Malware Analysis Report

2025-01-02 13:36

Sample ID 241127-wjxmtsznfr
Target 0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e
SHA256 0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e
Tags
remcos document discovery execution persistence rat hawkeye collection credential_access keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e

Threat Level: Known bad

The file 0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e was found to be: Known bad.

Malicious Activity Summary

Remcos

Hawkeye family

Remcos family

HawkEye

Detected Nirsoft tools

NirSoft WebBrowserPassView

NirSoft MailPassView

Uses browser remote debugging

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-27 17:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 17:57

Reported

2024-11-27 18:00

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\"" C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
PID 2260 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2260 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2260 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2260 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2260 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2260 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2260 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2656 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2656 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2656 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2656 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2656 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe

"C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe"

C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe

"C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

Network

N/A

Files

memory/2024-0-0x000000007429E000-0x000000007429F000-memory.dmp

memory/2024-1-0x0000000001120000-0x0000000001220000-memory.dmp

memory/2024-2-0x0000000074290000-0x000000007497E000-memory.dmp

memory/2024-3-0x0000000000210000-0x0000000000222000-memory.dmp

memory/2024-4-0x000000007429E000-0x000000007429F000-memory.dmp

memory/2024-5-0x0000000074290000-0x000000007497E000-memory.dmp

memory/2024-6-0x0000000004F20000-0x0000000004FE2000-memory.dmp

memory/2260-16-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2260-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2260-22-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2260-24-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2260-14-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2260-12-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2260-11-0x0000000000400000-0x000000000047F000-memory.dmp

\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

MD5 1e3d5cf8e89402325bca1e6a1329f7c7
SHA1 bc31f499894600db104ca347f9e9bbcb6a66c539
SHA256 0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e
SHA512 8a6297f965cd6228e6b63fb3c4c2cd88db6488d8459a94e6f20706454c4af4fab793abe850fe16d1b18149bef0d54240fcd4e1c25c6a42fb8ba36494a598cdbc

memory/2260-9-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2260-20-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2260-7-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2260-30-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2024-29-0x0000000074290000-0x000000007497E000-memory.dmp

memory/2656-35-0x0000000000320000-0x0000000000420000-memory.dmp

memory/2656-36-0x0000000000430000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 f0d27b882dd6e1c9388b5c6f828bfe0c
SHA1 ceb56b27b6ccc3525007266e9042b9bc8b99beb8
SHA256 45629ca452a66a9c50740197ad12c3cf33d1b830d9d521df38d3e2e65dde605a
SHA512 0c032e42a11b2ceeee5eea9e67dd15cd582519ce6706804c71a240a513c6f1edb202b224c3035520c66bb0a3a2ef229966214bac31023b9c459fde9f63f2f260

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 17:57

Reported

2024-11-27 18:00

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Hawkeye family

hawkeye

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\"" C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\"" C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF C:\Windows\SysWOW64\dxdiag.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dxdiag.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\SysWOW64\dxdiag.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\SysWOW64\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\SysWOW64\dxdiag.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\SysWOW64\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\dxdiag.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{F7A01854-C047-4FD6-90CC-BE0676B4370C} C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{1EEDB7B9-4AFC-418C-920A-CD6B05CF8852} C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4884 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4884 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
PID 4884 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
PID 4884 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
PID 2120 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4168 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4168 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4168 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4168 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 3188 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3188 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 3188 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 3188 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1188 wrote to memory of 4748 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3188 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1188 wrote to memory of 1040 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe

"C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe"

C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe

"C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe"

C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe

"C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe"

C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe

"C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\ojkchfcrfholijuascxcz"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\qdpvaxnstpgqsxqejmkecbxv"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\qdpvaxnstpgqsxqejmkecbxv"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc4f1bcc40,0x7ffc4f1bcc4c,0x7ffc4f1bcc58

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\bfvnbqymhxyvudeqtxexnnsmkrmh"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,9186735364933219260,5075835901409249871,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,9186735364933219260,5075835901409249871,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,9186735364933219260,5075835901409249871,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2268 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,9186735364933219260,5075835901409249871,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,9186735364933219260,5075835901409249871,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,9186735364933219260,5075835901409249871,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:1

C:\Windows\SysWOW64\dxdiag.exe

"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc4f0746f8,0x7ffc4f074708,0x7ffc4f074718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,3237396218190211687,12823806286449883448,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,3237396218190211687,12823806286449883448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,3237396218190211687,12823806286449883448,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2224,3237396218190211687,12823806286449883448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2224,3237396218190211687,12823806286449883448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2224,3237396218190211687,12823806286449883448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2224,3237396218190211687,12823806286449883448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\rjecbqp"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\udjvbianwc"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\efwfublgskpuq"

Network

Files
