Malware Analysis Report

2025-01-02 13:36

Sample ID 241202-lj59vsvpem
Target a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3
SHA256 a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3
Tags
hawkeye remcos document collection credential_access discovery execution keylogger persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3

Threat Level: Known bad

The file a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3 was found to be: Known bad.

Malicious Activity Summary

hawkeye remcos document collection credential_access discovery execution keylogger persistence rat spyware stealer trojan

Remcos

Hawkeye family

HawkEye

Remcos family

Detected Nirsoft tools

NirSoft WebBrowserPassView

NirSoft MailPassView

Uses browser remote debugging

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook accounts

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-02 09:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-02 09:34

Reported

2024-12-02 09:37

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Hawkeye family

hawkeye

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\"" C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\"" C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\SysWOW64\dxdiag.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dxdiag.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Windows\SysWOW64\dxdiag.exe N/A
N/A N/A C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\dxdiag.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\dxdiag.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\dxdiag.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\dxdiag.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\dxdiag.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\dxdiag.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1580 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 1580 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 1580 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 1580 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 1580 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 1580 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 1580 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 1580 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 1580 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 1580 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 1580 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 2900 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2900 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2900 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2900 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2900 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2900 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2900 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2712 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2712 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2712 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2712 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2712 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2712 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2712 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2712 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2712 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2712 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2712 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2712 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2712 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2712 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2348 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2348 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2348 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2348 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 2180 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 2180 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 2180 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1876 wrote to memory of 280 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe

"C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe

"C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef8069758,0x7fef8069768,0x7fef8069778

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1308,i,16881072598572507852,4190677369836728942,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1320 --field-trial-handle=1308,i,16881072598572507852,4190677369836728942,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1520 --field-trial-handle=1308,i,16881072598572507852,4190677369836728942,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2036 --field-trial-handle=1308,i,16881072598572507852,4190677369836728942,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2044 --field-trial-handle=1308,i,16881072598572507852,4190677369836728942,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\hrxdntzkngcyvjfhqumtpf"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\rlcvolklboulfpblhfyvsrhmk"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\cfhgpevfxwmqhdppqqlwdwbdtuwe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1460 --field-trial-handle=1308,i,16881072598572507852,4190677369836728942,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1944 --field-trial-handle=1308,i,16881072598572507852,4190677369836728942,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3260 --field-trial-handle=1308,i,16881072598572507852,4190677369836728942,131072 /prefetch:8

C:\Windows\SysWOW64\dxdiag.exe

"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x510

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\khfwabmdnumpzvvdrl.vbs"

Network

Country  Destination          Domain                          Proto
DE       45.138.48.25:3333                                    tcp
DE       45.138.48.25:3333                                    tcp
DE       45.138.48.25:3333                                    tcp
DE       45.138.48.25:3333                                    tcp
US       8.8.8.8:53           geoplugin.net                   udp
NL       178.237.33.50:80     geoplugin.net                   tcp
US       8.8.8.8:53           www.google.com                  udp
US       8.8.8.8:53           clients2.google.com             udp
GB       172.217.16.228:443   www.google.com                  tcp
GB       172.217.16.228:443   www.google.com                  tcp
GB       172.217.16.228:443   www.google.com                  tcp
GB       142.250.178.14:443   clients2.google.com             tcp
US       8.8.8.8:53           clients2.googleusercontent.com  udp
GB       172.217.16.228:443   www.google.com                  udp
GB       216.58.201.97:443    clients2.googleusercontent.com  tcp
N/A      127.0.0.1:9222                                       tcp
N/A      127.0.0.1:9222                                       tcp
N/A      127.0.0.1:9222                                       tcp
DE       45.138.48.25:3333                                    tcp
DE       45.138.48.25:3333                                    tcp
DE       45.138.48.25:3333                                    tcp
US       8.8.8.8:53           crl.microsoft.com               udp
GB       2.18.190.71:80       crl.microsoft.com               tcp
DE       45.138.48.25:3333                                    tcp
DE       45.138.48.25:3333                                    tcp
US       8.8.8.8:53           crl.microsoft.com               udp
GB       2.18.190.80:80       crl.microsoft.com               tcp
US       8.8.8.8:53           www.microsoft.com               udp
US       23.192.22.93:80      www.microsoft.com               tcp

Files

memory/1580-0-0x000000007457E000-0x000000007457F000-memory.dmp

memory/1580-1-0x0000000000080000-0x0000000000174000-memory.dmp

memory/1580-2-0x0000000074570000-0x0000000074C5E000-memory.dmp

memory/1580-3-0x0000000001FB0000-0x0000000001FC8000-memory.dmp

memory/1580-4-0x000000007457E000-0x000000007457F000-memory.dmp

memory/1580-5-0x0000000074570000-0x0000000074C5E000-memory.dmp

memory/1580-6-0x0000000004EF0000-0x0000000004FB2000-memory.dmp

memory/2900-7-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2900-21-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2900-23-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2900-19-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2900-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2900-16-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2900-15-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2900-13-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2712-32-0x0000000000AB0000-0x0000000000BA4000-memory.dmp

memory/2900-31-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

MD5 b31e94b9aa3fc572228587333b83ebfe
SHA1 59996644977220b310542daa6163115505aa8c59
SHA256 a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3
SHA512 7d5a8f844d0e048af811c26d3e13ecaa674206da041378181d482e6e673da739f7facd98eba545a0ddf73953d57010e678515010e5a96adc00c5858d80c1b6bb

memory/1580-24-0x0000000074570000-0x0000000074C5E000-memory.dmp

memory/2900-11-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2900-9-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2712-35-0x0000000004DE0000-0x0000000004EA2000-memory.dmp

memory/2348-57-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2348-56-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2348-53-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2348-52-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2348-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2348-58-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2348-60-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2348-61-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 9ec41ab670a9e1a9b20aca4ca2cd4ed6
SHA1 e1674b2fbc10ee60da52e0782e433cbd8c61e7b3
SHA256 b0dcbd5476a5535e5981640499d452185f7d51dd6af73dd0b5c381f43e1dfc44
SHA512 b0c947e6229bfeae7e29fec8795ed20eff13b9c323560070787cc3736b8a5250341d8c95fa4339f1982d04e93b053bf9990d8e3f9cc3db2e686572f043b63d28

memory/2348-66-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2348-67-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2348-68-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2348-71-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2348-76-0x0000000010000000-0x0000000010034000-memory.dmp

memory/2348-75-0x0000000010000000-0x0000000010034000-memory.dmp

memory/2348-72-0x0000000010000000-0x0000000010034000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 14a1885a8bfb7a0afca530da5716376c
SHA1 046bb8c63b0cad5f70ed8ab57f616a0dcfaec87b
SHA256 c2f4e84976095d4df77cee5bd00ee6c203e42c449a1cd357629eabb330a93e1d
SHA512 ce2166a46080c5519b2bb38cf348db282ae3fc12b6d1139bd1b552ab3d7b6942ff825895569e35cd61e2ab1667b8e532ade9e808fb23568ebee9aa313590b6d0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 d94884d4e4f9637e90657e6f11e2a499
SHA1 6df0bd8982ec13d265a2eeb9bb6ec9da72fc05df
SHA256 1ef132b11bfb6377d2dc614646938a126cafc1eb4fc3e1b5a2895566e61e79dc
SHA512 8e8db0ac1f3196b95c7766dfdf52bbf02689fafe66f005a367a331cd167d5824fb37fb73cbf2107e9772b023d4757200ced65924816e811065851ea0646246cb

\??\pipe\crashpad_1876_VCEZWSGEHXHPIACW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000001.dbtmp

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

memory/2584-192-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2944-191-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2584-190-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2584-188-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2584-187-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2944-199-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2664-195-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

memory/2664-197-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2944-184-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2664-198-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\ShaderCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\ShaderCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Temp\TmpUserData\ShaderCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\ShaderCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

memory/2348-270-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2348-271-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hrxdntzkngcyvjfhqumtpf

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 c8a4fa7a63285fa5747ad2dfbe3755cf
SHA1 6c60a22e8f67e95027a73218af3a86fd9bb10136
SHA256 ed4e124878ce67092b45ecd648746acfb23c5bfef380fc19a12acc0eccfc2167
SHA512 731152cd25cfc75804ce99999e58520505cec8c5a1969e44b95affb3fb6f8535a3083201e5b0390815495d94f9a68b77305f6e5cea44e8700b0909b849929a0b

memory/2348-288-0x0000000000490000-0x00000000004A9000-memory.dmp

memory/1244-302-0x0000000000320000-0x000000000032A000-memory.dmp

memory/1244-301-0x0000000000320000-0x000000000032A000-memory.dmp

memory/1244-316-0x00000000004C0000-0x00000000004CA000-memory.dmp

memory/1244-315-0x00000000004C0000-0x00000000004CA000-memory.dmp

memory/1244-317-0x0000000000A10000-0x0000000000A6C000-memory.dmp

memory/1244-318-0x0000000000A10000-0x0000000000A6C000-memory.dmp

memory/1244-320-0x0000000000A10000-0x0000000000A6C000-memory.dmp

memory/1244-319-0x0000000000A10000-0x0000000000A6C000-memory.dmp

memory/1244-324-0x0000000000320000-0x000000000032A000-memory.dmp

memory/1244-326-0x0000000000550000-0x000000000057A000-memory.dmp

memory/1244-327-0x0000000000550000-0x000000000057A000-memory.dmp

memory/1244-325-0x0000000000320000-0x000000000032A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

MD5 f2bd96ca85ca70fae2c9834895e0548d
SHA1 42371bb36058435441002a8b5dea2962f97865e3
SHA256 ab78d3c12ef69943accf9b1e5e1df683763896f3aa763497460c143141a1ba84
SHA512 21b80af5536a22ab9a1ba78f3ebbf978cc58607e3d2b5427fb1b693a94b010db020720bf6ba7e7c2eddec8a590b36e7b239329095c372137f371b3d295c08448

C:\Users\Admin\AppData\Local\Temp\khfwabmdnumpzvvdrl.vbs

MD5 74399a9b0a4d00953173e483cef18815
SHA1 0cba8e841f70a6a4e7797ff2403121bb25c26612
SHA256 6d92b2898cba9b5ccb696b657435483b9bb49f4f375454e761d2c7c8cc32bbca
SHA512 6031454fc82293295fee54f4a46d250d4d63900a78487f49b83d7a6467d259547a1659741c217d63076b71fd837256e61dc24acfd7104426ce316b962c2d971d

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-02 09:34

Reported

2024-12-02 09:37

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\"" C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\"" C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 976 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 976 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 976 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 976 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 976 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 976 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 976 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 976 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 976 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 976 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 976 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 976 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 976 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 1744 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1744 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1744 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 208 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 208 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 208 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 208 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 208 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 208 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 208 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 208 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 208 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 208 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 208 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 208 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 208 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2408 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2408 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 2292 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 2292 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2408 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2408 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2408 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2408 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2408 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2408 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2408 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2408 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2408 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2408 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2408 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2408 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4664 wrote to memory of 808 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe

"C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe

"C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc9dd4cc40,0x7ffc9dd4cc4c,0x7ffc9dd4cc58

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\lnbdbmpvbyljkkrxfhqtgmaaeojpwqu"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\ohhw"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\ykmovxk"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,11653956063761059485,4245738423525053549,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,11653956063761059485,4245738423525053549,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,11653956063761059485,4245738423525053549,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2428 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,11653956063761059485,4245738423525053549,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,11653956063761059485,4245738423525053549,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4556,i,11653956063761059485,4245738423525053549,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc9dc046f8,0x7ffc9dc04708,0x7ffc9dc04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,10558928499524424745,3858619233055396504,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,10558928499524424745,3858619233055396504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,10558928499524424745,3858619233055396504,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,10558928499524424745,3858619233055396504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,10558928499524424745,3858619233055396504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,10558928499524424745,3858619233055396504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,10558928499524424745,3858619233055396504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mciaqya.vbs"
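
Triage script for the process list above. This is an added example written for this page; it is neither the sandbox's own signature logic nor code from the sample. It reads image and command-line pairs in the form the table prints them and flags the three behaviours this detonation shows: the Defender exclusion added through Add-MpPreference, the browsers started off-screen with --remote-debugging-port=9222 on a profile under %TEMP%, and the /stext credential dump executed from the malware's own WinUpdate.exe image, which fits the report's NirSoft and SetThreadContext signatures (a NirSoft tool run inside a hollowed copy of the dropper rather than from its own binary). The regular expressions, the NIRSOFT_IMAGES set and the finding names are the editor's assumptions; the command lines in PROCESSES are copied from the table, with the long Chrome renderer line shortened.

```python
"""Command-line triage over the sandbox process list.

Added example for this page, not sandbox signature logic and not sample code.
Finding kinds, regexes and NIRSOFT_IMAGES are assumptions made by the editor.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    image: str     # executing image as the sandbox records it
    cmdline: str   # command line as the sandbox records it


# Constructed input: rows copied from the Processes table (renderer line shortened).
PROCESSES = [
    Proc(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"'),
    Proc(r"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"'),
    Proc(r"C:\Program Files\Google\Chrome\Application\Chrome.exe",
         r'--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"'),
    Proc(r"C:\Program Files\Google\Chrome\Application\Chrome.exe",
         r'"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --renderer-client-id=6'),
    Proc(r"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe",
         r'C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\lnbdbmpvbyljkkrxfhqtgmaaeojpwqu"'),
    Proc(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         r'--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"'),
    Proc(r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mciaqya.vbs"'),
]

EXCLUSION_RE = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
DEVTOOLS_RE = re.compile(r"--remote-debugging-port=(\d+)")
USER_DATA_RE = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))')
OFFSCREEN_RE = re.compile(r"--window-position=(-?\d+),(-?\d+)")
# NirSoft "save to file" switches; /stext is the one seen in this report.
NIRSOFT_SAVE_RE = re.compile(
    r'/(stext|stabular|stab|scomma|shtml|sverhtml|sxml|skeepass)\s+(?:"([^"]+)"|(\S+))', re.I)
# Images the NirSoft tools normally run as (assumed list). A dump issued from
# any other image means the tool was injected into a host process.
NIRSOFT_IMAGES = {"webbrowserpassview.exe", "mailpv.exe"}


def _first(*groups):
    """Return the first non-empty regex group (quoted or bare argument)."""
    return next((g for g in groups if g), None)


def triage(procs):
    """Return one finding dict per suspicious command line."""
    findings = []
    for p in procs:
        cl = p.cmdline
        base = p.image.rsplit("\\", 1)[-1].lower()

        m = EXCLUSION_RE.search(cl)
        if m and base == "powershell.exe":
            findings.append({"kind": "defender_exclusion", "image": p.image,
                             "scope": m.group(1).lower(),
                             "target": _first(m.group(2), m.group(3))})

        m = DEVTOOLS_RE.search(cl)
        # Only the browser process (no --type=) is the launch; children inherit the flag.
        if m and "--type=" not in cl:
            udd = USER_DATA_RE.search(cl)
            pos = OFFSCREEN_RE.search(cl)
            profile = _first(udd.group(1), udd.group(2)) if udd else None
            findings.append({
                "kind": "browser_devtools", "image": p.image, "port": int(m.group(1)),
                "profile_dir": profile,
                # A profile under %TEMP% is a clone staged for the attacker, not the user's.
                "temp_profile": bool(profile) and "\\temp\\" in profile.lower(),
                # Negative coordinates park the window outside every monitor.
                "offscreen": bool(pos) and (int(pos.group(1)) < 0 or int(pos.group(2)) < 0),
            })

        m = NIRSOFT_SAVE_RE.search(cl)
        if m:
            findings.append({"kind": "nirsoft_dump", "image": p.image,
                             "switch": "/" + m.group(1).lower(),
                             "output": _first(m.group(2), m.group(3)),
                             "foreign_image": base not in NIRSOFT_IMAGES})
    return findings


def summarize(procs):
    """Count findings per kind; a one-line verdict for the report."""
    return dict(Counter(f["kind"] for f in triage(procs)))


if __name__ == "__main__":
    for finding in triage(PROCESSES):
        print(finding)
    print(summarize(PROCESSES))
```

Run it as a script to print each finding and the per-kind counts; on this input it reports one Defender exclusion, two off-screen browsers with DevTools enabled on the temp profile, and one /stext dump issued from an image that is not a NirSoft binary. Feed it real EDR process events by building Proc objects from the image path and command line fields.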

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            209.205.72.20.in-addr.arpa      udp
US       8.8.8.8:53            172.214.232.199.in-addr.arpa    udp
US       8.8.8.8:53            4.159.190.20.in-addr.arpa       udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53            241.150.49.20.in-addr.arpa      udp
US       8.8.8.8:53            13.86.106.20.in-addr.arpa       udp
US       8.8.8.8:53            56.163.245.4.in-addr.arpa       udp
US       8.8.8.8:53            206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53            92.12.20.2.in-addr.arpa         udp
DE       45.138.48.25:3333     -                               tcp
DE       45.138.48.25:3333     -                               tcp
DE       45.138.48.25:3333     -                               tcp
DE       45.138.48.25:3333     -                               tcp
US       8.8.8.8:53            geoplugin.net                   udp
NL       178.237.33.50:80      geoplugin.net                   tcp
US       8.8.8.8:53            25.48.138.45.in-addr.arpa       udp
US       8.8.8.8:53            50.33.237.178.in-addr.arpa      udp
US       8.8.8.8:53            234.179.250.142.in-addr.arpa    udp
US       8.8.8.8:53            35.200.250.142.in-addr.arpa     udp
US       8.8.8.8:53            www.google.com                  udp
GB       172.217.16.228:443    www.google.com                  tcp
GB       172.217.16.228:443    www.google.com                  tcp
GB       172.217.16.228:443    www.google.com                  tcp
GB       172.217.16.228:443    www.google.com                  udp
US       8.8.8.8:53            228.16.217.172.in-addr.arpa     udp
N/A      127.0.0.1:9222        -                               tcp
N/A      127.0.0.1:9222        -                               tcp
N/A      127.0.0.1:9222        -                               tcp
US       8.8.8.8:53            136.32.126.40.in-addr.arpa      udp
N/A      127.0.0.1:9222        -                               tcp
N/A      224.0.0.251:5353      -                               udp
N/A      127.0.0.1:9222        -                               tcp
N/A      127.0.0.1:9222        -                               tcp
DE       45.138.48.25:3333     -                               tcp
DE       45.138.48.25:3333     -                               tcp
US       8.8.8.8:53            43.229.111.52.in-addr.arpa      udp
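
Triage of the network rows above, as an added example written for this page (not part of the report or of any vendor tool). It parses the table's own layout, in which rows without a resolved name carry no Domain field, discards resolver noise (PTR lookups and plain DNS to 8.8.8.8), and buckets what is left: the loopback connections to port 9222 that pair with the browsers' --remote-debugging-port flag, the geoplugin.net geolocation lookup, ordinary web traffic, and the repeated connections to the bare IP 45.138.48.25:3333, which the script reports as the command-and-control candidate. The bucket rules and the GEO_SERVICES, DEVTOOLS_PORTS and WEB_PORTS sets are the editor's assumptions; NETWORK_ROWS is a subset copied from the table.

```python
"""Network-table triage for a sandbox report.

Added example for this page, not report data. Bucket rules and the three
constant sets below are the editor's assumptions.
"""
import ipaddress
from collections import Counter

# Constructed input: a subset of the Network table, copied as printed.
NETWORK_ROWS = """\
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
DE 45.138.48.25:3333 tcp
DE 45.138.48.25:3333 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 224.0.0.251:5353 udp
DE 45.138.48.25:3333 tcp
"""

GEO_SERVICES = {"geoplugin.net"}   # public geolocation API contacted in this run
DEVTOOLS_PORTS = {9222}            # matches --remote-debugging-port=9222 in the process list
WEB_PORTS = {80, 443}


def parse_row(line):
    """Split one report row; the Domain column is absent (or '-') for bare-IP rows."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    if domain == "-":
        domain = None
    host, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ipaddress.ip_address(host),
            "port": int(port), "domain": domain, "proto": proto}


def classify(row):
    """Bucket a row; order matters, noise is removed before the interesting checks."""
    ip, port, domain = row["ip"], row["port"], row["domain"]
    if domain and domain.endswith(".in-addr.arpa"):
        return "ptr_lookup"          # reverse DNS of peers, carries no payload
    if port == 53 and row["proto"] == "udp":
        return "dns_query"
    if ip.is_loopback and port in DEVTOOLS_PORTS:
        return "devtools_loopback"   # the stealer driving the browser over its debug port
    if ip.is_multicast:
        return "multicast"           # mDNS chatter from the guest
    if domain in GEO_SERVICES:
        return "geolocation_lookup"  # victim geolocation, a common RAT check-in step
    if ip.is_global and domain and port in WEB_PORTS:
        return "web"
    if ip.is_global and not domain:
        return "c2_candidate"        # routable IP with no name behind it (port 3333 here)
    return "other"


def triage(text):
    """Map bucket -> Counter of 'ip:port' connection counts."""
    summary = {}
    for line in text.strip().splitlines():
        row = parse_row(line)
        dest = f'{row["ip"]}:{row["port"]}'
        summary.setdefault(classify(row), Counter())[dest] += 1
    return summary


def c2_candidates(summary):
    """C2 candidates, most persistent first; repeated connects are the tell."""
    return sorted(summary.get("c2_candidate", Counter()).items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    s = triage(NETWORK_ROWS)
    for bucket, dests in s.items():
        print(bucket, dict(dests))
    print("C2 candidates:", c2_candidates(s))
```

The PTR rows are the guest resolving the addresses it talked to and carry no payload, so they are dropped first; the loopback 9222 bucket only means something next to the browser command lines, which is why the two are reported together rather than treated as a standalone indicator.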

Files

memory/976-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

memory/976-1-0x0000000000810000-0x0000000000904000-memory.dmp

memory/976-2-0x00000000058E0000-0x0000000005E84000-memory.dmp

memory/976-3-0x0000000005330000-0x00000000053C2000-memory.dmp

memory/976-4-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/976-5-0x0000000005310000-0x000000000531A000-memory.dmp

memory/976-6-0x00000000055E0000-0x000000000567C000-memory.dmp

memory/976-7-0x00000000057A0000-0x00000000057B8000-memory.dmp

memory/976-8-0x00000000749DE000-0x00000000749DF000-memory.dmp

memory/976-9-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/976-10-0x0000000006A70000-0x0000000006B32000-memory.dmp

memory/1744-12-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1744-11-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1744-13-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1744-16-0x0000000000400000-0x000000000047F000-memory.dmp

memory/976-17-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/3028-18-0x00000000749DE000-0x00000000749DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

MD5 b31e94b9aa3fc572228587333b83ebfe
SHA1 59996644977220b310542daa6163115505aa8c59
SHA256 a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3
SHA512 7d5a8f844d0e048af811c26d3e13ecaa674206da041378181d482e6e673da739f7facd98eba545a0ddf73953d57010e678515010e5a96adc00c5858d80c1b6bb

memory/3028-26-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/1744-31-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3028-32-0x0000000005770000-0x0000000005D98000-memory.dmp

memory/3028-28-0x0000000002C90000-0x0000000002CC6000-memory.dmp

memory/3028-33-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/3028-34-0x0000000005DD0000-0x0000000005DF2000-memory.dmp

memory/3028-41-0x0000000005EE0000-0x0000000005F46000-memory.dmp

memory/3028-40-0x0000000005E70000-0x0000000005ED6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gn5mb4zi.4sa.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3028-46-0x0000000006050000-0x00000000063A4000-memory.dmp

memory/3028-47-0x0000000006540000-0x000000000655E000-memory.dmp

memory/3028-48-0x00000000065F0000-0x000000000663C000-memory.dmp

memory/3028-49-0x0000000006B00000-0x0000000006B32000-memory.dmp

memory/3028-50-0x00000000706E0000-0x000000007072C000-memory.dmp

memory/3028-60-0x0000000006B70000-0x0000000006B8E000-memory.dmp

memory/3028-61-0x0000000007740000-0x00000000077E3000-memory.dmp

memory/3028-62-0x0000000007EB0000-0x000000000852A000-memory.dmp

memory/3028-63-0x0000000007870000-0x000000000788A000-memory.dmp

memory/3028-64-0x00000000078E0000-0x00000000078EA000-memory.dmp

memory/3028-65-0x0000000007AF0000-0x0000000007B86000-memory.dmp

memory/3028-66-0x0000000007A70000-0x0000000007A81000-memory.dmp

memory/3028-67-0x0000000007AA0000-0x0000000007AAE000-memory.dmp

memory/3028-68-0x0000000007AB0000-0x0000000007AC4000-memory.dmp

memory/3028-69-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

memory/3028-70-0x0000000007B90000-0x0000000007B98000-memory.dmp

memory/3028-73-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/2408-81-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2408-77-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2408-83-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2408-78-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/2408-85-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2408-86-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2408-87-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2408-88-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2408-90-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4236-97-0x00000000057C0000-0x0000000005B14000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8da6e944e44267fbb71a45bbe5677b1c
SHA1 0742fec38f4ba7e5f31852fc67d0727d5045abea
SHA256 ea5bbbe29ec849820cc6d577e02116d7de24b4a59be7c441bdff7a5a2ee053b2
SHA512 35c513c0112dc514d9716614507340dbc47f8ccc333ad4b43e4477b7ffd32e610163b4f613adc18bc0b53f8140c2821654cb672e92bfd2e6d5b8ce187a794979

memory/2408-103-0x0000000010000000-0x0000000010034000-memory.dmp

memory/2408-113-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4236-111-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

memory/2408-107-0x0000000010000000-0x0000000010034000-memory.dmp

memory/2408-106-0x0000000010000000-0x0000000010034000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 4dc59c568b7c4a955a41ea784655a11b
SHA1 655c0b470cfac864bcd52f12eecc7e2a348c50c3
SHA256 17b686d089381647efd93166c5e7e2d3244ba8b6281cb8f7d587cb2f06d66202
SHA512 14f26ffd6498a3576f4de9f30e84c1884a1f65f63e424cfb54d53dacc0483064e808fa3d69931a1b2bbc7fa39cf96c36eda46e1c3f5dbe9c0dc7cc623c81caf5

memory/1340-121-0x0000000000400000-0x0000000000462000-memory.dmp

memory/932-128-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-127-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2004-126-0x0000000000400000-0x0000000000424000-memory.dmp

memory/932-125-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-123-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1340-122-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1340-119-0x0000000000400000-0x0000000000462000-memory.dmp

memory/932-116-0x0000000000400000-0x0000000000478000-memory.dmp

\??\pipe\crashpad_4664_NXCBFIJWANEFPIBZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 17141355c3716c4dbbdf5d4e61c3a8ef
SHA1 8f90ca8eb5296ff1564d8dc6b6a693e977d998d4
SHA256 86410035eef0cfc78737f7b84a8d287dbca5667aadeabf2e2f9d65c82b7bb604
SHA512 eae25322290fc6325dce38f841cbf86ec7beba242111d8317c1748ea363007451b78fcaff5b7682043e0c751c58d60378ee5a604db2821a465a3b56d788a4cd6

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 e2f6740589a4b570eae3bde32ad6e60e
SHA1 f480cb3fe10ff7338916edbea9ed63bd01175122
SHA256 56cf9ec20fd3892b742bf6518f974734d753e9fd5157b33199d8b82c8a09c318
SHA512 4148c0ab36f82aa31d3343eeae7c16e7c66b948aa0124efa207b76ae067b33c8b4495faa25f6f2241408bc400f45e86b3c33ec0d2c5323065b320747565ac42e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/4236-165-0x00000000703C0000-0x000000007040C000-memory.dmp

memory/4236-175-0x0000000007000000-0x00000000070A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

memory/2408-222-0x0000000003200000-0x0000000003219000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

memory/2408-236-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2408-245-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

memory/2408-221-0x0000000003200000-0x0000000003219000-memory.dmp

memory/2408-218-0x0000000003200000-0x0000000003219000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lnbdbmpvbyljkkrxfhqtgmaaeojpwqu

MD5 16dfb23eaa7972c59c36fcbc0946093b
SHA1 1e9e3ff83a05131575f67e202d352709205f20f8
SHA256 36c49c94327c8cadcad4c0d2b3a8f5162fc7bb86624923484476c5f7b960bc4c
SHA512 a8b38b5e7bf886b78c5c7f01234b44647a252d4dfbcc06c99b863f8e160e3cfc151b2a83b8b49e09d13e8547419467da4bffbb8dee5fc6740032eb7c839d89dc

memory/2408-246-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4236-254-0x0000000007360000-0x0000000007371000-memory.dmp

memory/4236-257-0x00000000073B0000-0x00000000073C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 8631eeb1a818c2523a3429ebf42ea036
SHA1 dfb9261d70a916b990ccd361a9efdb169f1c6dbd
SHA256 a5593b27ca28b4f349b6baf80f9807a0181afb55ee41cbf8e1f9b5d8fbb65593
SHA512 d2e98919c1d7130df01dcf9a56213f88f310c8a6dd105eb8e45622f772bc99371ac78edb947b279fca1e06ed60c0a38bb9aba84f1b6cf8be33887928512178f3

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 0ab1140ec3873566aa70a8dc730a8d5d
SHA1 01f779041905b5a7d0f9dddeb058ba52c683a737
SHA256 10944f6f17e3c9282516d5223a7f128d6e94f9a2585646666b36661a9e5c8b40
SHA512 4f2e33b8d8e0b69a935e0ca3a0137382c8e4672c54a3faf1f8c847535ca4ff51a1a3979ebe0ee3aff119c3ae6aa24066790b4d292014977ee719728b9eb0b298

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 885f961d44b8e010fbcd844cefa85863
SHA1 a0a052c93bd8020a80aa577a9a4c1c845cd86ccf
SHA256 fb2710074eadd7772625c8f54e7a3a3d818acd55961ea8f20493e766c7a615b3
SHA512 8650064bab40e297508d1c9e5ffdfc1e03ba50059dcc4ba9b72511e97d2dce65e3e97e0fd3d9a6db2f61df2587873f90498117a6e36b0946ff1d7e78bca09144

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 1e3f831404cd7387d4ae7aff9b6c5f41
SHA1 89126b07ef77160bf6c6933362df10903341496f
SHA256 a69057e68bd27a7a8656812a28d8c6c2de4f3c246d8d8d6371adbecf0c7f57a8
SHA512 99a3e9ea13bc0bc987fe3aa43bb685a7215c854224e854dda188fa980d82655145b64e422aa9c0329d85c2f34ab3d5dc8f1d7718155c130c23e81a0239e6101e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

MD5 d30bfa66491904286f1907f46212dd72
SHA1 9f56e96a6da2294512897ea2ea76953a70012564
SHA256 25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907
SHA512 44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

MD5 22437a05e19ccbb92b45e2a512b289a1
SHA1 abdcbf5b4856880c209402ff47c51b3290c239e0
SHA256 136f63f63e5330a4a101108d788f4db748a73e5e092f289f0789fc9c70a46e1f
SHA512 cd504f634ded6e6e5b74656e7c7c1fbadcac991beed4ac1334d3dfa1acb1db73dbc415fe1f853c4ef2e8bb3b6321d80b6e623bb4014d4439f4c08096be2fd680

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 fb9b644175d9cb9412afa02e5162aa36
SHA1 549e99099f845f414e650dc71c41a2165b29f64a
SHA256 ef5bacdc32263d63240194ea3cdf60c69dffb9544e0d59730d35fcf5d89fd6d8
SHA512 b021b24fac3cba795ea5165108a79853a9f2b1c3ba78359c4f251e3b1953fc6b1ab753658c2bc8d11dfcb2dd5b696d89240e8c99fd41a5146615c8553f8905f2

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 5386b112fa0b22a45f72028ce295ee8b
SHA1 d3d2e5eed63f1a936bef8f91fd5cd7d428d97152