Malware Analysis Report

2025-01-22 10:25

Sample ID 240206-bjg7xsbhh3
Target 2cacce0bad26aa9301f32a1a7e2dda39.bin
SHA256 e0c865ff45d59a420dec26b15079c7304f1a2dd1c46a1887cde88a9f7036e491
Tags
amadey trojan glupteba redline risepro xmrig zgrat livetraffic discovery dropper evasion infostealer loader miner persistence rat spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e0c865ff45d59a420dec26b15079c7304f1a2dd1c46a1887cde88a9f7036e491

Threat Level: Known bad

The file 2cacce0bad26aa9301f32a1a7e2dda39.bin was found to be: Known bad.

Malicious Activity Summary

amadey trojan glupteba redline risepro xmrig zgrat livetraffic discovery dropper evasion infostealer loader miner persistence rat spyware stealer upx

Glupteba

RedLine

RedLine payload

RisePro

Detect ZGRat V1

xmrig

ZGRat

Amadey

XMRig Miner payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Creates new service(s)

Blocklisted process makes network request

Modifies Installed Components in the registry

Downloads MZ/PE file

Modifies Windows Firewall

Loads dropped DLL

Checks BIOS information in registry

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Executes dropped EXE

UPX packed file

.NET Reactor proctector

Reads data files stored by FTP clients

Identifies Wine through registry keys

Reads local data of messenger clients

Enumerates connected drives

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-06 01:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 01:10

Reported

2024-02-06 01:16

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8111d1cf423d5496e7c48e6177cae3ed3d83aae6097ef206f55b870de951933a.exe"

Signatures

Amadey

trojan amadey

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8111d1cf423d5496e7c48e6177cae3ed3d83aae6097ef206f55b870de951933a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\8111d1cf423d5496e7c48e6177cae3ed3d83aae6097ef206f55b870de951933a.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8111d1cf423d5496e7c48e6177cae3ed3d83aae6097ef206f55b870de951933a.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8111d1cf423d5496e7c48e6177cae3ed3d83aae6097ef206f55b870de951933a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8111d1cf423d5496e7c48e6177cae3ed3d83aae6097ef206f55b870de951933a.exe

"C:\Users\Admin\AppData\Local\Temp\8111d1cf423d5496e7c48e6177cae3ed3d83aae6097ef206f55b870de951933a.exe"

Network

N/A

Files

memory/1936-0-0x0000000000A50000-0x0000000001476000-memory.dmp

memory/1936-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/1936-2-0x0000000077990000-0x0000000077991000-memory.dmp

memory/1936-4-0x0000000000450000-0x0000000000451000-memory.dmp

memory/1936-8-0x0000000000A50000-0x0000000001476000-memory.dmp

memory/1936-9-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-06 01:10

Reported

2024-02-06 01:16

Platform

win10v2004-20231215-en

Max time kernel

102s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8111d1cf423d5496e7c48e6177cae3ed3d83aae6097ef206f55b870de951933a.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

ZGRat

rat zgrat

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rty25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9bw.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u9bw.1.exe N/A
N/A N/A C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dota.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000032001\\dota.exe" C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plaza.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000052001\\plaza.exe" C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fu.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000031001\\fu.exe" C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\8111d1cf423d5496e7c48e6177cae3ed3d83aae6097ef206f55b870de951933a.exe N/A
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u9bw.0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u9bw.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-768304381-2824894965-3840216961-1000\{E6CDE037-AD80-4C9D-9795-058573B52CD7} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-768304381-2824894965-3840216961-1000\{E62DF446-8155-4572-B673-9BA4DDB81297} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-768304381-2824894965-3840216961-1000\{1E27A5BF-2E86-40D4-9B17-EAEC23F9B7C0} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-768304381-2824894965-3840216961-1000\{916FEA61-B665-476B-B2F7-18A18DF016B3} C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\MuiCache N/A N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4848 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe
PID 4848 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe
PID 4848 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe
PID 4848 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe
PID 4848 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe
PID 4848 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe
PID 4388 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4388 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4388 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4388 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 696 wrote to memory of 2944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 696 wrote to memory of 2944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4388 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4388 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2544 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2544 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 532 wrote to memory of 1340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 532 wrote to memory of 1340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4388 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4388 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3576 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3576 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4388 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4388 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 1060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 1060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4388 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4388 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4884 wrote to memory of 2880 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4884 wrote to memory of 2880 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4388 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4388 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3924 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3924 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4388 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4388 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4876 wrote to memory of 1344 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4876 wrote to memory of 1344 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4388 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4388 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4304 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4304 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4388 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4388 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3652 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3652 wrote to memory of 1872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4388 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4388 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3896 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3896 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3896 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3896 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3896 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3896 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3896 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3896 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3896 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3896 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3896 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4388 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4388 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8111d1cf423d5496e7c48e6177cae3ed3d83aae6097ef206f55b870de951933a.exe

"C:\Users\Admin\AppData\Local\Temp\8111d1cf423d5496e7c48e6177cae3ed3d83aae6097ef206f55b870de951933a.exe"

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000030041\do.ps1"

C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe

"C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x44,0x104,0x7ffecca346f8,0x7ffecca34708,0x7ffecca34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffecca346f8,0x7ffecca34708,0x7ffecca34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffecca346f8,0x7ffecca34708,0x7ffecca34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffecca346f8,0x7ffecca34708,0x7ffecca34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffecca346f8,0x7ffecca34708,0x7ffecca34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffecc8d9758,0x7ffecc8d9768,0x7ffecc8d9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecc8d9758,0x7ffecc8d9768,0x7ffecc8d9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffecc8d9758,0x7ffecc8d9768,0x7ffecc8d9778

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video

C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe

"C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,15196900222394646857,10940397922874467376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="752.0.990777625\1723015582" -parentBuildID 20221007134813 -prefsHandle 1784 -prefMapHandle 1776 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c8e3fa3-b255-4a8d-aac4-e552d819071a} 752 "\\.\pipe\gecko-crash-server-pipe.752" 1880 21312ed9858 gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,3922059631128295844,13932581981906779185,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,16568115301585431629,3794651233285745249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,13188007640478208473,8053368547424540166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1452,13188007640478208473,8053368547424540166,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe

"C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="752.2.1272959198\1206773880" -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 3008 -prefsLen 21603 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdd7ada4-deea-4f86-a50c-ea32ff191380} 752 "\\.\pipe\gecko-crash-server-pipe.752" 2772 21312e60358 tab

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="752.1.1508253757\2362257" -parentBuildID 20221007134813 -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16a94ada-804e-4716-95ae-93847155de23} 752 "\\.\pipe\gecko-crash-server-pipe.752" 2344 21306adc158 socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4748589652052314744,3883081231830459312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4748589652052314744,3883081231830459312,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1836 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3968 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=2000,i,14635961757500404395,18247210851870417770,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=2000,i,14635961757500404395,18247210851870417770,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4804 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1720,i,13777540849436488451,16945454491079801568,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4960 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="752.3.897550896\219118711" -childID 2 -isForBrowser -prefsHandle 3484 -prefMapHandle 3480 -prefsLen 21709 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c342f443-a47c-4f4c-aae5-702c1d8488f5} 752 "\\.\pipe\gecko-crash-server-pipe.752" 3296 2131674eb58 tab

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xc4,0x10c,0x7ffecc8d9758,0x7ffecc8d9768,0x7ffecc8d9778

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="752.5.907658453\1727749391" -childID 4 -isForBrowser -prefsHandle 3580 -prefMapHandle 3584 -prefsLen 21709 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dac3111b-663f-40c1-9641-e698b962b7c9} 752 "\\.\pipe\gecko-crash-server-pipe.752" 3788 213170e3a58 tab

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5204 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="752.4.708587589\1868428251" -childID 3 -isForBrowser -prefsHandle 3596 -prefMapHandle 3600 -prefsLen 21709 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {caf8c192-5d0c-4f87-89e9-f6721cb47b8c} 752 "\\.\pipe\gecko-crash-server-pipe.752" 3652 213170e2e58 tab

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1720,i,13777540849436488451,16945454491079801568,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5364 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4660 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe

"C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffecca346f8,0x7ffecca34708,0x7ffecca34718

C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe

"C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,16568115301585431629,3794651233285745249,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="752.7.1472675388\248787145" -childID 6 -isForBrowser -prefsHandle 4808 -prefMapHandle 4812 -prefsLen 21709 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59c36d2d-13f9-4f58-9add-9b345b78881c} 752 "\\.\pipe\gecko-crash-server-pipe.752" 4800 213156fc158 tab

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe

"C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.linkedin.com/login

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecc8d9758,0x7ffecc8d9768,0x7ffecc8d9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3804 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="752.8.124520596\1984065461" -childID 7 -isForBrowser -prefsHandle 5204 -prefMapHandle 5200 -prefsLen 21709 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {051a937e-9a21-491f-ad34-e71cd9a84cde} 752 "\\.\pipe\gecko-crash-server-pipe.752" 5216 21318221e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.linkedin.com/login

