 bd26ae0ef0c42a898f7a04a5bd8bcc7291ee11c7
SHA256 e0abebd549f6705666f056ac69cfa9989ffc9ea19eb86a562ac99ccacd8bee45
SHA512 0163f376c24cad9e2f189a60eec22f34ebc2526109fc9574a0c0986177e01179218507cf55e60c39a64d1b410f6e2cd2432b9523f6ac3aff7696106e6f482f13

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsu2A77.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Local State

MD5 b4b30ea8bac5f76203014d9895020349
SHA1 792e449682bf6124b9e24ae7028f8ecc54f8f7d2
SHA256 7eb5585003d78dc545f9b921b35ff5ed31bb5ccd645e5e4fc6d9abcaa85beb37
SHA512 cc877e3df05eb28012297ac4c48e6891c52e26533505fcf7a12f068b69e038d09ee21933d5649cd2ee3220c32e32c18c45e21989cb4325d1d1d424f525e07825

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\data_0

MD5 3e17ffcf8b60db795b3febf7452cccc9
SHA1 a996ca52b1e7d2fa0936f4aa7be4509e1d2c93f4
SHA256 58c21a40e3aa7d9202f867d65d50283db7c9792855563a2ec7b79adfc7434885
SHA512 4011034df1bd7173b0fbd1fdc331a264f2f4fa5f15f235eb1a1693e5fde2870a4213756b9ecc77dd96f616f8cdec2e298c23c54de85db1dec89870b6e9ab2f15

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\GPUCache\data_2

MD5 01189f3b77ad66d99e15254081b27294
SHA1 b6add8d48408408b0ee2d3bf61c7bb4aedcfb745
SHA256 8e0df422f53c06091336443a389e834bdc85a2122bd997315a14484ffb04cb4b
SHA512 1580f2d774f3fc8b1a5e0d2918ca0fc5a84eb22529f10e0d21bfbdc6634cb90467b909f7870a67ecb8d5d06a3784659e3a51e66da959250f5df3f39bbece8502

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\GPUCache\data_1

MD5 da1fdebf5c47f5b50daf358ac779bae1
SHA1 13cc5c39d57878df99f197fcf4e267d9af11aec0
SHA256 258cbbc7d1babdd17b97bceab66b5d0ddd4b1c5c2e7fc2eb88ddca14187aff0a
SHA512 648be09476ec81ed37a068b93379f338a027170f725b67affe21dd6305d33ba3b34a9520d9c896c781c78a10b3909024d51b4cbe807a7385c87119f6cc1513e9

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\GPUCache\data_0

MD5 c093ec76948f95f25622383e6965cb2f
SHA1 ee5a2a480ed789781660e06be608049341fa5fdf
SHA256 841b9cc2137afe496f5ba845b7b0ed3e72416bbc99ff11cf177e110a40c1fb48
SHA512 b868574955df25eead6bdc9424cd709b444af5bd9c0757dffa8e2713a25a61b45c325e7cb2d672dffaf7fcf356c04f193cf9ceb0f1ffacfa0f85850e4c45c9b6

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\GPUCache\index

MD5 5b3a7272797c16270e3e94ff5a4d4799
SHA1 4f977e5da2baacf4eeed9a443debd54207335b97
SHA256 f5f55a457b98a23559b100a9e2f326b2f1ab28a15b28859c1e76cc8121e30e35
SHA512 7a9bc2371f694e52218691da2592ea84392cc3fc04ba6676e52c6e6f2daf9f63c32d96f24f3cf92fe8ad8988601bdedde6ceee20cefd1e42dec88271488bf7aa

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Code Cache\wasm\index-dir\the-real-index

MD5 a6af06189621ab461d8488a8ea4df9c0
SHA1 6feab72b1a09b949b64bd936fdf6caee19f2ec49
SHA256 3719aceaf036e347263a7e66f65587816d8015d0ccf6f96148ecc42122180ecb
SHA512 40e216ddf10c884a48408adb8d7de407d8112d22de654dadc7ad954ac1fe994d95d72c96a3ed6c707f95d2470b74271645979f8c02367eb62bc167818bf664ee

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Trust Tokens-journal

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Trust Tokens

MD5 7289d4bdfbd73ed571278f95cb4c1939
SHA1 7c911f54243d9777a34666f4526a49c7e7aea244
SHA256 2d4ccf8ac8ae4f5c6ec8e0566210ff56585b6ba0290501a1a11ed9b23bfc226e
SHA512 6e7d48e18b0317449807c4ac2c377b3cccf5bd6121077d51152d7e188ba1ea3cf62372b7611036938986dd0c84465dbd747fe8580e3a699f8470229a6d57a749

