Malware Analysis Report

2025-01-02 13:35

Sample ID: 241202-lp8xyazlet
Target: a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3
SHA256: a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3
Tags: hawkeye remcos document collection credential_access discovery execution keylogger persistence rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3

Threat Level: Known bad

The file a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3 was found to be: Known bad.

Malicious Activity Summary

hawkeye remcos document collection credential_access discovery execution keylogger persistence rat spyware stealer trojan

Remcos family

Remcos

Hawkeye family

HawkEye

NirSoft MailPassView

NirSoft WebBrowserPassView

Detected Nirsoft tools

Command and Scripting Interpreter: PowerShell

Uses browser remote debugging

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-02 09:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-02 09:43

Reported: 2024-12-02 09:46

Platform: win7-20240903-en

Max time kernel: 122s

Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Hawkeye family

hawkeye

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\"" | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\"" | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\SysWOW64\dxdiag.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2404 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 2404 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 2404 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 2404 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 2404 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 2404 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 2404 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 2404 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 2404 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 2404 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 2404 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 2316 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2316 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2316 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2316 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2316 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2316 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2316 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2884 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2884 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2884 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2884 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2884 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2884 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2884 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2884 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2884 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2884 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2884 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2884 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2884 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2884 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2884 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2884 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2884 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 2884 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1680 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1680 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1680 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2896 wrote to memory of 2832 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2896 wrote to memory of 2832 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2896 wrote to memory of 2832 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1680 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 1680 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe

"C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe

"C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef74f9758,0x7fef74f9768,0x7fef74f9778

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\hanmpnug"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\scafqffiyps"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\cwfxryqbmykcdvr"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1276,i,7575521147882516518,17897421610791910992,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1432 --field-trial-handle=1276,i,7575521147882516518,17897421610791910992,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1536 --field-trial-handle=1276,i,7575521147882516518,17897421610791910992,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2064 --field-trial-handle=1276,i,7575521147882516518,17897421610791910992,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2096 --field-trial-handle=1276,i,7575521147882516518,17897421610791910992,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2944 --field-trial-handle=1276,i,7575521147882516518,17897421610791910992,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1316 --field-trial-handle=1276,i,7575521147882516518,17897421610791910992,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1304 --field-trial-handle=1276,i,7575521147882516518,17897421610791910992,131072 /prefetch:8

C:\Windows\SysWOW64\dxdiag.exe

"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nhfkistcmxpmxuqqgwbwjvrbby.vbs"

Network

Country Destination Domain Proto
DE 45.138.48.25:3333 N/A tcp
DE 45.138.48.25:3333 N/A tcp
DE 45.138.48.25:3333 N/A tcp
DE 45.138.48.25:3333 N/A tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.201.97:443 clients2.googleusercontent.com tcp
GB 172.217.16.228:443 www.google.com udp
N/A 127.0.0.1:9222 N/A tcp
N/A 127.0.0.1:9222 N/A tcp
N/A 127.0.0.1:9222 N/A tcp
DE 45.138.48.25:3333 N/A tcp
DE 45.138.48.25:3333 N/A tcp
DE 45.138.48.25:3333 N/A tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.80:80 crl.microsoft.com tcp
DE 45.138.48.25:3333 N/A tcp
DE 45.138.48.25:3333 N/A tcp
DE 45.138.48.25:3333 N/A tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.80:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

MD5 b31e94b9aa3fc572228587333b83ebfe
SHA1 59996644977220b310542daa6163115505aa8c59
SHA256 a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3
SHA512 7d5a8f844d0e048af811c26d3e13ecaa674206da041378181d482e6e673da739f7facd98eba545a0ddf73953d57010e678515010e5a96adc00c5858d80c1b6bb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 161f5f77ab0def703f66df69edb7838b
SHA1 052d3f335f5970bb201fd5f7bf3b77a372be055a
SHA256 73099c82d22d47b96d4b93a3e2d9142beb8edd3b4636985dcfed549880268285
SHA512 a12141e0f7d372856ebf4bf964a0f71dd9d9663acd32c8b9ea9d42bd85895b128021f3e805cc8d683036fa3c02e9a4671d71820e3a04cfc9364ca359326a986d