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="752.6.1123382329\2119840996" -childID 5 -isForBrowser -prefsHandle 4632 -prefMapHandle 4628 -prefsLen 21709 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0665c0c4-85d8-4f7d-9eb2-4c33bacbb45a} 752 "\\.\pipe\gecko-crash-server-pipe.752" 4672 213156a0558 tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffecca346f8,0x7ffecca34708,0x7ffecca34718

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,3922059631128295844,13932581981906779185,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,17322483287037601253,3280585114605657513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,17322483287037601253,3280585114605657513,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,15196900222394646857,10940397922874467376,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.linkedin.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3976 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6628 /prefetch:8

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.linkedin.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6944 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecc8d9758,0x7ffecc8d9768,0x7ffecc8d9778

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x40c 0x244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffecca346f8,0x7ffecca34708,0x7ffecca34718

C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe

"C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\683043812824_Desktop.zip' -CompressionLevel Optimal

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7372 /prefetch:8

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7904 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecc8d9758,0x7ffecc8d9768,0x7ffecc8d9778

C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5880 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="752.10.1251217055\60036214" -childID 9 -isForBrowser -prefsHandle 5772 -prefMapHandle 5756 -prefsLen 21884 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e27b103e-4b1a-47e7-ace8-00428c7b67ee} 752 "\\.\pipe\gecko-crash-server-pipe.752" 5752 21318431a58 tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffecca346f8,0x7ffecca34708,0x7ffecca34718

C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "ACULXOBT"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="752.11.1816934571\816530654" -childID 10 -isForBrowser -prefsHandle 3352 -prefMapHandle 3356 -prefsLen 21884 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9c072d9-80a0-4c92-93b9-e611b014e58f} 752 "\\.\pipe\gecko-crash-server-pipe.752" 5632 213189dce58 tab

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 11672 -s 348

C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe"

C:\Users\Admin\AppData\Local\Temp\u9bw.0.exe

"C:\Users\Admin\AppData\Local\Temp\u9bw.0.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe

"C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe"

C:\Users\Admin\AppData\Local\Temp\u9bw.1.exe

"C:\Users\Admin\AppData\Local\Temp\u9bw.1.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ACULXOBT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe

"C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 13280 -s 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 13280 -ip 13280

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6700 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6464 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 11672 -ip 11672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14035262426716185800,12994711241123050472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7804 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="752.9.1637208589\1047205666" -childID 8 -isForBrowser -prefsHandle 5364 -prefMapHandle 5384 -prefsLen 21884 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c898f52-4efa-49d3-bcee-94f1f9f1774b} 752 "\\.\pipe\gecko-crash-server-pipe.752" 5456 21314f2cc58 tab

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5928 --field-trial-handle=1908,i,12640975231134072621,659486174589435740,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffecca346f8,0x7ffecca34708,0x7ffecca34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffecca346f8,0x7ffecca34708,0x7ffecca34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6356 -ip 6356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6356 -s 1084

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6356 -ip 6356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6356 -s 1084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 12512 -ip 12512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 12512 -s 2360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\683043812824_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
FI 109.107.182.3:80 109.107.182.3 tcp
US 8.8.8.8:53 32.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 3.182.107.109.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
NL 80.79.4.61:18236 tcp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 www.linkedin.com udp
US 8.8.8.8:53 www.youtube.com udp
GB 157.240.221.35:443 tcp
US 13.107.42.14:443 www.linkedin.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.27.84:443 accounts.google.com tcp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 14.42.107.13.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
NL 142.250.27.84:443 accounts.google.com udp
GB 142.250.178.14:443 www.youtube.com udp
US 8.8.8.8:53 84.27.250.142.in-addr.arpa udp
US 8.8.8.8:53 i.ytimg.com udp
GB 216.58.212.214:443 i.ytimg.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
GB 157.240.221.35:443 tcp
NL 142.250.27.84:443 accounts.google.com tcp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 214.212.58.216.in-addr.arpa udp
NL 142.250.27.84:443 accounts.google.com udp
GB 142.250.178.14:443 www.youtube.com udp
GB 216.58.212.214:443 i.ytimg.com tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
GB 157.240.221.35:443 tcp
US 8.8.8.8:53 star-mini.c10r.facebook.com udp
NL 142.250.27.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
GB 216.58.212.214:443 i.ytimg.com udp
NL 142.250.27.84:443 accounts.google.com udp
US 8.8.8.8:53 227.212.58.216.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
GB 142.250.178.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 13.107.42.14:443 www.linkedin.com tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 static.licdn.com udp
US 8.8.8.8:53 accounts.youtube.com udp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 172.217.16.238:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.238:443 www3.l.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
DE 20.79.30.95:33223 tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
US 8.8.8.8:53 rr1---sn-q4flrnlz.googlevideo.com udp
US 8.8.8.8:53 104.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
GB 142.250.179.234:443 content-autofill.googleapis.com tcp
US 74.125.3.134:443 rr1---sn-q4flrnlz.googlevideo.com tcp
US 74.125.3.134:443 rr1---sn-q4flrnlz.googlevideo.com tcp
US 74.125.3.134:443 rr1---sn-q4flrnlz.googlevideo.com tcp
US 8.8.8.8:53 95.30.79.20.in-addr.arpa udp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 134.3.125.74.in-addr.arpa udp
US 74.125.3.134:443 rr1---sn-q4flrnlz.googlevideo.com tcp
US 74.125.3.134:443 rr1---sn-q4flrnlz.googlevideo.com tcp
US 8.8.8.8:53 ponf.linkedin.com udp
US 8.8.8.8:53 stun.l.google.com udp
US 144.2.9.1:443 ponf.linkedin.com tcp
US 74.125.3.134:443 rr1---sn-q4flrnlz.googlevideo.com tcp
US 8.8.8.8:53 platform.linkedin.com udp
GB 142.250.144.127:19302 stun.l.google.com udp
GB 142.250.144.127:19302 stun.l.google.com udp
US 8.8.8.8:53 www.linkedin.com udp
GB 88.221.135.104:443 platform.linkedin.com tcp
GB 88.221.135.104:443 platform.linkedin.com tcp
US 8.8.8.8:53 1.9.2.144.in-addr.arpa udp
US 13.107.42.14:443 www.linkedin.com tcp
US 8.8.8.8:53 l-0005.l-msedge.net udp
US 13.107.42.14:443 l-0005.l-msedge.net tcp
GB 142.250.179.234:443 content-autofill.googleapis.com udp
GB 157.240.221.35:443 udp
US 8.8.8.8:53 l-0005.l-msedge.net udp
US 144.2.9.1:443 ponf.linkedin.com tcp
GB 142.250.144.127:19302 stun.l.google.com udp
GB 142.250.144.127:19302 stun.l.google.com udp
GB 88.221.135.104:443 platform.linkedin.com tcp
US 8.8.8.8:53 static.licdn.com udp
GB 88.221.135.104:443 static.licdn.com tcp
US 8.8.8.8:53 a1916.dscg2.akamai.net udp
US 8.8.8.8:53 a1916.dscg2.akamai.net udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 88.221.135.104:443 a1916.dscg2.akamai.net tcp
GB 88.221.135.104:443 a1916.dscg2.akamai.net tcp
GB 88.221.135.104:443 a1916.dscg2.akamai.net tcp
GB 88.221.135.104:443 a1916.dscg2.akamai.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 ponf.linkedin.com udp
US 8.8.8.8:53 ponf.linkedin.com udp
GB 163.70.147.23:443 static.xx.fbcdn.net udp
GB 163.70.147.23:443 static.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
US 144.2.9.1:443 ponf.linkedin.com tcp
GB 163.70.147.35:443 facebook.com tcp
US 8.8.8.8:53 23.147.70.163.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
US 8.8.8.8:53 platform.linkedin.com udp
DE 144.76.1.85:18574 tcp
NL 142.250.27.84:443 accounts.google.com tcp
GB 88.221.135.104:443 platform.linkedin.com tcp
US 8.8.8.8:53 35.147.70.163.in-addr.arpa udp
NL 142.250.27.84:443 accounts.google.com tcp
GB 142.250.144.127:19302 stun.l.google.com udp
GB 142.250.144.127:19302 stun.l.google.com udp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
NL 142.250.27.84:443 accounts.google.com udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 216.58.204.74:443 jnn-pa.googleapis.com tcp
GB 163.70.147.35:443 facebook.com tcp
GB 216.58.204.74:443 jnn-pa.googleapis.com tcp
GB 216.58.204.74:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 fbcdn.net udp
GB 163.70.147.35:443 fbcdn.net tcp
GB 163.70.147.35:443 fbcdn.net tcp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
GB 142.250.178.4:443 www.google.com udp
NL 45.15.156.209:40481 tcp
GB 157.240.221.35:443 udp
US 8.8.8.8:53 i.alie3ksgaa.com udp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 scontent.xx.fbcdn.net udp
US 8.8.8.8:53 fbsbx.com udp
GB 163.70.147.23:443 scontent.xx.fbcdn.net tcp
US 8.8.8.8:53 209.156.15.45.in-addr.arpa udp
US 8.8.8.8:53 85.1.76.144.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 scontent.xx.fbcdn.net udp
GB 163.70.147.23:443 scontent.xx.fbcdn.net udp
GB 172.217.16.238:443 youtube.com tcp
GB 163.70.147.23:443 scontent.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
GB 163.70.147.35:443 facebook.com tcp
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 play.google.com udp
GB 163.70.147.35:443 facebook.com udp
GB 216.58.201.110:443 play.google.com tcp
GB 216.58.201.110:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 216.58.201.110:443 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 189.15.92.154.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 13.107.42.14:443 l-0005.l-msedge.net tcp
DE 185.172.128.127:80 185.172.128.127 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 127.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
GB 172.217.16.238:443 accounts.youtube.com tcp
GB 216.58.201.110:443 play.google.com tcp
GB 216.58.201.110:443 play.google.com udp
US 8.8.8.8:53 201.179.17.96.in-addr.arpa udp
GB 216.58.201.110:443 play.google.com udp
US 8.8.8.8:53 mealroomrallpassiveer.shop udp
DE 185.172.128.127:80 185.172.128.127 tcp
US 104.21.47.178:443 mealroomrallpassiveer.shop tcp
US 8.8.8.8:53 rr1---sn-4g5edndk.googlevideo.com udp
DE 185.172.128.109:80 185.172.128.109 tcp
DE 172.217.133.198:443 rr1---sn-4g5edndk.googlevideo.com tcp
DE 172.217.133.198:443 rr1---sn-4g5edndk.googlevideo.com tcp
GB 142.250.178.4:443 www.google.com tcp
DE 172.217.133.198:443 rr1---sn-4g5edndk.googlevideo.com tcp
DE 172.217.133.198:443 rr1---sn-4g5edndk.googlevideo.com tcp
US 8.8.8.8:53 gemcreedarticulateod.shop udp
US 8.8.8.8:53 178.47.21.104.in-addr.arpa udp
US 8.8.8.8:53 109.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 198.133.217.172.in-addr.arpa udp
DE 172.217.133.198:443 rr1---sn-4g5edndk.googlevideo.com tcp
US 8.8.8.8:53 clients2.google.com udp
DE 172.217.133.198:443 rr1---sn-4g5edndk.googlevideo.com tcp
US 104.21.80.171:443 gemcreedarticulateod.shop tcp
GB 216.58.201.110:443 play.google.com tcp
GB 142.250.200.14:443 clients2.google.com tcp
GB 142.250.200.14:443 clients2.google.com tcp
GB 157.240.221.35:443 tcp
GB 216.58.201.110:443 play.google.com udp
US 8.8.8.8:53 171.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
NL 94.156.67.230:13781 tcp
US 8.8.8.8:53 secretionsuitcasenioise.shop udp
US 172.67.213.168:443 secretionsuitcasenioise.shop tcp
US 8.8.8.8:53 app.alie3ksgaa.com udp
US 8.8.8.8:53 claimconcessionrebe.shop udp
US 104.21.58.31:443 claimconcessionrebe.shop tcp
HK 154.92.15.189:80 app.alie3ksgaa.com tcp
DE 185.172.128.79:80 185.172.128.79 tcp
US 8.8.8.8:53 168.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 31.58.21.104.in-addr.arpa udp
US 172.67.182.52:443 tcp
US 8.8.8.8:53 79.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 52.182.67.172.in-addr.arpa udp
RU 5.42.65.31:48396 tcp
DE 45.76.89.70:80 tcp
US 8.8.8.8:53 31.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
DE 185.225.200.120:15666 tcp
US 8.8.8.8:53 modestessayevenmilwek.shop udp
US 172.67.217.59:443 modestessayevenmilwek.shop tcp
US 104.21.80.171:443 gemcreedarticulateod.shop tcp
US 8.8.8.8:53 59.217.67.172.in-addr.arpa udp
US 172.67.213.168:443 secretionsuitcasenioise.shop tcp
US 104.21.58.31:443 claimconcessionrebe.shop tcp
US 172.67.182.52:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
N/A 127.0.0.1:51069 tcp
US 8.8.8.8:53 bfdd57f1-1ee5-46f0-8ba1-1264ebe94aa3.uuid.statstraffic.org udp
US 8.8.8.8:53 udp
N/A 127.0.0.1:53089 tcp
US 8.8.8.8:53 udp
NL 94.156.67.230:13781 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
RU 185.215.113.32:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server13.statstraffic.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server13.statstraffic.org tcp
FI 64.233.164.127:19302 stun3.l.google.com udp
US 8.8.8.8:53 walkinglate.com udp
US 172.67.212.188:443 walkinglate.com tcp
US 8.8.8.8:53 127.164.233.64.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 188.212.67.172.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 udp
BG 185.82.216.104:443 server13.statstraffic.org tcp
US 8.8.8.8:53 udp
RU 193.233.132.167:80 193.233.132.167 tcp
NL 94.156.67.230:13781 tcp
BG 185.82.216.104:443 server13.statstraffic.org tcp