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\TransportSecurity

MD5 91bc186990d89116587039ef2c7266ce
SHA1 8e7bd27810e0f742fd0f0ca8977e37ec85afb42f
SHA256 0459c0abffcdafa1d9db7c5e6483948a6b6ba40039ae37e8ca33ad773fb8b02f
SHA512 28bd6d7c73c7f01cbf1f332c3ac0d6ec4cb499fcc6dd0cba225fb071f193db7f71a0e7b791150d23d0d9a7fe7003c9075826f4ede7214fb4026ac9325d11368a

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Cookies

MD5 a603e09d617fea7517059b4924b1df93
SHA1 31d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256 ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512 eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Shared Dictionary\db

MD5 71ccdda9f3186c8e729bb559f93bb992
SHA1 3712c11bb21b8e2a74bb879d47b2819ed1ac14a8
SHA256 79b107307408e5ad9a145c87533316174fd13f4ad943497d079522fbe325b3b1
SHA512 19f8134fcd1211964111b07884b52878b1649644b6ec623bb586df1a9b7dabc7f8c8a755d2a52c908b563bdd968135f4f703cc35103696e40d0ab0020c8dc4bd

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Shared Dictionary\cache\index-dir\the-real-index

MD5 587fb4033d4673373cf13b4bd328c110
SHA1 b96df35232aca08318264b109b545ec0b8944040
SHA256 1912d6dc4a5c8d0d77f7e60018898249a2846d039ad5aafbb27522f9cff3495d
SHA512 8fff3eb5469e5e3a582313e10463743756635a0042f85b8cd6202e66cb994838d1d7e56a8dc7f6b302c962c02225111044ccdbc99433085f62ba10a4208c8288

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\index

MD5 9bc5cf09c33a0a98af32d5d9ad29ded5
SHA1 0f6a66516347b844141e6de2fbcc8045dec06a97
SHA256 d01c82442f3b4c9c015897e0eb3fe60555c24e2342eb9ea4b43446b50b8b2c3b
SHA512 0351f12e5a5c165b1bef97665642839bf0576af94724f570457ff943ee485de2605a1ca24a58c20fb5d4f7962bd25878ab54f67bd81949119bd791083a0ee2bc

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\f_000001

MD5 057478083c1d55ea0c2182b24f6dd72f
SHA1 caf557cd276a76992084efc4c8857b66791a6b7f
SHA256 bb2f90081933c0f2475883ca2c5cfee94e96d7314a09433fffc42e37f4cffd3b
SHA512 98ff4416db333e5a5a8f8f299c393dd1a50f574a2c1c601a0724a8ea7fb652f6ec0ba2267390327185ebea55f5c5049ab486d88b4c5fc1585a6a975238507a15

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\data_3

MD5 66d35ef0a1eb78db0d6e78ee985d2bfc
SHA1 c0d0a233ac892e7cd78bf1bb4f552c5f285b0865
SHA256 3a4c342810a8e452f3a87b693703d3e3a9ae5cbb6b5ff145da63348f3dc5bb33
SHA512 0cf2bbd57d0968fe2bc281773ea313e8255d02ae073ad756e603097c8edb78ae53d95c448714a5ac0f335826cec717005b7a805b8fd4bbe9f8c0ab750fce40c9

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\data_2

MD5 edce17b214a468bfaae4cd2b973127fd
SHA1 c07b97de606cec66d24157dc4d31ce548ad8075d
SHA256 761dc2ff369ef4af024dcb7aec69eb65de2f33a15256188d2c017072d41de04c
SHA512 3d417324483d01c179b3cf27cb2d0e94b5a24ce996f6e42ffc871b27f5416ff66e5b91595f3f45c97ee4519376d6e7ded9d030b493ce00dbce8518d6001ce96f

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\data_1

MD5 5edfab70e135767f18dbc97bc610fd4a
SHA1 deef042f7fa83b3aba8ca949ba7a02417efb6d98
SHA256 ff48167baabe94bf251f06f9863592a3cd9b44d71d0a68c1ec63eb4bf2aa9514
SHA512 46ab0d1cccded523a2e887e6f368c8c577910aa6a3699f8e02c912931d8bc882dfaf7cc5c39531cd592e2d0906bbfb0bf90467fd24e74cbdbbe3209609fd96f5