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 2f67c79e7fb39432c2d54e7070aa01af
SHA1 60b21bf086d4c4e23c9ba7aa9011bb0eb52f01cc
SHA256 2cc4661fb8bd8dda73feff25fe4bf2d8490e504948b310b54c6d7a35b5e90111
SHA512 14bc6d21120e9eba305bcabe8aaf778f22eb52b83638ac04353dfef70109fc51436d90bb64c350bceb223a076e8d920019477735c84df7b182653972ce05e79a

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 4de53fd1ecb25e50d1cd818780bd1a23
SHA1 e8c23580de1ffa9bf9771c26e408b99c872b3e76
SHA256 b2fc4d9dfb2130583cbd74c438a526223adad36c356941ff6bdf4d9bc127a78f
SHA512 b211436e40698f602bdb5bc0b445118efc8ebe8aa0546e03244c6c9d98a6f4132b88610f5fdc1f8a73ab81b534172e873d69c0ad8aebb2a15cacaad88b8cfc2e

\??\pipe\crashpad_2896_LUSTRRXZAOLTZYLG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\ShaderCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\ShaderCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\ShaderCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Temp\hanmpnug

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\MANIFEST-000002

MD5 22bf0e81636b1b45051b138f48b3d148
SHA1 56755d203579ab356e5620ce7e85519ad69d614a
SHA256 e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97
SHA512 a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 1ac4239b492d107dd3669ace8add3c4e
SHA1 31736a9786c3b6b2e3d55ec72871da90352878e1
SHA256 8ba12e9fe6b245d5c65777f71caf29021ea48d425a7ef94deaf9a07a85d827da
SHA512 27f7a07303f9a5ea762a77efac2a11ba977206af3169864f4a9f72a3fdcbb579c03965cd7f1053da3b8065d66bf88ef160db42de644158659c6523433bc1dced

C:\Users\Admin\AppData\Local\Temp\TmpUserData\475c4be8-af54-4298-b86e-370809f80162.tmp

MD5 6022c8f103ccbf2940639c0e1d477918
SHA1 e43ed272d75811a44d11907fd88ea7917918e6ca
SHA256 917ba2a59ee0b18cdc923f9cfd9ffbe236adfad736b8a8288ed55df034d4e5ca
SHA512 266f8de1b695340eaa84fbc97f161da45c609f4dc2a87bac2248c1bb981eee642b0b1f400876aac442b8a7e5f8df398dc22ac5239a56ac36e6cf54f774a120df

C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

MD5 4db07fe33ca4bdd6d4248184d7b0d552
SHA1 920933b19eb7479212b9ab947ed96f616d408183
SHA256 8b3c8c3230b4d52f11b0aac79d10071dca8a1e237b0a474e87c1c2b490d2368e
SHA512 3b585babff5529177a814d5b3da0f95f7eb0ec62cd361fd368125aea962aeb28f5433ee0fa54d3f8f8a36ab49b0f21c469358d6fa8cf0323a69ca81f8f035c00

C:\Users\Admin\AppData\Local\Temp\nhfkistcmxpmxuqqgwbwjvrbby.vbs

MD5 74399a9b0a4d00953173e483cef18815
SHA1 0cba8e841f70a6a4e7797ff2403121bb25c26612
SHA256 6d92b2898cba9b5ccb696b657435483b9bb49f4f375454e761d2c7c8cc32bbca
SHA512 6031454fc82293295fee54f4a46d250d4d63900a78487f49b83d7a6467d259547a1659741c217d63076b71fd837256e61dc24acfd7104426ce316b962c2d971d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-02 09:43