Files

memory/4084-1-0x000000007ECD0000-0x000000007F0A1000-memory.dmp

memory/4084-0-0x0000000000570000-0x0000000000F96000-memory.dmp

memory/4084-2-0x0000000077CD2000-0x0000000077CD3000-memory.dmp

memory/4084-7-0x0000000000570000-0x0000000000F96000-memory.dmp

memory/4084-8-0x000000007ECD0000-0x000000007F0A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 2cacce0bad26aa9301f32a1a7e2dda39
SHA1 fc2bd435311933fcf7f8bf4227c8a65a42073db9
SHA256 8111d1cf423d5496e7c48e6177cae3ed3d83aae6097ef206f55b870de951933a
SHA512 3362274a6e20f1e3c084ce043a597f23e39f0e7baf69be63fb7f8e03bc2b653a4ba9c3ce5e6c207f28ca8955ab47357ca6ef80b3ed032d561cae646b01b565cb

memory/4848-11-0x0000000000F40000-0x0000000001966000-memory.dmp

memory/4848-12-0x000000007F1A0000-0x000000007F571000-memory.dmp

memory/4848-13-0x0000000077CD2000-0x0000000077CD3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe

MD5 d177caf6762f5eb7e63e33d19c854089
SHA1 f25cf817e3272302c2b319cedf075cb69e8c1670
SHA256 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0
SHA512 9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

memory/5080-33-0x0000000004A20000-0x0000000004A62000-memory.dmp

memory/5080-34-0x0000000073870000-0x0000000074020000-memory.dmp

memory/5080-35-0x0000000004BF0000-0x0000000004C00000-memory.dmp

memory/5080-36-0x0000000004BF0000-0x0000000004C00000-memory.dmp

memory/5080-37-0x0000000004C00000-0x00000000051A4000-memory.dmp

memory/5080-38-0x0000000004B00000-0x0000000004B3E000-memory.dmp

memory/5080-39-0x0000000004BF0000-0x0000000004C00000-memory.dmp

memory/5080-40-0x00000000051B0000-0x00000000057C8000-memory.dmp

memory/5080-41-0x00000000057D0000-0x00000000057E2000-memory.dmp

memory/5080-42-0x00000000057F0000-0x00000000058FA000-memory.dmp

memory/5080-43-0x0000000005900000-0x000000000593C000-memory.dmp

memory/5080-44-0x0000000005A80000-0x0000000005ACC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000030041\do.ps1

MD5 d769ca0816a72bacb8b3205b4c652b4b
SHA1 4072df351635eb621feb19cc0f47f2953d761c59
SHA256 f4cc3a4606856fd811ecbcdf3fc89fa6418a1b3c8f56ca7ff5717713e8f806a2
SHA512 cf13fd667e71707d63d394391b508f5a1ee5ffa7ac27fe35906e15059e9fccc8ad61e91ce3ffd537e8daa0f6306d130997e9b448a4466407fa0c894917850b64

memory/4392-54-0x0000000073870000-0x0000000074020000-memory.dmp

memory/4392-55-0x0000000002450000-0x0000000002460000-memory.dmp

memory/4392-56-0x0000000002450000-0x0000000002460000-memory.dmp

memory/4392-53-0x0000000002460000-0x0000000002496000-memory.dmp

memory/4392-57-0x0000000004F40000-0x0000000005568000-memory.dmp

memory/4392-58-0x0000000004E80000-0x0000000004EA2000-memory.dmp

memory/4392-59-0x0000000005670000-0x00000000056D6000-memory.dmp

memory/4392-60-0x00000000056E0000-0x0000000005746000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fvxglut3.hir.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4392-70-0x0000000005920000-0x0000000005C74000-memory.dmp

memory/4392-71-0x0000000005D40000-0x0000000005D5E000-memory.dmp

memory/5080-72-0x00000000064F0000-0x0000000006566000-memory.dmp

memory/5080-74-0x00000000065B0000-0x0000000006642000-memory.dmp

memory/5080-75-0x00000000066E0000-0x00000000066FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe