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Local Storage\leveldb\LOG

MD5 dcd6d1c18af2ddeae0cb0e2cffd20483
SHA1 f862f135c648c8209c28cfb84f057dbf07854c4e
SHA256 d039793ea8c7d2fb1668384c316a7f143b9e5748288e00aea47a615641d9cc16
SHA512 9cac804fbb098e3a19354163c65fdf1c889cd82170486a46dfad41d62b7c031c7a2eadea889b0c66e93068dedc271681607b775b3f8aca886ea3ee05ae05c2cf

memory/1416-1168-0x00007FFCE6BF0000-0x00007FFCE6BF1000-memory.dmp

memory/1416-1167-0x00007FFCE6BE0000-0x00007FFCE6BE1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\TransportSecurity

MD5 366d63c4a3f81728a5a83dc9c967b37d
SHA1 5a2cea995d17ccb217b509b20b87489ef53b24f2
SHA256 f0e058fee2e89cc34166e991904a5cd65ce5c00db04326d180ce45339f1a2c18
SHA512 9768c31795c615ce9a67e8d5ecb920ea4ff1ed2461be36cd774cd15bdf03e22c4f9654c386d8c5c3f52e36eb2de47098f0a6c96c05f4ca1ce78db19006d94b90

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Code Cache\js\index-dir\the-real-index

MD5 dfd94d70d371ce41ab610b44283cc335
SHA1 6e82e7e0f36c3ed574c494634088bfad4a46bc4a
SHA256 022c3e57e628835fdc586a8fb0ba80f8f156360e8cda0e1d3e27978ecf10bab8
SHA512 3f562a4a0dde7063b7b7886af080cf516fefaf987137318f27c99f1df8ad0317ae755feabff7668958b1d05bf7539251f7b4e27d7882a7f949884cf993c88fbe

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

MD5 e9446f934b1383870f40f729b0f05e1b
SHA1 1909d4e408f917225ed7e31e7f17f52414f8bd9f
SHA256 551f6e01ba980f3733f15234bb4ca1271ead1b695faa48825388df3051b3038f
SHA512 39f1d8a5c7895936c48bc42f51a07d10e780e1486f7e14569aa0889bb21e13be9e45e697a910ec1f0bd39157b1e7dcd15e1ba45f50dd2c967d080b5488645e05

Analysis: behavioral23

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3992 wrote to memory of 4224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3992 wrote to memory of 4224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3992 wrote to memory of 4224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240903-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 220

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240708-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 224

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240708-en

Max time kernel

134s

Max time network

132s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb00000000000200000000001066000000010000200000007bddbc8a61563bf6417c3dae051da53936dae21d516b9352e41f202fa580274d000000000e8000000002000020000000070efb126c6558cd53a1cc738fed716bf5084ccda26de725c2a5fa49a3d38fd120000000a0d5fafed2562e19e33134962c45d23a0f1c396e94124408226022fafe677c2f40000000540e0c16327514368107731862734115b3eef8faace549f8f928c5099a33b7f3d9756f32969fc4a353e443f5ef9cf9600bb96d836f0f0f0bf99290fde4b62339 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 708ac3c1030edb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433290559" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ED013611-79F6-11EF-9AE5-CA26F3F7E98A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb000000000002000000000010660000000100002000000085c17e47678a970cdddba3f055df5d21b854278445f0763f33fc5ca3ea2d8c73000000000e8000000002000020000000829495193b9512ce5f7b80a8865e341f1dac641eedb4748e6e96de0e658faff490000000f7854e4d39f6ea94da10230e016a7c7f49ae41c1ce5804dce1f566e85960c12d804f0ce971ab734a46bb5ceed9b99d80db94a149a69f411c428797e25f8c303dfcbe7116c5fe204b2dd6a5a07d7b6b6b239ae35b5402d59c5b00311b12c925a6c886f98b9731cd992104ef88ebbb200b175a61aba06e9a1d3dd3a772ed3e18516bdecfa90c91494c41c9615eb680795940000000a8b901d6da9457cf38a6a713479ee4ea3e7801021d904d86da57a66e25e5342c7bc3941d6cdeb5f2dea2f047a9014aeb83fe1048b42b5ec7490bc649f9a3db8a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1736 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabE1D8.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarE288.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ad04744158493fc8b2618c678c7b72b
SHA1 d9d9611fd8fa6b7031b5063f142f1d0ff75cabd8
SHA256 9a953b1dc934cdd0b80a2f99a13157afcde666b93d3a0af74df1c09c4d7b31cc
SHA512 b2b4880bd436d7529bba55ed6a4e1e212579d09b4140f929b79b7b6aeb079ee7b6efaac49459b96d2e30141abef42d83c6db13f91e2ea3ac7f0d32b972653a19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c85ef349840813137d87afa94a36d5b1
SHA1 1b73ca06401c0991db630ee48b037048d5d3a1a0
SHA256 17e80f76c8b9b1abc739da5c2f6e2d0a5db5a02a4c54c0ec06c821d5bfffeaa1
SHA512 8fcbae41e3f16ee79463ced5fd37cc0f255288f725b3cb326829de1cd4d854c6d187548363637fc19c7bec7c6540fba175fe1b4c380c58b1b1afd4fe653f6fc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0adba09c972f439890a0707c3656d81
SHA1 5c8bfa40e10dbafd68a7f062a8319a4f9dc278f6
SHA256 4f625d1c04b518e648a39a5618b153ac46d5d01fc8d9979499801715e1d716de
SHA512 8acba4433aed2b7e8f1339bed6bdb4e97ade01606c41547468e3e1c171d453769fd9a8f7cae33a09da73609b9e3af2eb347fb3a21266e874923a8b5dc79f5285