Reported: 2024-12-02 09:46

Platform: win10v2004-20241007-en

Max time kernel: 149s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Hawkeye family

hawkeye

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\"" C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\"" C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF C:\Windows\SysWOW64\dxdiag.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dxdiag.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\SysWOW64\dxdiag.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\SysWOW64\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\SysWOW64\dxdiag.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\SysWOW64\dxdiag.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878641211-696417878-3864914810-1000\{44970FCD-BC96-4EB1-B80A-843B90AA9EE7} C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878641211-696417878-3864914810-1000\{090517AA-E37E-4BE6-81CE-381EEB35BA0E} C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe N/A
N/A N/A C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3724 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3724 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3724 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3724 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 3724 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 3724 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 3724 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 3724 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 3724 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 3724 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 3724 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 3724 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 3724 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe
PID 4420 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4420 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4420 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4712 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4712 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4712 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4712 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4712 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4712 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4712 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4712 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4712 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4712 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4712 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4712 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4712 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4356 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4356 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 3440 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 3440 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4356 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4356 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4356 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4356 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4356 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4356 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4356 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4356 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4356 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4356 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4356 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4356 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4732 wrote to memory of 4344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe

"C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe

"C:\Users\Admin\AppData\Local\Temp\a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd8e8dcc40,0x7ffd8e8dcc4c,0x7ffd8e8dcc58

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\prjwzcp"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\alxgavazxr"

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\knczbnlslzhmqd"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,15930913074198093216,13499231459140243350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,15930913074198093216,13499231459140243350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,15930913074198093216,13499231459140243350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2232 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3184,i,15930913074198093216,13499231459140243350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,15930913074198093216,13499231459140243350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\SysWOW64\dxdiag.exe

"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4616,i,15930913074198093216,13499231459140243350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4636 /prefetch:1

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\enbfaiwukcfhbtd.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 106.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 45.138.48.25:3333 tcp
DE 45.138.48.25:3333 tcp
DE 45.138.48.25:3333 tcp
DE 45.138.48.25:3333 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 25.48.138.45.in-addr.arpa udp
DE 45.138.48.25:3333 tcp
DE 45.138.48.25:3333 tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
DE 45.138.48.25:3333 tcp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
DE 45.138.48.25:3333 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/3724-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

memory/3724-1-0x00000000002E0000-0x00000000003D4000-memory.dmp

memory/3724-2-0x0000000005330000-0x00000000058D4000-memory.dmp

memory/3724-3-0x0000000004E20000-0x0000000004EB2000-memory.dmp

memory/3724-5-0x0000000074E90000-0x0000000075640000-memory.dmp

memory/3724-4-0x0000000004DE0000-0x0000000004DEA000-memory.dmp

memory/3724-6-0x00000000050C0000-0x000000000515C000-memory.dmp

memory/3724-7-0x0000000005280000-0x0000000005298000-memory.dmp

memory/3724-8-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

memory/3724-9-0x0000000074E90000-0x0000000075640000-memory.dmp

memory/3724-10-0x0000000006550000-0x0000000006612000-memory.dmp

memory/4420-12-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4420-13-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4420-16-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4420-11-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3724-17-0x0000000074E90000-0x0000000075640000-memory.dmp

memory/3292-19-0x0000000002B00000-0x0000000002B36000-memory.dmp

memory/3292-18-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

memory/3292-27-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/3292-29-0x00000000054E0000-0x0000000005B08000-memory.dmp

memory/4420-31-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

MD5 b31e94b9aa3fc572228587333b83ebfe
SHA1 59996644977220b310542daa6163115505aa8c59
SHA256 a1a334aa5fd2ba1b468b2fac316ffd7ffbf5708dfa85f966689fe43bc18602e3
SHA512 7d5a8f844d0e048af811c26d3e13ecaa674206da041378181d482e6e673da739f7facd98eba545a0ddf73953d57010e678515010e5a96adc00c5858d80c1b6bb

memory/3292-32-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/3292-34-0x0000000005B90000-0x0000000005BB2000-memory.dmp