MD5 37cdd1fcbf20a8206407e6580bc92d5b
SHA1 29e9dd27a8fee610d43eb77451a735693922103b
SHA256 6ef82daf44dcb04a074ce4ca980a9a583fdcbb8fc46d8837012116054fb5d918
SHA512 4807bc0aa9a6836e810f735d263f7e01144dca2dd1f8d18c8bc24ece5f4bcf4c1661653b8db03b0c592fe68ca87448fa41dc312f789d14a82c4584d96f3edfef

C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe

MD5 6e04bea7323caf18cc3a059d2a8b0e5d
SHA1 72f11b1bdc6969f38a63034a3bc5c41bee6265fb
SHA256 dee136098078f2769f5490606ff6dcc90f052b7e894cfbc9c2b0e2a4ae9aad35
SHA512 3e5fab1c8402f521e7aba7530637a4f5049de11e204efba6e5b96c9d7aff2664ef9edd6675c155ac9dc5d2be1f53ef8b4c7491a44203ab38d6a13adc28661ac8

C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe

MD5 810700adb2e64d331f949ea87e5691d9
SHA1 c3e41bf9923450fa693af1327e1f811f2b6cc96d
SHA256 98f2d74cb26f756e89b70c31a8e3a231ad68e9c422ee881c7a0f50d848ab4342
SHA512 390d88fd90e71c835666bacd06f8a7cd94913b4ee0d2ca815d72100b89b4e374222c1897891afeb5219956aa83f859db125efb7badfe16fb9bad16d3502bb61d

memory/5080-95-0x0000000006A60000-0x0000000006AB0000-memory.dmp

memory/5080-96-0x0000000006F60000-0x0000000007122000-memory.dmp

memory/4392-97-0x0000000006D20000-0x0000000006DB6000-memory.dmp

memory/4392-99-0x00000000062B0000-0x00000000062D2000-memory.dmp

memory/5080-100-0x00000000081D0000-0x00000000086FC000-memory.dmp

memory/4392-98-0x0000000006260000-0x000000000627A000-memory.dmp

memory/4392-103-0x0000000070440000-0x000000007048C000-memory.dmp

memory/4392-113-0x00000000070C0000-0x00000000070DE000-memory.dmp

memory/4392-117-0x0000000002450000-0x0000000002460000-memory.dmp

memory/4848-115-0x0000000000F40000-0x0000000001966000-memory.dmp

memory/4392-116-0x0000000002450000-0x0000000002460000-memory.dmp

memory/4392-114-0x00000000070E0000-0x0000000007183000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a57cb6ac4537c6701c0a83e024364f8a
SHA1 97346a9182b087f8189e79f50756d41cd615aa08
SHA256 fe6ad41335afdcf3f5ff3e94830818f70796174b5201c9ee94f236335098eff8
SHA512 8d59de8b0378f4d0619c4a267585d6bfd8c9276919d98c444f1dbb8dec0fab09b767e87db972244726af904df3e9decbff5f3bb5c4c06a9e2536f4c1874cd2f2

memory/4392-119-0x0000000007FA0000-0x000000000861A000-memory.dmp

memory/4392-131-0x0000000007280000-0x000000000728A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5e77545b7e1c504b2f5ce7c5cc2ce1fe
SHA1 d81a6af13cf31fa410b85471e4509124ebeaff7e
SHA256 cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11
SHA512 cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 da720017583df8212fd69f8fcd7b6b6e
SHA1 0ea9e35cd6c6dd27a9601b0ec3a30cc8283dd738
SHA256 7ae143ff4808674a468026efd4944dc2007b3f6424ad789d88c0a3d31a625e1a
SHA512 4f526d979a5e772bc7cc8692fec922332ab8aa932573f93225dcb7908b55f42daeddf3f9d4b54ee47b042843d82483caee91a0273bdded58dc2a41b60b4ce0d4

C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe

MD5 f4586dd998ceb6a8e19f9737e8facdec
SHA1 2d0d57a47184d7bbe2fedd74b9af902e8db00a71
SHA256 e4c5601afb85f07412cad47d894af765c1674890eb66a10fc991a33c1ebcb68e
SHA512 74fc8b9691e2b2cefd68bbf686f2c5f0ed1266fef662737d445ce3c824198143ae69245da6d868419d6f720a7d10ac60af53a78f495ca36ff1343b1309b32d65

memory/4392-183-0x00000000072A0000-0x00000000072B1000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

MD5 16b7586b9eba5296ea04b791fc3d675e
SHA1 8890767dd7eb4d1beab829324ba8b9599051f0b0
SHA256 474d668707f1cb929fef1e3798b71b632e50675bd1a9dceaab90c9587f72f680
SHA512 58668d0c28b63548a1f13d2c2dfa19bcc14c0b7406833ad8e72dfc07f46d8df6ded46265d74a042d07fbc88f78a59cb32389ef384ec78a55976dfc2737868771

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

MD5 f732dbed9289177d15e236d0f8f2ddd3
SHA1 53f822af51b014bc3d4b575865d9c3ef0e4debde
SHA256 2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93
SHA512 b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

memory/5388-205-0x0000000000EB0000-0x000000000143E000-memory.dmp

memory/4848-204-0x000000007F1A0000-0x000000007F571000-memory.dmp

\??\pipe\LOCAL\crashpad_2544_GFRLLXUDAIOXCLPP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/5388-277-0x0000000077CD4000-0x0000000077CD6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2b21df54370339961a93e4d94d4aad42
SHA1 b95183a34723a056a6c2edafcb396d8f565e3c43
SHA256 01a42333e368a5973a42571b5eef7aee4f66ba18d836e4c0539a2d334aa48952
SHA512 16c0b277c4d620f69d2ccc0f2c90853fb224939802ce889801560dd6585b76cd62325458983a1886ef0cd0ed7f75e1e9bd8d0df4ed6a8dd418ff0bbdf756e3c8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7444a2cfbd5b26b6ad4e4c11c271802a
SHA1 509a6df770c9665d5a441884d5cb928f534e5455
SHA256 3688b093f47783073e442717df0f50d47d482848d4cb012e8d94a545e2e3ef14
SHA512 f80c6b5ad0c3798858e432f800eac42c48770f346b4a2a95238e6252cd1cb099c81ff77c736a1317e656a9ae10851c90f9de30624a724d1f6d24254bb4e38734

memory/5080-269-0x0000000073870000-0x0000000074020000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3f86bbf2b63651f6781ecf129e6dbfb5
SHA1 be2f22b27eee03206704abb2ce346724c11b580c
SHA256 bc7734e9aa35c3d67c1f0355312934890b44937b958d5d88956af0f638134970
SHA512 4ff9e36b80b5123b648053ea0dcd688af789b5ca57d38cc64f6764fc054d53676fc89610760c2b3e0553f946b59e6052e30fe395d1051c75364a89b842c800eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6a5767049748ef2be941323adc6a3ef7
SHA1 d1537d117d0331de88a38187c438f3ad973e4db8
SHA256 39a7e7eca16257b64b92ad32b03dc89d15a0ee095c2798895967d9562ca33a44
SHA512 19efd2f5fcfd539d695cd78b85ad34f3ef9553d52e1f94214250871bd2579511287d61b5b089fde298f6d1a3ecc90adb0bcdce7dbdd258cf691c09a99e2a029a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\630be422-a122-4e13-9134-9dfeb2449cdb.tmp

MD5 c230756f35daa607cac456f8d98dd694
SHA1 8a910d8652729daa647a8435bc95a40406c0cfde
SHA256 5bbb70d8ce9262902fdcaec332ea57ce523717d7d2a54a452d5878d14704f71f
SHA512 a964fe2599ef875c3109aa098ca7c8707406028534d10d4a83e01e31498b3ce8aa7d5273a9e31285ce75af71b79c8b6417fe757715865530faa5f9e01d19bd91

C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe

MD5 d467222c3bd563cb72fa49302f80b079
SHA1 9335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256 fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512 484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

memory/5388-280-0x0000000005920000-0x0000000005921000-memory.dmp

memory/5388-294-0x0000000005910000-0x0000000005911000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/5388-307-0x0000000005980000-0x0000000005981000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 385b15ba95d9158fcf62cc2606e8aa51
SHA1 d1a71686336299a73e230c920cfa1c87e0d96ecd
SHA256 bdc7d21a9cfbe9a45d058baa29eeb43b103e2a5fd0bd0be854b226e3a4d905ad
SHA512 9b5b57188cea65a2c4eefe58216702ca7b3b67c4e10de346a97f92a30f047fbcbf5a4d7aeff47aadd6557152fb7771ac8bb126b72531cdb6da3d19403c0e2345

memory/5388-320-0x0000000005900000-0x0000000005901000-memory.dmp

memory/5388-322-0x00000000059A0000-0x00000000059A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe