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c2731a2d3f5586ed52951e07e7e13ec
SHA1 65026998a850150b52fc407004f60d863310535f
SHA256 4c6a2bb11073e5250f5467a11a603a87bc7c397e86d82da0e55c38529db910b7
SHA512 f6d40bb4e4708308f36e52214dfd723979fd998b98f539f3acfad3a8df718562bc513564a1fa1295875511c9c1cf09612c9c8ae4b954fc735bdf737576330f6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41b611e8d712e168d007af8b0dd4857a
SHA1 9c905885a81441511adbdfa9f5ecedd4c3fad10e
SHA256 e59f579d0cbe6794b1fd546a879446a41dcfe4e0a4deac2ca647bb9924e31e73
SHA512 6c335f9301d43c06c8c57e34d0773d49299aff721f8cc9b59bc6a9a981d00a9a4700a77e99bc51522345c6bcdc07821aea21933b75f1a12b270ceaf407c7e003

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 377574537708d4bed8efff3082be1a35
SHA1 0412d35e84ca9a50d84032a68c9fb3042d17547a
SHA256 5a35f06bfd40e2fe4f41f91e67d70d3d6d598cf25dc52073fc4f1f4bb645aaf9
SHA512 6936e12bfa7cbe30c93b6e31beba644f52fee459a3c02b348f44064c8888ce00c61e179a4d8e30c32660455c4ebc1a8c05783136369f8a7a74d4569bf58d89b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0c2e7c3d4db0738ea5a81e9c89572f7
SHA1 3993b629e635e23f637a57e2e95e30916e06d288
SHA256 e4fc6e3256671ca5b7d9bd92c94760d9eba59ab5740dfc8ce6c0fded7088d1ec
SHA512 84e5f61d99ad0f3a92fd2de419ffac8e73aa29cb29597be727cf4ca131cc0baa6fcc98aafd2684fcb04a26e4b196bb6ebe60fe4c626e3c62556aab25b44ee1a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2260bc6e7c2175de80bcd5708ef3ec2e
SHA1 47e5cea1153e58905280adee7bdb2ca683de0411
SHA256 267234d9f374f51cc3d79098d4805805180a81a13549ed7b0f025d093ddd1e25
SHA512 28edec7352ab29f50a309f6477d00805243b37fe96fac6f85171223f75ed4d549f7079e7d130653073df110d2113d8411c6eb31c856f220f720ae2b538845cc7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1846db89c470690dc8317a01b1858c7
SHA1 b896119b281ba06c272dd287427c1ff819c6b378
SHA256 1a55f525a0977ed6a45f85ab5b6b31928fd1b053e73d95dacd050c4773f0c47c
SHA512 b4e05dd1a1a3d195eccbcdd7d7517bad73ed6bd7c554776e222888e0d202aab8ab380b8d7fc290175b84421711396866960cf8de86679253a2b1d591fb4fc08b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef2e9e53f88417dc2b84d09f6dd32928
SHA1 71869ab18bfa4f789e5573a62e57326780ecfeee
SHA256 52922f96153345b9ad62c30c3faa4375d75b3c6b0065089177f2b873a144e0d9
SHA512 c3499ad0fea1cdb22f5e4e59692ab13275b192817856709c2dc65493107be2f3f47124953b8b9a9b9e1411cfab68182249b131f9aeb996f0d3d59b971bff79b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2374156545beb4898c7df5ca4f6073c7
SHA1 403a2028a2048ecf422e42ab03eecd56926ea8fc
SHA256 a166a2178b45086a5714d31a7d79691fc2bbf8e04ef029d2ab94669637b7ec2d
SHA512 06f96ee75bb34a3efa1412b3ee305d75a06f8ba98f8d4194fd555717f8ccfa25e6036dce3d2728b04ed9f5f3f98a1e0a499c67014c840e310a2764f10724ad88