memory/3292-35-0x0000000005D30000-0x0000000005D96000-memory.dmp

memory/3292-36-0x0000000005DA0000-0x0000000005E06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_po41bjry.gpl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3292-46-0x0000000005E10000-0x0000000006164000-memory.dmp

memory/3292-47-0x00000000063D0000-0x00000000063EE000-memory.dmp

memory/3292-48-0x0000000006420000-0x000000000646C000-memory.dmp

memory/3292-60-0x00000000073D0000-0x00000000073EE000-memory.dmp

memory/3292-61-0x00000000073F0000-0x0000000007493000-memory.dmp

memory/3292-50-0x0000000070C10000-0x0000000070C5C000-memory.dmp

memory/3292-49-0x00000000069B0000-0x00000000069E2000-memory.dmp

memory/3292-62-0x0000000007D60000-0x00000000083DA000-memory.dmp

memory/3292-63-0x0000000007720000-0x000000000773A000-memory.dmp

memory/3292-64-0x0000000007790000-0x000000000779A000-memory.dmp

memory/3292-65-0x00000000079A0000-0x0000000007A36000-memory.dmp

memory/3292-66-0x0000000007920000-0x0000000007931000-memory.dmp

memory/3292-67-0x0000000007950000-0x000000000795E000-memory.dmp

memory/3292-69-0x0000000007A60000-0x0000000007A7A000-memory.dmp

memory/3292-70-0x0000000007A40000-0x0000000007A48000-memory.dmp

memory/3292-68-0x0000000007960000-0x0000000007974000-memory.dmp

memory/3292-73-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/4356-79-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4356-83-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4356-77-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4356-82-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4356-84-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4356-85-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4356-86-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4356-87-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4356-88-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4356-90-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4356-94-0x0000000010000000-0x0000000010034000-memory.dmp

memory/4356-95-0x0000000010000000-0x0000000010034000-memory.dmp

memory/4356-91-0x0000000010000000-0x0000000010034000-memory.dmp

memory/3928-101-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 ccfc0a00a81abc5e4640160307b49ed6
SHA1 25ad74d6933ab9e7b0d60e8d7ce43b3cf340c1f8
SHA256 bd7d81f5385bef0a01701e445c953ff3e94debf9e226f14877313dd29a2ad3da
SHA512 c286685d76f297b92d3d33d67acc0226db274136e0508d774308f07c9bb4b3d9982b7cdb09608c91a1addbb9e03ad8d35004f8691df5de9e17be70635a70f5eb

memory/592-116-0x0000000000400000-0x0000000000424000-memory.dmp

memory/592-115-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4356-118-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3928-108-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2376-107-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2376-105-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2376-103-0x0000000000400000-0x0000000000462000-memory.dmp

memory/592-110-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3928-106-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 3500c39cafef8c42e21c0eed0068acf0
SHA1 4acab10148c3cd8644497fb1e2671609db926832
SHA256 9b3cd3d94f1d2f873464301319e4dca3d34f7c549b3cd9ab868470202d1574d5
SHA512 a7b49f1755b5161a693d7ff4413469b684043ea236d225698838713bdb20b0fe8fc557c2500e1b7d0fde02bf945d356a636a2c0fff7097acf50246abec32f092

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 066a537b995fe292f153bf37fa7386f2
SHA1 c63888164ad71f8b619d22bffb3348d7d4f386ee
SHA256 4c0eb0dbe16a4ed706ca649c8e220fda74472fd5275cdbd2fab2bcf17eb34a89
SHA512 3c68949672b34ef560518721e034883758ac2248bbb1fcd390477494cb4b319d709a8bcad1376428f8d96736c3406677a10512eb59ec804f8ee0970fe3780c08

memory/4356-143-0x0000000000400000-0x000000000047F000-memory.dmp

\??\pipe\crashpad_4732_KAMADMGKYZPJUYFD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4356-146-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443