MD5 a0ddc86e2eb6741e7910d66fc723b448
SHA1 81db0cecb370033cac162fcaaae2e1ae8c98776f
SHA256 b98de73c7fbcd19f33d626f7e66da7e846329a75026feafbba097a277c847dad
SHA512 f7783c490f3da0bf0dd5f792ee3529623f053390bdfdbe46a2bd741b6d067db427ee0fb46e5af74167fab20283d99840f56dfb4f041ea6f8f8edbbbbc825582d

memory/8088-333-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

memory/5388-332-0x0000000005990000-0x0000000005991000-memory.dmp

memory/5388-325-0x0000000005960000-0x0000000005961000-memory.dmp

memory/5388-323-0x0000000005930000-0x0000000005931000-memory.dmp

memory/5388-321-0x0000000005950000-0x0000000005951000-memory.dmp

memory/5388-312-0x0000000000EB0000-0x000000000143E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f1b906f7e22cf2aa4ddeb6c17fee2620
SHA1 face5895e39034f333a8a3a996db6addf411ba95
SHA256 e9a137859dc45b98c5541d399aa85ca72812c8e981b75156aa180eabae2ed1e3
SHA512 c4ab6627a63b6c9745f2b4b2866dd0120bbbdacb6e3ddfadf19bb32d00d2f145d8ba362684d8c5f6e70107f8e72037ca051290cbac64af22f3d26bdfa8490d89

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 a12c10add60624b045aac23cc9cf0bb2
SHA1 00d664b9161c5c119adbcc77e696d994b32c4bf2
SHA256 f661606b6bcc04a0befc2e9ca49768e8e5a655bd76016ae57d8b3e2e848ed072
SHA512 f6522cdd3359339fa2ba976e45539afead887a8c70c967bf841285a2fafbf335a578188fe5ebd04d221990823d2cfca01cd70c88e76359db380179032e42c849

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 e470772f01c5641b7bd06fd2a8ac5fc1
SHA1 991f66fddd76473b61e2ce2bf4fd8edfca3b53e7
SHA256 53f1d80618d153127915ca8eab4de9a5a4b54ef713d457f0c14f493202731b35
SHA512 c2e0094f5c256f6309a2c9b3555ae454ceec6ba8ed7480945b7f9d99536949e4b5742e784bb78f33caf9501b89667c341c4c4b01d5fe58eca634a85a11a7fbff

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 79545507122b225c88acfe6e3bc0d4c3
SHA1 71f4fad9d58b685a6cc8e13745c624506c0f507b
SHA256 b1981e1713e46762fe1f76c9a589d41d58ba1657b926a2ccaeb091591e28b59e
SHA512 8babe3bb8b28384196e481b76ab101d67c3b2dbe5b9091481ab1d4e857e162ca4f8d9bdf0f0ebac45a600bcaf5f19208c11271790c64df0dd1676a0816caa47c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 11de180e892a5cb38f92dc13cfcb0381
SHA1 6ae2a18662f9c8723c7e098667d2dccb274e41e6
SHA256 8c99218c72de78048b96cb28aa64896490077c2ce7b2386112bd8b0c8e4258f9
SHA512 322cfdfe56a55a0192856a8300e3659b792668f549022705a7b24f8e2db11cab70679142725920f9d993eea429dc647789d1fc51b10bdd9e290c8f193e23ab86

C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe

MD5 a63c4c8f99d5688805b6dc311620b91f
SHA1 2daa6365f0df5e90bbc523cbbd86837a6ba8d31b
SHA256 26ec330e897e6a30cc82b399e86d0ad51c791764687fcde42ae062c6916919d2
SHA512 28f31ecb615a8867dac1e560c8c52add0cdabc124ed21c33fd52489fa56ed218416ac8269c2c29516f2cda5ee8add33b83bcee10effc4c80b529ea008f574dda

memory/4848-481-0x0000000000F40000-0x0000000001966000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe

MD5 6e401ff8d2152ee1f93cdf7a48072207
SHA1 5b6945cde50036da4f96c3ad4d8151e4edfa0eb7
SHA256 f7c9102387ff2be3466578767db90e8208f9edbfbeb048d08b3aa47b042a05a8
SHA512 66ae5caabd19090229449dede7840770c6b3bf8a5d875fa75df3621119b3798a0a5b60e19c4bba9cfb8a39172bde6b5a45ec1d8cff865ca8a8f152f335c68b96

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

MD5 7a204d478c8dfe822bf86f9103bbd9b3
SHA1 7114b36ea1588d9372d730b2ee5dec7a3aee36d1
SHA256 d9134e3cf60db564c49cc181251c7308bc568acf060444c443a90c0f464ebfeb
SHA512 f5fb06a9808e9370a5fb3b926ffa27746ca7942eba36a2f63135168218e326abc74195453b9bcd8a045d5870a71b7f250dfc281515c7fa51857410acb316763e

C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe

MD5 10a331a12ca40f3293dfadfcecb8d071
SHA1 ada41586d1366cf76c9a652a219a0e0562cc41af
SHA256 b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f
SHA512 1a5b8e77ddbab97bb4c848adbcd7dbfb9ca84307d1844dba9572fcea48a2cbb091a3fc52663b87568416adf18a1338adc07aab0bd5f1ab36a03c8ff8a035d399

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\sessionstore-backups\recovery.jsonlz4

MD5 6a6421c8bdff0078d1e9db4d773c4fcf
SHA1 4f7be9990c37d08b3bed93040cf477030a836420
SHA256 dc8cc59d28c1361137b27d3c8f704818382b752ce9ae752fbbbeb5350f9c16c2
SHA512 540c42c281d6dae35e85c3c27678d79205a2c9f58fc73cf37c33400f47d51487b5eec140a344d77f04be42811eea8397c4c07fc87e43cea029841c2f0598b0bb

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\cache2\entries\007E769A3DD5DA78A4096C894CDE895E093E7A64

MD5 e5ae4f8ba039e1100dc5ebe67499e939
SHA1 b2858249462fd60af7810ffd3347955157133484
SHA256 72f0019b6bac570170276bebccce94ce5adeb90cee518b5750f93fa16d34aa0f
SHA512 0085e5ef088c26e9084e099155fcf22bffd963a2ff1bd5a6c2e130ddc575a0a39b184a743e49f308307a3f2570e95ffd7d625d8f686a1c8cd3d1ee2fadf14f3e

memory/10928-593-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0d2b61900e657cc9a4bf45c75a5f09f6
SHA1 5b2add620f2bee7fcf8f126137dc11dc59709aa0
SHA256 bba91df448e37bf0d79744d53597cb9e8faf95ef0c2386e8bf45985d8ec0ee05
SHA512 27c81c8b9d24fbc0e6b80553b7847aad13fca65cd9ba0bcba421aba84e32bf0d790ae5852479056935ceb8288418e7a84dc9e8f902231045ad8b39ad89cc4a01

memory/5388-653-0x0000000000EB0000-0x000000000143E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 425927f0c2d2688e8cd1200e835dd484
SHA1 3778e0a65bce07c81c21c20812ad5dd2c999e303
SHA256 d90c9da6d7a454b7abced51ed3c3457598db732093dda12fb5c9dcff9df5ef1a
SHA512 f7077cf211f732d6e457512d192a7769b8750ae8e74bb315d65dbb468474c18f9e75341d92ca205431cf9091dfcfef668749515262cba91bb7bd482c59d77c2a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 884328afbe70f4fe0af70ae739b789c5
SHA1 1daf8bc2737b46acfc4ece1a086da484fef4e752
SHA256 971a84f14dac4355c3ba2ca31371844c6b104f82a421203c90f6e0ef5f542eb6
SHA512 831ab6d7067c3c3b98665068f4f9cff35bbbc29aafd77792bc8e840f442317e226b7ea13f305a4831520e57ddf4cf78f64ed5c19f576c2ce6700587074763946

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 c3477c8680b06f10f1fb913ac8d50cda
SHA1 27f74c5aab5b54fbed3011e2442c25fda1475151
SHA256 d0032a174384acc3bf09e046c44221aabdf22ba7261197bc6229a0a4d0cb9c64
SHA512 aa987c600d8761e71f24933338180f941f7fb42cd09ffb09381b2d7c5c5867afa60910e223567984b6cab0ca07e675f2aae02d0601d524bcef9206101a922bda

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\prefs-1.js

MD5 b75eec6a47a82b79f362a2da089fa537
SHA1 7d9f32f3a1ef1ae6abe0867c06880f3e9cd2a689
SHA256 ce5317771a6680e1963532c204eee6c3c5dfcbf35042cdeb4247214623afd922
SHA512 3b02a9a7e88f230238aa26cf9d5d189db5a42c48b70a6e52b4ad5c0b983813fe46fd8319ebf7942862a34d4d0e2926bbe9ff157bba7d0db99cfea470b41e2b8a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe

MD5 1f7dd23e0c29b69f71da685ef1392436
SHA1 25ef2a037fc2a167a9d8258310a5186fff302af7
SHA256 5158c6793156a01ba9f9da6dcfe350e5a60475f3134c038f3c06322227373b75
SHA512 07aa1b5f6f20f5b3c12127d9b477a85be014320f7cd9ff454956ac056ac97484664983b18120f01fe8cef3b4637134017001c99fc04e854732e10935c19e9e8e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\MANIFEST-000001