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 109c9902143d5eacd0f544a31cc91f03
SHA1 4b18fb2a02b89027fbb22acf46fa4b7766f40b85
SHA256 ae27bb5dd907a8b2c5242c0b129984f5a99a71706a848b9f9ece2356e6a21825
SHA512 7162918f9c45a12dfecfecc40341687f1f6917c7b29bba6cc5ed590a27b0bbffeac69a6deb8f51e7fc522a17b01b0e73b2867f1f9b8e8bf52b8c8ea94f828c95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6305c8de8cc1ea9c43c6b88d3241706f
SHA1 1edac1f6bcf061d56404e0c2aa2d209f4b3e2a1f
SHA256 f7f8987fe8f71ede1de3ca1a071bc3f530726c0d9277adfbd750fcfb403bca2f
SHA512 6c9a12f175bcb6658fd6a4ce50524dff46a4925287cc4ed97838109c04637e76a9b63de28009536ed6c1ed23bc34c89d4764b8c6d56fe112d6c2ff14a5458390

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d1137e6e86fe6b9dbf0177c6da4641b
SHA1 b60b5071f252609ff587c3f71a769eb7f8beb23d
SHA256 735d66d97d11cf9aa1dc2f171c5aea1817a3130ca71446db76897dcbd6a82c1e
SHA512 daa9dcdf01fdead2b7da3596ce43971d2b77dd13615ad5a46aea5c5cdd5a76dfd9216ff57303f918248dae2e26ae745554ec450cd96b4a4d042005ebde99437b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f01828596d61ee128b6da33af1cd17d
SHA1 1b287f0ed8389d12abb4e9673255527907595230
SHA256 18190cd09704e9ce3a53dd0a02972a9908ff04acc3ac024938f50bc9c61c0ce1
SHA512 8c7492fa4362031b3f3fbefc93793692d0fda21b7730fd25e281237e9d504a0053231bedcbc9fb982974194ec1a0f5e11400de9d03b18e08899a65ba24cea182

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 55128f87279c445c550aff00374af991
SHA1 65ffdc1f27e259227750b04fcb1f489bbdb1c82b
SHA256 3e1858634f9a07d1e7943b1f85184bfd2c9694960bec8e950227bdbb612d0fc7
SHA512 3e3146f0f6c21d66f449ad686b3cf38bcd0fc5367347dac874f44aade12816e71e8ad9de5c1b737fb283a3a6ddf31fa70464f0652e4205b186953db0e7bf8692

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 907150c8ba52b6d59a7fc617a5b34489
SHA1 c0fb61b59f4ddf5142aadeb2177ea7afba25b3e3
SHA256 59a850a68f189c8fc377653f554c278364f468be239b4f532c81083a0270cf5e
SHA512 f687567b32b1cf025aedf76de7ece014e42d5a176f6741a13f4733482b6966b85485f741b2f2b504fd5f73ca4a21282547dbb1ccac4f2526c16f3265e3de95d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cf7ba34f017c5398dd01d1b778db0475
SHA1 bc40c6fba42182c9099207181e3792b1b287c4fd
SHA256 91f32d8bd3ee1ca6a76fc60dbc790e69d2cc67e7e20fbbe8a93032c620a7791c
SHA512 ef600e6e142572e5ef9d5ecd56afb19142741b3689ca53934f8c162a84acdeb1f3ba717f1e55bfd0f001bcc61b93433528f32a8419b2bcdded5b1266f59dab94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1bb0024072522b24ff158e355620cf6
SHA1 b624fbf66712fd75a3b3c2734fd6e78c61df0fee
SHA256 8cd93d5f0492fc24aa08433e3e4178ef1eb2b309177bbc72b020e8f1748cf25a
SHA512 e682fb6c772c5b679c553e7b11449c7213c0f76190bc74d9f99873d9b46742ca94c7cc53c3cd0e7050eae94bef0bc5953981f9dbb8b87c3213b3c37786a88630

Analysis: behavioral9

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240903-en

Max time kernel

9s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240903-en

Max time kernel

117s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-09-23 21:54

Reported

2024-09-23 22:00

Platform

win7-20240903-en

Max time kernel

117s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 220

Network

N/A

Files

N/A