MD5 3fd11ff447c1ee23538dc4d9724427a3
SHA1 1335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA512 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4ffea207ab60e2260d00b29db4387d35
SHA1 bdb07b971b5e8d5426b1d8ab99d2ea1b9cf6ab60
SHA256 a3170e71c263a7c0d43a52b94bce38114d3b80ace98156df9fed48e1f2772436
SHA512 c9b162b6ba362b21219e99aac20b0742ce12824fcdd773257c0b816a2303c03849473651c534da5b3ac30d9a41eeed460903f13259821c4ed8c4f9853f13f3ba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 6db2d2ceb22a030bd1caa72b32cfbf98
SHA1 fe50f35e60f88624a28b93b8a76be1377957618b
SHA256 7b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4
SHA512 d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 011c6acc79a70884a91827ea5be2f593
SHA1 322bef2485baf4063309de3d0d34d8b23883efde
SHA256 ef6696761bb25419b9107a87600926894c96834d42dd8e5df765ed59990dc2e4
SHA512 1687388557e6dc3e5a1c0931f3017eda4fa43a83ec3126c799464d6ff3a94a171099afac376b263e9dd23b09b142635b591d36555e21d8588eb6118dde1879fc

memory/12104-857-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 87e189868133554615c81675831c5deb
SHA1 bedfe687827fd7cfbf8f78dfcb3bd219927f7490
SHA256 26a53a24a94bf4722e8c173a9ce64d5893a6aa88d45dee040aa7d8cd4c29ac5c
SHA512 76514c7b04385901997244f8b69e0a716aa348e632e543f6a410a0220ee29d1f193c258dceadde1e5fe953542a4bc4b74230a786a1b82f041bd2f786aae39c20

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

MD5 923a543cc619ea568f91b723d9fb1ef0
SHA1 6f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256 bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512 a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe

MD5 bf5797b6322d51469f7d4ec29d2985bc
SHA1 6d391e3b76e526c4cad6f98dc84e42e8d10b5de6
SHA256 dff6b5a5bd482fda7b9fcaa423922e8ed08d5c71d0182fddc29157aa2f110fe5
SHA512 dbde5a0b15072d0e664b41727201f8cdb40000487d7fe17ddf1f3016649146cb33e8cdff7c6ee33b7419c7035289f8cb4e78223d3a2bd3c2098f11fee1b37a97

C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

MD5 654abe1db0f972272b5b012914d9e5d6
SHA1 1ac7b42167369dcfa528837f13a2c80de7bcc161
SHA256 5f2bdf7f83ab075f7dafaf7493cbf4ab08d2e79b95cd3382621acfe73ba96094
SHA512 18823ab8a9a160ac169052ec210e6adb356190dc0644c8b5fd6f5ccbc8de2666c5e9d44ef90c954d5b6e948c81ef2666900c0fe40b7d5e4b644a39e8b93c1a12

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 4a55e73fdc90ba552d1ce23cd9371ccb
SHA1 bdfc116cc0a3e34b358e2c29ba7905e31b0e1dc0
SHA256 86bb8be29e78f1dc0a910feffd3cf93278f7701cb3dc21b491f5a2a04384206b
SHA512 6c37addc21592c5136daf65c825606dd9798aa8502428847ee90ef294da91f255cd5ae3cd56d0186ed13e43027eb9cc16c7186902190800178c38d396a59535b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\cache2\entries\24F1CE33C39E98D6DF0A88247DA8D4896907B46E

MD5 bb72fd832e69c32bad975ce1b0eaa461
SHA1 d8a8e66f22ced3b6ec23adf2ee74368d0f678ada
SHA256 e2e3f3ab2154b87ff895cf5710718d8d923033ffb158eacd2689364e32623203
SHA512 ee96ea7f5630e663e664b2dd60188ffab236a725d92fe8a5deaf382b9cbc3dcd81834728fd089ceb5f749149e1f896098e5f4632d60490af0e3f6ac46dca5c92

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 8dc1f88ae1fcedeb3983c5f5c3d486b0
SHA1 d40e67ba5558d90cb11eeca04d213322159336fc
SHA256 4a15d91920a4da9a64935248c126fb60e8302198df8e5759da8129ac1841beca
SHA512 0b2263fe049e280af1178fd396a06a04e6b99f7c971839207ae225161257ed9d9b7eaa8d0ceb1f14d3aa2094b53ce91dd045ebc169102e707ea7285f91432ac1

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 8c20d9745afb54a1b59131314c15d61c
SHA1 1975f997e2db1e487c1caf570263a6a3ba135958
SHA256 a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1
SHA512 580021850dfc90647854dd9f8124418abffbe261e3d7f2e1d355dd3a40f31be24f1b9df77ad52f7fa63503a5ee857e270c156e5575e3a32387335018296128d7

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe

MD5 b5c71e949a63ca8386a33c851002d51f
SHA1 7b5b97c75aceb0eb7f8d137ee449fec23e06404d
SHA256 23d9cdbf7e44149a1cb1aaf4aa096b293c5cc5045a805f4fbfadb7cfc9637259
SHA512 b9132a7b51b223d684fafc0c135d91f378e220d75a6da7a8169f4f1d5faf3570a44d662497b66d1e2571eb63546ad0fcbede74c0d355dd1cfb688f12382499c6

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\cache2\entries\27130428AA9673FE224F99BCAF97A6009AE4D837

MD5 b6c3d84ee9559ea60e2511fdabf96c8a
SHA1 05e06d32d05fcb7eb06cbb264bb757e46c25cde6
SHA256 97de32e82e9cc6c6dba873115b564f1587f0343874a9cb0f46e070c59cc087f3
SHA512 0690c775b9b4f3521d02464a096c818b4e2827b428cf67f2dc9dceaf57130fe68fd0b2769ac12fa2873e5a231eb07ac7a6125f0961bb066da44ef54364f18759

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\cache2\entries\B244729BC80B4AC34542A2CF7ABB28C54E8B5AC9

MD5 e2b821fa42898ace1044aff7dace68c3
SHA1 ee17d18aa1cc9ca7f9dbcf64f131e4bf1f2f3271
SHA256 5d0d995bae82ed152498ffdf7a2989086c61c47a60ec40136aec739c36a5cedf
SHA512 dd1a5a575064bb3544a141e2835a08d43e8c3f2199489c71c7e010ddae5e1ef7506a548996a389295f6a13f5e1d355b341e4bac1bfe04810b4811b90f338ba98

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\cache2\entries\24FCC1FE10B5907E89DD2B7D6CE6B2D40A935AAF

MD5 6dbf8bf6e155247c9990600dd0d60bbd
SHA1 8ee66a3aa054d498614417398fd3664b4ac43836
SHA256 aa779f77c60f3b076534888b2ddd40fb7afc52dd4e9a20e93f3f0e290e7df0a0
SHA512 57d11beab9fdd97ffc94ab97ad53847739e15f702a7bd996cf1fb2d3f91765d9d8e53c93f911e93e7477cd59e1561f09955be0c716445eff25847ca699ac7632

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\cache2\entries\169D382E6ECEFB0B4DC415049A9EE59A0E33C50C

MD5 3847d70a2e126ad7efc3aae9d4e370d8
SHA1 72ec1120b621160f0900dcefe1d515df6a3326e3
SHA256 61704495b0c0c79d9defe818819d8037ae11744a0ac50b369d82a03969eddcfa
SHA512 e7f3d8ca6708ceaf28f618d25f62b8242efc686c98a30cb8ee0cbd1fbce766d29cd3cf667d03a370de2f2b7a1ed33ed99e97744d4ba8e1ef9fe7ef8deb76ab70

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\cache2\entries\A4EAA756C522664D9CEE8A7AEF94BA0D5D323F4A

MD5 1d05d9c617f602174ee0e147a65f9326
SHA1 d900a4cf6f4d2219b23f8716539aff235984f758
SHA256 979f8ff39f5e296dcd46f6c45efe88d1819c604ae31c929f32ccd11c72affd1b
SHA512 2574b82a0001dc53b424720d044ddffa6a0adeaa3131a2d1798a490c9fd9a5961412ccece1331ede2c41ff1292f8da4b9ac5e341074bf2dfc26f9c015d503327

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\storage\default\https+++www.linkedin.com\idb\1803601664sreeqbumeunNce.sqlite

MD5 22f72deb5198e4e43d708e482aac2857
SHA1 18a9f2ca246740f0095cbc3cd1288fa0e6567a97
SHA256 5483d34acf6172ba7564845fc3534b320fc348844030d859dbbe70b1452be169
SHA512 44bb50220f801997855a2e46dff45963e5ddbbf3e2819b7c1fdd0ccad72389b12b34b3b91fd625c4b787673649b3d9fe63e32e4a4c83bca2e7dee523c69056da

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\cache2\entries\4FBF04A3C9F4324AFD2987052CBF8504453061F7

MD5 25dd9553867d5d23f910c1ab6eaf841e
SHA1 34c850abeb42065ae44d96f5fed91150258cc5d9
SHA256 84d904a2f5922cc291d03cd65edcc046efc6557465e4b615c42baed0d2bafba1
SHA512 418ab16f3847f6007d04be4d7eb0c9b7f9ba3c57c3dd0f6ec08dc93e25ebb3aa45937042e23dc15f51f4b418a72cdb6ee165e21a3d834bf95e92f5bfdd9c2c81

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\cache2\entries\D3886D483BFF9B004AA331EF257C3770172BC48A

MD5 23e5780302212ed6f90a4dd91f5b7bc2
SHA1 27c04d029257af2b7e329a0689eda798743cbf5c
SHA256 faf6f1fafb673b81e8d74d78f3e625fbb1c226c527db51d7137815ca31a17d5b
SHA512 8a3e29ea7a754af2a62eaf8f4f0ef86bc10f08f4101c40e685b18a13025cfc4ef15e112e124026575e955129cfe9ef2988393759a4bf07423913ebc787d33d64

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\cache2\entries\0206971B56AA72A685F9515133D05C879FC04909

MD5 721355bf88cbf3838eec4bf94f89d2ff
SHA1 920991e9318e0cc4ee33808eadd085a1b56ca428
SHA256 9cda7131674620bf8f0bd5bdde4d1dfeb0e6b4e250bee36ddc296ab9a83ebcfd
SHA512 50f6a8263c353ffe518d96f5610ff576ea3d6b64e3813d81a8c0cd9bcf7081a9a155cf1a654a80e7aa48cc3f3921167457a3ed2c3b74b2611cdce33cd91bdb9e

memory/5388-1221-0x0000000000EB0000-0x000000000143E000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

memory/13280-1386-0x0000000000400000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

MD5 d1a0d8504b6a46215e2a4cf521ddb7b5
SHA1 3d6e16808a1e17ccdaca99f37ed30468391c62e0
SHA256 cb357178d5e09917800b0669d958b5517c4f8b322c01f2adeca3ea7fa4e707c1
SHA512 2ee68d71b04a78e1bc353f66daaeac1ab9f2e1119d7b6974571f8ef1a7a20fc1ea3903f3d90f3feffe7d820339abed4a26cabb230ddba3baa415309daad2d570

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\cache2\doomed\29038

MD5 24b4314a35195ec46f289fc01642406c
SHA1 69751666932cc4865c18b2f20be3a65b1bdabd6e
SHA256 5429bf83821bee58611611f31cdad7501d78386537d935433288c25a9d242b45
SHA512 85822f66abfae40ec40c88fffdb5c94d2d2d9a4242156054505779a258d3d54affacbacbb1052eebc114b7c1d4083caa8ea2199a6e40183afaf81fd0c1036f0a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\sessionstore-backups\recovery.jsonlz4

MD5 e9e30c7edef40ac2d85f1877e38c0479
SHA1 79d629e3eeffb169cc8cb3cb0d9a94b41e84a191
SHA256 1f74d62f3229c7e8f6f38051fdf52cb909183fc3c0a9dd4a7341b1f2c5047d54
SHA512 ab23ca2e9751c90da9c34571c54ce424b846df36dcd0092058d66bf9070b1dbc11c01d9edf8d3306b448fa80fd0f4d7ff26e5cfcd509ae3adc09016926f9d914

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

MD5 cd6dbd5ae8209f703e4a8e602528e043
SHA1 6685d16a1f09f47580aeb01693646cec9d1fddd7
SHA256 3fd132fab953ccd1c55063a971b57b7885a71c57646530c096acce2eaa31a255
SHA512 d9372b3340a9700bb7c140b4d026c1a28b03dc683e08176c572127a17043f7a83ff30bd7945dccc7716d0b6ab66c9e02e5948627d3f7dc76a8f99c6e30a23b72

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old~RFe58530d.TMP

MD5 40032dcdbd1c4d2ae281c2cf8a035ca9
SHA1 93ad51e47e4aacdaeee7abb76dda7ab7004c642b
SHA256 c1a70f7a8744af5991ddd6db08f9f7a355b962411237177d1c3f45d877cee8a3
SHA512 d603107e478968f9cb5fd9b6ab92e38f1d037a8e71e1158335ddbd0d124d47fde53d40b7cc8acbf3734fc3ec895fbe63f045c386047be52012a59b0f956ffee6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3da62dcac54191448aacc7a681598305
SHA1 3c067644d752a16cb00d92efa09ae2883b590b0b
SHA256 cc1c9721da1ba54fbf75955ddb24596bda2575fd0203ff0fd2de272b845158ec
SHA512 de07f29807215b0970c73e0c59c13da0be36a06f4b9d64b7e3649203e11c1ca98881e08279a5ea49104087723d34cbc0190f8095582de9b8915b9cbcb509e38c

memory/13280-1409-0x0000000000400000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 48d83c8e55d0ecfce04d79b76741d353
SHA1 271c5ac96ab511a2c83702d54c7e7b9477e3b1fd
SHA256 bc2be8dfb023a9b41c22d65e30c0cf6d0e02a5d799cb295d86e6ce65c299bccf
SHA512 1757fbc89a8294d833554d533712705d928a1fb23471855ca61b4357dc1c0f18c9e81c87058a71bfb5e9c8c196cbdb841d2a8e5c48cf56bfe2822f9b27373042

memory/12832-1519-0x0000000004E60000-0x0000000005005000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe

MD5 5a6358bb95f251ab50b99305958a4c98
SHA1 c7efa3847114e6fa410c5b2d3056c052a69cda01
SHA256 54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5
SHA512 4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0

C:\Users\Admin\AppData\Local\Temp\u9bw.0.exe

MD5 689278a1d1243ac5aa47715ad2e89c8f
SHA1 d3552fbf0cd683135d7b6405c9e62af3c14b06c7
SHA256 90b8b9f8527548c095fe5a40df3ace331b7a26540d2d80ea19688626f0420cf2
SHA512 60021f67ead3f02bf01d643a9ed1f926ed564de8b5dd749dce5bc93699b07414e800e36911fbda3e0bcc83ae068543981f61ea3a3f598fbf6e21185f5c4fe576

memory/12832-1534-0x0000000004E60000-0x0000000005005000-memory.dmp

memory/12832-1560-0x0000000004E60000-0x0000000005005000-memory.dmp

memory/12832-1569-0x0000000004E60000-0x0000000005005000-memory.dmp

memory/4848-1494-0x0000000000F40000-0x0000000001966000-memory.dmp

memory/12832-1578-0x0000000004E60000-0x0000000005005000-memory.dmp

memory/12832-1588-0x0000000004E60000-0x0000000005005000-memory.dmp

memory/12832-1613-0x0000000004E60000-0x0000000005005000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 ca0c1ea528e16ef494ee2fd1f7c55389
SHA1 aa53f6df9ea8f329b6389125f5103a6230499ce2
SHA256 5c5057542bd05eeb094a55f67cd904f698511b7b212d19420ecd671d19a039e3
SHA512 32e5a5f56f71bb0e23bb0f165f6ae2f106bbf35c30e47baa9c59529270365d4c7126b95cbfa9994e1dafbc99307c3198f85c5c83bb7f4c90c7f0ae0138dd3d6f

memory/12832-1616-0x0000000004E60000-0x0000000005005000-memory.dmp

memory/12832-1638-0x0000000004E60000-0x0000000005005000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe

MD5 4c2cc94d53aa98fbb04e1781e34c09a7
SHA1 9ee9cdab9f460b524b3ae90f85e7e652fa12c5a4
SHA256 7e0a088d141208086662b5a193d19d107194da12fdd8f51af19578ddd021a368
SHA512 4e27ecd790572aec643f46ef6bf766a8c00aa2f7473d4c3aa0a924a5234842eefa37b66df15353001e147bdcd7e81fa1019da54e85084a3da6b83d496887ee75

memory/12832-1650-0x0000000004E60000-0x0000000005005000-memory.dmp

memory/12832-1652-0x0000000004E60000-0x0000000005005000-memory.dmp

memory/12832-1662-0x0000000004E60000-0x0000000005005000-memory.dmp

memory/3412-1663-0x0000000007690000-0x00000000076EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u9bw.1.exe

MD5 49984bd9b81450769cee966a5acc59cd
SHA1 b4d4c3d3c2b7eb4bda2bf7bc9e39dfb5c1eae4f8
SHA256 fc6f1d855a81ead7f693c3d724bfa09c86b2bdd61c451df1e7ef5241cf046202
SHA512 aef1e956d0aa6cb913661750c7e24f4f65a11570d1c6911f2bfb35896e9f725cc93815c97c80e473a87bfb61d7568fe6fce3262d0eb227f6c6e7bb50a1079cfc

memory/12832-1679-0x0000000004E60000-0x0000000005005000-memory.dmp

memory/12092-1682-0x0000000000400000-0x0000000000478000-memory.dmp

memory/12832-1690-0x0000000004E60000-0x0000000005005000-memory.dmp

memory/12832-1707-0x0000000004E60000-0x0000000005005000-memory.dmp

memory/12832-1687-0x0000000004E60000-0x0000000005005000-memory.dmp

memory/12832-1684-0x0000000004E60000-0x0000000005005000-memory.dmp

memory/12832-1665-0x0000000004E60000-0x0000000005005000-memory.dmp

memory/1740-1711-0x0000000000400000-0x0000000000592000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe

MD5 3e207c81f8f7901200a7455178c24e76
SHA1 aa4b96725959d173a2e9861babe30d37ad8a1bec
SHA256 0593fc0b8ec8778edf17a415fdc7600396e9443ea5ea8a4923d378d8c0aaaa0a
SHA512 ebc5cd5d276565c2b0abca368348f22de608293f634e20dbd4499b11513e6bbe6046c1e500db3a2d8bd829e9cc3452b350a04c52234fc8f728e23e54f44f51a6

memory/6344-1736-0x0000000140000000-0x0000000140848000-memory.dmp

memory/6344-1740-0x0000000140000000-0x0000000140848000-memory.dmp

memory/6344-1760-0x0000000140000000-0x0000000140848000-memory.dmp

memory/6344-1768-0x0000000001260000-0x0000000001280000-memory.dmp

memory/6344-1774-0x0000000140000000-0x0000000140848000-memory.dmp

memory/6344-1776-0x0000000140000000-0x0000000140848000-memory.dmp

memory/6344-1778-0x0000000140000000-0x0000000140848000-memory.dmp

memory/6344-1772-0x0000000140000000-0x0000000140848000-memory.dmp

memory/6344-1764-0x0000000140000000-0x0000000140848000-memory.dmp

memory/6344-1763-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 5ea776e43112b097b024104d6319b6dc
SHA1 abd48a2ec2163a85fc71be96914b73f3abef994c
SHA256 cf650d13eea100a691f7f8f64674189a9c13d7948e31468963e10a23726dc341
SHA512 83667045b7da8596fad90320880d8d7c83f71a1f043d73f7b68a0ad948ae2e530a753d5c7943a096a307e696f8d9fa433025b30078af6d4530d1a2f2a4b12ed2

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 3058f10b2fe431d9f8a487a35cd89ba3
SHA1 adf31cfada940e96a02305177bea754d4ee41861
SHA256 73e5d1b5c0d2134f08a76a09b913efa9076bd492e509cd0346794db436c54d30
SHA512 4f59602a4f557a9947d15a1ed13d8e1b09d0ba3660130fa7e029219b21062a3dba55f7da6db0efa9f2f5ac5053dda51ed4e183ae171789374e239c4d7609eae5

memory/6344-1744-0x0000000140000000-0x0000000140848000-memory.dmp

memory/6344-1742-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5388-1730-0x0000000000EB0000-0x000000000143E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

MD5 3f8475829b1de1004365c1dd27a51123
SHA1 e2fac202ac58b9b703652232ad5a656050f84115
SHA256 c445b30a3cb9c8eedb14bb0cf52c4842a604dc5d4bdf3cf8311974d1e6865cfc
SHA512 f932717d76c4dbe3cda5a0b7d2f99a1b8a6e5aee058019bf03af16c58f4d1bd986625b00d69d792c0a8063adf3c8c0c54344ad0e370b40d61355da4c0994a449

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b659a6dc-4797-4d89-9969-f6a278bb033b\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 b251e4776fbdc4081a020c42e2d25a90
SHA1 3a77aa6eb715bf8055f8f667dc8b6d88dc3cc4da
SHA256 4d62b2ac237c8a121efdda2c19f53107dec22e5ebd26661631ec3f7d7dd12fee
SHA512 37121b44e378801f5085eb139637b272790a0a0605dffa063ea45bfbf85857213b375b97ba08be00764a9fe5a75b2c1b41020e4a326d06bdfd0c86a9c83dbe02

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5861c2.TMP

MD5 c3e001f189c5f4aa69848e96629d720d
SHA1 3def09b53b41136d70ef11f4632c47006b5325f1
SHA256 5f78436fd9d81e62a9e8f8539da8f37abba744b7ba008674146922164f82e995
SHA512 42bb38aedd2e58cb431e3a4e5ffd9a2d246c21c187c55f4df39296951d06c757dda2d8a10c6fcf5b295f14a1bcb86e1ac461203214254aa747ebe0e69b0a05fe

memory/12832-1498-0x0000000004E60000-0x0000000005005000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe

MD5 a615f2eee64c5d7449a8792cc782b6d6
SHA1 cf1dff4fbbf172c6870c30fc3784bdbd53d49a69
SHA256 4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389
SHA512 9b0a2e7c7c4310300cb7f1f14d8b9ec11c7e5d6013b0bdf5c33af9e8f3de92be74ac95d83c0b637e6919f61cdffd8f7a9bf7c5411c23fcdf56b2a753a2830f0c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\cache2\entries\B367EE5B548D0683FAB204AE7A360BBB1364F50D

MD5 92f3520a81e5615503f55cf16bf5dac6
SHA1 e02883e2c3667db9564dfb22f9e0cc808ebd0501
SHA256 9b1de51af4ec55db9b002cfdd7d937c1ef822859f84a2bb1c0aa1ffec0162343
SHA512 0a29d6e0cfc648fc774286f028a45fd246058444d08a48068410906b5632146d4a2795a1c5a834681886645787f4dd765ebbf18008e23332f1f4c711ecb07f76

C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe

MD5 bf2a3e48b0ea897e1cb01f8e2d37a995
SHA1 4e7cd01f8126099d550e126ff1c44b9f60f79b70
SHA256 207c4f9e62528d693f096220ad365f5124918efc7994c537c956f9a79bcbadd3
SHA512 78769b0130eed100e2bb1d0794f371b0fa1286d0c644337bc2d9bbe24f6467fd89aa8acf92ac719cc3c045d57097665fe8f3f567f2d4297a7ee7968bbab58b91

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\cache2\entries\5386253589D09F6437E215B7DD9D35AC8A9667C7

MD5 ed10419c2caf31941a0a87657c91e8ae
SHA1 3db357d803a3d6389e136005d5fd27fe36891e7d
SHA256 4d4672ea96238544fbc74948dfe6f2f7d72817449f6dbc70d7c21b5cd55932b2
SHA512 3027cc389ab0a623df05d9c1c6e9abfa55cdfb0d64afc49d9aa3b75e5c83b1caa45039cdb3c028e038297032a1216bbb8c74a85d2a953c2623f2cd9a20418c05

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\cache2\entries\70F9110B15BE4CA3789C4E686EFE371A84369C0A

MD5 f8cca64a48fd89d48740b39f3e6bbb6a
SHA1 8078b38b45055d2d14f426cce2b5ccb36ef90b03
SHA256 c8edb544ce1f5efe18cb82e46f5c59cfcc17f5765e5a487b41bcb6290d8210e5
SHA512 7e3c2c8042032f2511cf5fef65dc89c5d14e833d43be5bfa457d3d8077170229868f0c3b7e72416e293da749e11049ec3098384890aacef09cbe301523e2bc54

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\cache2\entries\DFF427F3036CB4FD84301A0F4A7459DEC961B2C3

MD5 718ccbba4020bb4b11e6b84b08cb3f1b
SHA1 3a2d74e21076c2064dca2b4c455f2ae6fa7fb9a2
SHA256 abede0513e0f8e090ea06fc250bcbfe70154deec7d71a9cd5854466f5e04109c
SHA512 a8db7d0a5dd76b29204aaeccf34e56ca967b9abdae40cad665823da7ff776178570c9b24f2f7e77897df927278b0c0f2c93131c0deb181f8d1d08dc28a184044

memory/4848-921-0x0000000000F40000-0x0000000001966000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe

MD5 02515428ef6c93543dcc4cfc528acd37
SHA1 01f102981617fece98a5ada0fed4647f6a12971c
SHA256 45df693db85845b1c76dc4588868c47db54d0637db10d871b1e28efd75616b19
SHA512 dd10c48f4feb16ea9ef4bc61ca7228b516fb6ca09370ac79ed4a4dfd57842997c214dc1fa60f478727fa3f866fd8555476813df9be386f2056b99b675466528f

memory/4392-102-0x0000000007080000-0x00000000070B2000-memory.dmp

memory/4392-101-0x000000007F480000-0x000000007F490000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UA6WZR2N\microsoft.windows[1].xml

MD5 b97f6e2cc1520a2e8426851cb68f3b0f
SHA1 33a930fe90facb202ec3cd87ca0275af9dd20155
SHA256 a3546f0c8e475abc90346821be3c3d67f522161ea876c3d14247ba6d79a2b5aa
SHA512 9b3771942ffce17a52d4c0598bd0d4bb8f196c8731e5b129524b3d9507d411895e4c43d84479f06e5fb28c3403d6b0ec63b97f3a3cdb598873d17fd637abd06a

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 f35b671fda2603ec30ace10946f11a90
SHA1 059ad6b06559d4db581b1879e709f32f80850872
SHA256 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512 b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

MD5 154c3f1334dd435f562672f2664fea6b
SHA1 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841