Malware Analysis Report

2025-01-22 10:25

Sample ID 240206-bywzmaccf3
Target 7ced1bb243ed005bb0abdce463e8ce7b.bin
SHA256 83fccf0f5100107b89f67f9f692972babbda7dbc608f14377cb90122adc71764
Tags
amadey redline risepro smokeloader zgrat livetraffic backdoor evasion infostealer persistence rat spyware stealer trojan xmrig miner upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

83fccf0f5100107b89f67f9f692972babbda7dbc608f14377cb90122adc71764

Threat Level: Known bad

The file 7ced1bb243ed005bb0abdce463e8ce7b.bin was found to be: Known bad.

Malicious Activity Summary

amadey redline risepro smokeloader zgrat livetraffic backdoor evasion infostealer persistence rat spyware stealer trojan xmrig miner upx

Amadey

RedLine

RedLine payload

RisePro

SmokeLoader

xmrig

ZGRat

Detect ZGRat V1

Identifies VirtualBox via ACPI registry values (likely anti-VM)

XMRig Miner payload

Creates new service(s)

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

Checks computer location settings

Reads user/profile data of web browsers

.NET Reactor protector

Checks BIOS information in registry

UPX packed file

Loads dropped DLL

Executes dropped EXE

Identifies Wine through registry keys

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-06 01:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-06 01:33

Reported

2024-02-06 01:36

Platform

win10v2004-20231215-en

Max time kernel

11s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ec0957697ef3692607bc8a8d00bdad0ff86c129ead5fb698c035f4d6b47c69c.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\u6zs.1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\u6zs.1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\u6zs.1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\u6zs.1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
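The VirtualBox ACPI, BIOS-version, Wine and Geo\Nation rows above are the raw material for a quick per-process profile: which dropped binaries run the same anti-analysis routine. The script below is an added example in Python, not part of the sandbox report or its vendor's tooling. REPORT_ROWS is a subset of the rows copied from the tables above; the category names, the regexes that assign them, and the idea that the three VM/Wine checks together form an "anti-analysis suite" are assumptions of this example, not something the report states.

```python
"""Per-process anti-analysis profile built from sandbox registry-access rows.

Added example, not part of the report. REPORT_ROWS is a subset of the rows in the
'Identifies VirtualBox', 'Checks BIOS information', 'Checks computer location settings'
and 'Identifies Wine' tables. Category names and regexes are assumptions made here.
"""
import re
from collections import defaultdict

REPORT_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\u6zs.1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\u6zs.1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\u6zs.1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe N/A
"""

# One report row: "<action> <registry path> <process path> N/A". Registry paths may
# contain spaces ("Control Panel"); process paths in this report do not.
ROW_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\.+?)\s+(C:\\\S+)\s+N/A$")

# Assumed mapping from registry path to an evasion category (not defined by the report).
CATEGORIES = (
    ("virtualbox_acpi", re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I)),
    ("bios_version",    re.compile(r"\\(System|Video)BiosVersion$", re.I)),
    ("wine",            re.compile(r"\\Software\\Wine$", re.I)),
    ("geo_nation",      re.compile(r"\\Geo\\Nation$", re.I)),
)
# Checks that have no purpose other than detecting a VM/sandbox (assumption).
ANTI_ANALYSIS = {"virtualbox_acpi", "bios_version", "wine"}


def parse_rows(text):
    """Return (action, registry_path, process_path) for every well-formed row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def classify(registry_path):
    """First matching category name, or None for paths this example does not track."""
    for name, rx in CATEGORIES:
        if rx.search(registry_path):
            return name
    return None


def build_profiles(events):
    """Map process basename -> set of categories that process triggered."""
    profiles = defaultdict(set)
    for _action, key, proc in events:
        cat = classify(key)
        if cat:
            profiles[proc.rsplit("\\", 1)[-1]].add(cat)
    return dict(profiles)


def full_suite(profiles):
    """Processes that ran every ANTI_ANALYSIS check: same routine, very likely same code base."""
    return sorted(p for p, cats in profiles.items() if ANTI_ANALYSIS <= cats)


if __name__ == "__main__":
    prof = build_profiles(parse_rows(REPORT_ROWS))
    for proc in sorted(prof):
        print(f"{proc:14s} {', '.join(sorted(prof[proc]))}")
    print("full anti-analysis suite:", full_suite(prof))
```

Run against the rows above, explorhe.exe, explorgu.exe, amert.exe and u6zs.1.exe all show the same three VM/Wine checks, while fu.exe only reads the Geo\Nation value; the Geo check is also common in legitimate software, which is why it is kept out of ANTI_ANALYSIS.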

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amert.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000958001\\amert.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fu.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000031001\\fu.exe" C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u6zs.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u6zs.1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1436 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1436 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1436 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4172 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4172 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4172 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4172 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe
PID 4172 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe
PID 4172 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe
PID 4172 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\cmd.exe
PID 4172 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\cmd.exe
PID 4172 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4092 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4092 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4092 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4092 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4092 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4092 wrote to memory of 4848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4092 wrote to memory of 4848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4092 wrote to memory of 4848 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4848 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 4848 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 4848 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 3996 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe
PID 3996 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe
PID 3996 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe
PID 3000 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3000 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2424 wrote to memory of 5076 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 5076 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4500 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4500 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2484 wrote to memory of 4528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2484 wrote to memory of 4528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1436 wrote to memory of 3080 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1436 wrote to memory of 3080 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3536 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ec0957697ef3692607bc8a8d00bdad0ff86c129ead5fb698c035f4d6b47c69c.exe

"C:\Users\Admin\AppData\Local\Temp\5ec0957697ef3692607bc8a8d00bdad0ff86c129ead5fb698c035f4d6b47c69c.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe

"C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "explorhe.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "explorhe.exe" && timeout 1 && del "explorhe.exe" && ren cbfcbf explorhe.exe && C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe && Exit"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000030041\do.ps1"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe

"C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff813d146f8,0x7ff813d14708,0x7ff813d14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff813d146f8,0x7ff813d14708,0x7ff813d14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff813d146f8,0x7ff813d14708,0x7ff813d14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,1038411465482970126,16391825748230195815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff811b99758,0x7ff811b99768,0x7ff811b99778

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.0.522591083\233251307" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ec94acd-1f9a-495e-a0c4-60247c82077b} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 1960 1ce44bee758 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video

C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe

"C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.1.1599017872\354090361" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6902e78-e6fc-4609-9b8d-6dfe44ce0b48} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 2452 1ce44339a58 socket

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff811b99758,0x7ff811b99768,0x7ff811b99778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1900,i,9885377151648025853,9267339572781606975,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=2340,i,2758434366152481531,16399184323866473153,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3736 --field-trial-handle=2340,i,2758434366152481531,16399184323866473153,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.3.651737258\1520470896" -childID 2 -isForBrowser -prefsHandle 3460 -prefMapHandle 3364 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e41267a-6485-460f-a3d7-eaf3d5a9b2e7} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 3504 1ce37e61f58 tab

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2720 --field-trial-handle=2340,i,2758434366152481531,16399184323866473153,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2712 --field-trial-handle=2340,i,2758434366152481531,16399184323866473153,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1984 --field-trial-handle=2340,i,2758434366152481531,16399184323866473153,131072 /prefetch:8

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.2.1331204284\644257874" -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 3132 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0127fe64-bb60-492d-9311-58aab30bba5b} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 3144 1ce44b5bc58 tab

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=2340,i,2758434366152481531,16399184323866473153,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1900,i,9885377151648025853,9267339572781606975,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3976 --field-trial-handle=2340,i,2758434366152481531,16399184323866473153,131072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe

"C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,6523411799529186138,2406776430517157053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4968 --field-trial-handle=2340,i,2758434366152481531,16399184323866473153,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4812 --field-trial-handle=2340,i,2758434366152481531,16399184323866473153,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff811b99758,0x7ff811b99768,0x7ff811b99778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=1684,i,8346985176723789127,676484711623885561,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5228 --field-trial-handle=2340,i,2758434366152481531,16399184323866473153,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1684,i,8346985176723789127,676484711623885561,131072 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff813d146f8,0x7ff813d14708,0x7ff813d14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5416 --field-trial-handle=2340,i,2758434366152481531,16399184323866473153,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff811b99758,0x7ff811b99768,0x7ff811b99778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe

"C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.4.369049246\1849110370" -childID 3 -isForBrowser -prefsHandle 4776 -prefMapHandle 4692 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f06b9a7e-48d9-4d22-b67b-459be9443dbe} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 4872 1ce37e5bb58 tab

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xdc,0x104,0x7ff813d146f8,0x7ff813d14708,0x7ff813d14718

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.linkedin.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff813d146f8,0x7ff813d14708,0x7ff813d14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,7059473525394005184,16878824735945313973,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff811b99758,0x7ff811b99768,0x7ff811b99778

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.linkedin.com/login

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5116 --field-trial-handle=2340,i,2758434366152481531,16399184323866473153,131072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ff813d146f8,0x7ff813d14708,0x7ff813d14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff813d146f8,0x7ff813d14708,0x7ff813d14718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.linkedin.com/login

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.linkedin.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff813d146f8,0x7ff813d14708,0x7ff813d14718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.5.1026711800\1400198529" -childID 4 -isForBrowser -prefsHandle 5164 -prefMapHandle 5156 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2777c45-247b-4fba-9a52-b4dd081056fb} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 5168 1ce4b0fe558 tab

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff811b99758,0x7ff811b99768,0x7ff811b99778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5628 --field-trial-handle=2340,i,2758434366152481531,16399184323866473153,131072 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.6.1618158021\2040606406" -childID 5 -isForBrowser -prefsHandle 5372 -prefMapHandle 5316 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e3c4065-72da-42cc-bf7d-b3aaec365f5f} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 5364 1ce4b567258 tab

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe

"C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.7.1986545926\730108122" -childID 6 -isForBrowser -prefsHandle 5572 -prefMapHandle 5568 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5c115ff-3fc7-4ab9-beb2-620fc8385339} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 5460 1ce4b85de58 tab

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff813d146f8,0x7ff813d14708,0x7ff813d14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/login

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe

"C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.8.1353631905\649071434" -childID 7 -isForBrowser -prefsHandle 5700 -prefMapHandle 5772 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42452ed3-5835-4062-aa72-2171728e6b94} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 5688 1ce48005958 tab

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff811b99758,0x7ff811b99768,0x7ff811b99778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4116 --field-trial-handle=2340,i,2758434366152481531,16399184323866473153,131072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff813d146f8,0x7ff813d14708,0x7ff813d14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.9.715873631\583082889" -childID 8 -isForBrowser -prefsHandle 5880 -prefMapHandle 5824 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1f54f18-75f8-4b88-8e79-e3f713d99077} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 5952 1ce4bb80658 tab

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe"

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe

"C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\u6zs.0.exe

"C:\Users\Admin\AppData\Local\Temp\u6zs.0.exe"

C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\u6zs.1.exe

"C:\Users\Admin\AppData\Local\Temp\u6zs.1.exe"

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "ACULXOBT"

C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 584

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5392 -ip 5392

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ACULXOBT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe

"C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe"

C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe

"C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 8408 -ip 8408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8408 -s 1148

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5876 -ip 5876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 2020

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

Network

Country Destination           Proto Domain
RU      185.215.113.68:80     tcp   185.215.113.68
US      8.8.8.8:53            udp   133.211.185.52.in-addr.arpa
FI      109.107.182.3:80      tcp   109.107.182.3
US      8.8.8.8:53            udp   0.205.248.87.in-addr.arpa
US      8.8.8.8:53            udp   68.113.215.185.in-addr.arpa
US      8.8.8.8:53            udp   3.182.107.109.in-addr.arpa
US      8.8.8.8:53            udp   95.221.229.192.in-addr.arpa
US      8.8.8.8:53            udp   64.159.190.20.in-addr.arpa
RU      185.215.113.32:80     tcp   185.215.113.32
US      138.91.171.81:80      tcp
RU      193.233.132.167:80    tcp   193.233.132.167
US      8.8.8.8:53            udp   32.113.215.185.in-addr.arpa
GB      163.70.147.35:443     tcp
NL      142.250.27.84:443     udp
GB      163.70.147.23:443     tcp
GB      163.70.147.23:443     tcp
GB      163.70.147.23:443     tcp
GB      142.250.178.14:443    udp
US      8.8.8.8:53            udp   i.ytimg.com
US      52.167.17.97:443      tcp
GB      142.250.178.14:443    udp
US      13.107.42.14:443      tcp
GB      163.70.147.35:443     udp
US      13.107.42.14:443      tcp
US      8.8.8.8:53            udp   www.facebook.com
DE      20.79.30.95:33223     tcp
NL      142.250.27.84:443     udp
DE      185.172.128.19:80     tcp
US      8.8.8.8:53            udp   227.212.58.216.in-addr.arpa
US      8.8.8.8:53            udp   3.180.250.142.in-addr.arpa
US      8.8.8.8:53            udp   95.30.79.20.in-addr.arpa
US      8.8.8.8:53            udp   19.128.172.185.in-addr.arpa
NL      142.250.27.84:443     udp
NL      142.250.27.84:443     tcp
US      138.91.171.81:80      tcp
DE      144.76.1.85:18574     tcp
US      8.8.8.8:53            udp   i.alie3ksgaa.com
DE      185.172.128.79:80     tcp   185.172.128.79
DE      185.172.128.109:80    tcp
HK      154.92.15.189:443     tcp
FI      109.107.182.3:80      tcp
NL      45.15.156.209:40481   tcp
US      20.12.23.50:443       tcp
US      172.67.152.52:443     tcp
US      104.21.58.31:443      tcp
US      52.165.164.15:443     tcp
US      8.8.8.8:53            udp   152.16.21.104.in-addr.arpa
US      8.8.8.8:53            udp   15.164.165.52.in-addr.arpa
US      8.8.8.8:53            udp   31.58.21.104.in-addr.arpa
US      20.12.23.50:443       tcp
HK      154.92.15.189:80      tcp
US      20.12.23.50:443       tcp
NL      94.156.67.230:13781   tcp
US      8.8.8.8:53            udp   31.65.42.5.in-addr.arpa
US      8.8.8.8:53            udp   203.241.179.95.in-addr.arpa
RU      5.42.65.31:48396      tcp
US      8.8.8.8:53            udp   modestessayevenmilwek.shop
DE      185.225.200.120:15666 tcp
US      104.21.78.62:443      tcp   modestessayevenmilwek.shop
US      172.67.152.52:443     tcp
US      8.8.8.8:53            udp   62.78.21.104.in-addr.arpa
US      104.21.16.152:443     tcp
US      104.21.83.220:443     tcp
US      104.21.58.31:443      tcp
NL      94.156.67.230:13781   tcp
DE      95.179.241.203:80     tcp
RU      193.233.132.167:80    tcp   193.233.132.167
US      138.91.171.81:80      tcp
NL      94.156.67.230:13781   tcp
RU      193.233.132.167:80    tcp   193.233.132.167
RU      185.215.113.32:80     tcp
US      8.8.8.8:53            udp   19.229.111.52.in-addr.arpa
RU      185.215.113.32:80     tcp
RU      193.233.132.167:80    tcp   193.233.132.167
US      8.8.8.8:53            udp
NL      94.156.67.230:13781   tcp
US      8.8.8.8:53            udp   7e83a9af-8a1f-4417-9467-e4e90a0629e5.uuid.statstraffic.org
GB      173.222.13.40:80      tcp
GB      96.17.179.193:80      tcp
US      8.8.8.8:53            udp
NL      94.156.67.230:13781   tcp
US      8.8.8.8:53            udp
GB      142.250.178.14:443    tcp
US      8.8.8.8:53            udp
N/A     13.107.42.16:443      tcp
US      8.8.8.8:53            udp
US      8.8.8.8:53            udp
NL      142.250.27.84:443     tcp
US      13.107.42.14:443      tcp

Files

memory/1436-0-0x0000000000360000-0x0000000000768000-memory.dmp

memory/1436-1-0x0000000000360000-0x0000000000768000-memory.dmp

memory/1436-2-0x0000000000360000-0x0000000000768000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 7601feefc634544c794288cc77ddeb34
SHA1 0ef9c88cd95f2d7a8654ebd31f1f118aa329c971
SHA256 9febba000745e6efb633da91bef9cf8fff26337476f448a69724d0a41c9f85de
SHA512 04ccf071befd0c35f8eb8f4e70d48a01f733af28fa9f9b16a1aeaefb450a59daed09055faff0aa620f14c38ec4bdbe718cce4b3f34fa2f2c60ddbf01083a9a19

memory/4172-19-0x0000000000B20000-0x0000000000F28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 7ced1bb243ed005bb0abdce463e8ce7b
SHA1 5866fd17dae054b91483ff7d6cc0b6096b507fe8
SHA256 5ec0957697ef3692607bc8a8d00bdad0ff86c129ead5fb698c035f4d6b47c69c
SHA512 915794531d829e050146e1b893c826fd75fb2b2677d8dc21c38ceaa26f28c67bf5e50524e057d5c54899dba5895e979ebcdd3c4372fd797cb558d8cb9b8321e8

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 5d55464657fa1ef32579ce270054f602
SHA1 744a27f68353560f03ca4966853659431039de96
SHA256 8684f5f4e5fcb8981567eea5e62047ba032a31638328a351cc8f81c769e2ae8d
SHA512 7c1b9087e69ae8fd9eda454a3cbb3129d79d9dd625c2496623ad45d39c6fe812ca6a70edf1f7ba624f42d7223a4f68a2167bce57b7ebf1b3950e9db9fac6ec29

memory/4172-20-0x0000000000B20000-0x0000000000F28000-memory.dmp

memory/1436-16-0x0000000000360000-0x0000000000768000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe

MD5 28df16971f8111a68d668efcf1f283ae
SHA1 c4658ef871470af2eba89301c05c24d284763bac
SHA256 8172bd09f31f1cbaf4194afe4bd6ca6330562f6e8440ae3dee9e8baf01b79484
SHA512 e3f7d7efeb29bcbeb15548faf052a0813c579c1565d243e3955adad6a68bce1cab2ccaeea2a8e30989671bc0005d76a59fc60d6613dfc8f7600bad509abe6abe

C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe

MD5 e385bbbdcfb793d8f255bc029b68a4f2
SHA1 c942ac15574aa445e07a36bf2a1d05ecde678ad1
SHA256 c90aaac243c12a6130c7480450afb9f37f015ba26f460328019fd77ae4a1692f
SHA512 687837dbba2e6b7bca2c98cb819984b1e9ea1f1ed7ecf9776e70312818fe489d3379db3efc8ed78a8f00ecee69ebbcc47b2f91087dc561a75a962bc704b393e6

C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe

MD5 1962bccccd9d20f5cfd0540d8eee4f50
SHA1 ce6b383681f50a118df07e1d8a50e567b41769bf
SHA256 d4c03982ea29f20d8aee62bfe5230ac6426331858f4d45f54ed954a4bb1b7947
SHA512 7fb340cb754f63fd2954995ec3cfeea96ad11d21b9c43d15d1ca813fdfce4fa6e586b3a2fe6bfa905d2259147d44cd3282e8cccddaf0320140b2865a65ca94eb

memory/2480-39-0x0000000000660000-0x0000000000B2F000-memory.dmp

memory/2480-47-0x0000000000660000-0x0000000000B2F000-memory.dmp

memory/2480-46-0x0000000005310000-0x0000000005311000-memory.dmp

memory/2480-45-0x0000000005300000-0x0000000005301000-memory.dmp

memory/2480-44-0x0000000005360000-0x0000000005361000-memory.dmp

memory/2480-43-0x0000000005320000-0x0000000005321000-memory.dmp

memory/2480-42-0x0000000005340000-0x0000000005341000-memory.dmp

memory/2480-41-0x0000000005330000-0x0000000005331000-memory.dmp

memory/4172-57-0x0000000000B20000-0x0000000000F28000-memory.dmp

memory/2480-40-0x0000000077334000-0x0000000077336000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 e78a999c66ea4c80cb75d027c2a137aa
SHA1 e7509f01d938972c0645c277de930f94eb08faac
SHA256 ec8ff8224a7e5c0573fc5b0c3eb5c38b2d2ddc058cc7fe45917d9941cdf92d22
SHA512 f7c0fdc39150daf27de3513f105337e7163b6b19fb9f5d3df93e688a78b9bffe1cd7f3422e0d2542e83a3cd7f88804d4c264708fa22b978c7d739da271fed0c3

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\cbfcbf

MD5 ee17c20451162656de91135de8a12efa
SHA1 f4ba5c21325f6710427359cffeeb565f0ce25c7a
SHA256 4633538f5f844578d773ef70aa5a6f29a266626f1ab87844e808b6163ccffbb4
SHA512 11d12056af55d588bd6c1e3a2a773fca93a02b2953bed7d34d80c680b123e51715f9aae8c6f8496e6582d60d2812fbc57bccc85d8206d68a0aa92b0b3f7d4680

memory/4848-60-0x0000000000EA0000-0x000000000136F000-memory.dmp

memory/2480-61-0x0000000005380000-0x0000000005381000-memory.dmp

memory/2480-66-0x0000000000660000-0x0000000000B2F000-memory.dmp

memory/4848-74-0x0000000005860000-0x0000000005861000-memory.dmp

memory/4848-73-0x0000000005820000-0x0000000005821000-memory.dmp

memory/4848-72-0x0000000005810000-0x0000000005811000-memory.dmp

memory/4848-71-0x0000000005870000-0x0000000005871000-memory.dmp

memory/4848-70-0x0000000005830000-0x0000000005831000-memory.dmp

memory/4848-69-0x0000000005850000-0x0000000005851000-memory.dmp

memory/4848-68-0x0000000005840000-0x0000000005841000-memory.dmp

memory/4848-67-0x0000000000EA0000-0x000000000136F000-memory.dmp

C:\Windows\Tasks\explorgu.job

MD5 21a84cc44b22390e6dd91d87eb711c57
SHA1 6e0fb0b8ec9963a545a7d15cc4b1efb648ce6ffa
SHA256 c9fd005280651ccaf2793fe3da6a31699a743cf80a088617b789d3f13eb686df
SHA512 3d41ad4f06501a9cb0a139ffdf9ee3b72574ad08c1ffc2fa3a6884d3972c6569dfc04a5e9bed74b74796e855cb38b41076937e6b5eb7e1ab598b0b976719d583

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 505ef09226fa36a82bd46dd58342a9f4
SHA1 194556a7b370da2d3f288fd2a001171e9409d280
SHA256 ecce11e63954fc5b7f051b7ad5a1e208f050d07991b37576b19e00b49368483c
SHA512 62edf1be4f3a421f917b15875a4a76be32cf686bdf7b126b29537365d78916fa5543f81029e63bef27d36f5a84b270d42b2aba259c7f9eb045aa8a43fb994d91

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 631fb45ff3317ea2c0bc7a404809597f
SHA1 7f6a85a77cc0dce8a3252814da98aca6d3a24ea7
SHA256 da03c338156dcfea475fe52c8a3d7b879ab0ca17f63adf3fe30c8828ae9c54b7
SHA512 cd4be2ba4b0398cd4c7065929a44b6293ad07ea2aeedddaae5a3d3a8cc90b2a35f616d576ee9a6a29a9b0f3bbb63334891c56f13fa6ea6101d8a7dd69e5f6994

memory/4848-81-0x0000000000EA0000-0x000000000136F000-memory.dmp

memory/3996-82-0x0000000000530000-0x00000000009FF000-memory.dmp

memory/4848-78-0x0000000005880000-0x0000000005881000-memory.dmp

memory/4848-77-0x0000000005890000-0x0000000005891000-memory.dmp

memory/3996-84-0x0000000004F10000-0x0000000004F11000-memory.dmp

memory/3996-89-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

memory/3996-88-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

memory/3996-87-0x0000000004F40000-0x0000000004F41000-memory.dmp

memory/3996-86-0x0000000004F00000-0x0000000004F01000-memory.dmp

memory/3996-85-0x0000000004F20000-0x0000000004F21000-memory.dmp

memory/3996-83-0x0000000000530000-0x00000000009FF000-memory.dmp

memory/3996-91-0x0000000004F60000-0x0000000004F61000-memory.dmp

memory/3996-90-0x0000000004F70000-0x0000000004F71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 05e73dcacaee0d8f77d7f85d181230b9
SHA1 6844dcb33287329f5095b21c84adc0ed8c236cdb
SHA256 c90f413fbab865a724abdf2c10bd61272c630d9f4929de034a35b1d7260374ce
SHA512 c4597da2adcaae081b95cedeb26398415d04650b0c73e665550e99e6f6570ec5b606a1a376262e49c00cb9f99a3c2a3aea64077aed1346e6d279f323f7083725

memory/5064-93-0x0000000000530000-0x00000000009FF000-memory.dmp

memory/5064-95-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

memory/5064-100-0x0000000004E80000-0x0000000004E81000-memory.dmp

memory/5064-99-0x0000000004E90000-0x0000000004E91000-memory.dmp

memory/5064-98-0x0000000004E70000-0x0000000004E71000-memory.dmp

memory/5064-97-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

memory/5064-96-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

memory/5064-94-0x0000000000530000-0x00000000009FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000030041\do.ps1

MD5 d769ca0816a72bacb8b3205b4c652b4b
SHA1 4072df351635eb621feb19cc0f47f2953d761c59
SHA256 f4cc3a4606856fd811ecbcdf3fc89fa6418a1b3c8f56ca7ff5717713e8f806a2
SHA512 cf13fd667e71707d63d394391b508f5a1ee5ffa7ac27fe35906e15059e9fccc8ad61e91ce3ffd537e8daa0f6306d130997e9b448a4466407fa0c894917850b64

memory/948-110-0x0000000072E10000-0x00000000735C0000-memory.dmp

memory/948-113-0x0000000005840000-0x0000000005E68000-memory.dmp

memory/948-112-0x0000000005200000-0x0000000005210000-memory.dmp

memory/948-114-0x0000000005690000-0x00000000056B2000-memory.dmp

memory/948-116-0x0000000005EE0000-0x0000000005F46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iqbynjie.z4z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/948-126-0x0000000006100000-0x0000000006454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 695dc6d67a0645e7405bc1f04e5b57f2
SHA1 4a9e7a305bcded681948a9323eb2fd5e2634dfa0
SHA256 e13fc11cef76ee100e3e100bfb85405ba3333f2415c0582f605dad99662f28ba
SHA512 9ff62f7492bf7d901c59744c7ca55f4fb868c47451fc978fa4cdc49aa6f67b2ac8e9aaab1f94f8289463dcfe2b1e9930cbe4a5a8b631bc02a257f4d11c9d334c

memory/764-128-0x0000000000EA0000-0x000000000136F000-memory.dmp

memory/948-130-0x0000000006580000-0x00000000065CC000-memory.dmp

memory/948-129-0x0000000006540000-0x000000000655E000-memory.dmp

memory/948-115-0x0000000005730000-0x0000000005796000-memory.dmp

memory/948-111-0x0000000005200000-0x0000000005210000-memory.dmp

memory/948-109-0x0000000002C20000-0x0000000002C56000-memory.dmp

memory/5064-131-0x0000000000530000-0x00000000009FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe

MD5 561bb9fc51e5a9e1494bd249c73d0dad
SHA1 4cb478d1ed0b0f209d20745e80d565b9f9c0f644
SHA256 06a9e16f252a79e5799cf6b3a5267282e620985488dc8584d84826b1510f8cbd
SHA512 133e93f91ba4e5cdce5c1897d8befbdcbc36704813fff5bcb421ed15674b71d38bc02c5e789c24c0b909651b826bb4ae704412e1ce979aaeb9e17232c4966059

C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe

MD5 f005006055c95f166bfe932b259c94c3
SHA1 af0a831cd7b5689344a799f84d5784567a1d07d8
SHA256 04404d6c3490d3f3b54c3f3ec303e97874f0f451c3288faa79797747786827fa
SHA512 62c297c6d0158750a2a8610edf893ed77c99f0ecedb79db0d5d485eebc4e5ec346b331676d7304591b4a708736ca3310d5c5ece79d530f240a4d27027d5f169e

C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe

MD5 fdd3df7f096b785f22f290b9d86ce8fa
SHA1 d4529ff693646025479366c29b6e1a8af61c0a80
SHA256 da41933c2b4c3b237c994c112381cea392f27fb24387f9ddef7922b3c19baf37
SHA512 532cbaa4a0e0cc5fc02a51ac781cf3ddf5aa02623cbc9621a994d5d3fbdf99459d03977aad4c109e5954a5802ecf53624e1ec3206167df8f93b60025e3ab436c

memory/764-154-0x0000000000EA0000-0x000000000136F000-memory.dmp

memory/948-158-0x0000000006AC0000-0x0000000006AE2000-memory.dmp

memory/764-157-0x0000000005720000-0x0000000005721000-memory.dmp

memory/764-162-0x0000000005750000-0x0000000005751000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0bd5c93de6441cd85df33f5858ead08c
SHA1 c9e9a6c225ae958d5725537fac596b4d89ccb621
SHA256 6e881c02306f0b1f4d926f77b32c57d4ba98db35a573562a017ae9e357fcb2d2
SHA512 19073981f96ba488d87665cfa7ffc126b1b577865f36a53233f15d2773eabe5200a2a64874a3b180913ef95efdece3954169bdcb4232ee793670b100109f6ae2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d6e17218d9a99976d1a14c6f6944c96
SHA1 9e54a19d6c61d99ac8759c5f07b2f0d5faab447f
SHA256 32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93
SHA512 3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

memory/764-160-0x0000000005700000-0x0000000005701000-memory.dmp

memory/948-156-0x0000000006A70000-0x0000000006A8A000-memory.dmp

\??\pipe\LOCAL\crashpad_2424_FWEJNMGJODNCDANU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe

MD5 5d10830fe2ddb95ee3bb047dada1821c
SHA1 02cda0ed8e5c8afa16bd6d0cb6b23684741332e0
SHA256 4ed5337b14417f3cfefb318999146451c59c302d20b95a10fe597f12a6851678
SHA512 529f1438080ac943981475d293660d4651323a0af081061de279f2dfc93f38f1e5558cf037d4f448960f3724cfea8e7c99b73e6da01de352b9c5b59a382caa0e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 bc16ebe41a9fc2938c4060992a92b0af
SHA1 1719af3e339b187d984a76437eb80cae5dc50e6f
SHA256 5874dbe9583546eb24cfb2b237d58f97ef186cd72866dd224df82e62817744ae
SHA512 c78d4be86a3f35ae07375b37fd39f869d317a6ec6699d7673731e6f9b255d7bcbfacf58ca71c3f51baac1e2b2bbee7da58603efa5bd51a31162c481aab7a912c

C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe

MD5 f95d69b2f2144f948bf42daade0ea12e
SHA1 f62b22a395515498baefbd3a3620418e0427886b
SHA256 0ed2d983d93fc80a3774edaf2e1ee63c430f8e916cca3ade9bc28e876758cf8e
SHA512 3a0340ebfb8e1563f32b29b9627edb73118936da1f2f00bd41b73a59e175b0c0a557104382c0856ee088622f2861aa59a54ac3e5c2f3b8603f39aa23c83092ea

C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe

MD5 6fa8da75d989b56727453cf460e77c46
SHA1 30586ee72af0f62244cdb463b50f69163179e95e
SHA256 0ac26a42010ecdc55a94c1ab54fe6d38159b9dd2a139b1304c514be20c7c0abd
SHA512 d65eed44a18697d31adfd12b57c40997c0c52b3a19b5decc0b44d2c89d2b1d3ee252a947052f3d011a9c9f653000b9b576093c59d84901bf34c305617afc46c1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3b4d526418b5b75124d106cb30a267e0
SHA1 126b56a63cbfe4e87c0ea9534ec61f829765174a
SHA256 d0a750a383c0f5672f4dddbe91ff5d919f07867f93024245400c154af78768c4
SHA512 00f805718f9c2f9029fd58c2f8795dddaf0163b14a7667df4ed84340baab12a0b6ed3ffa3051744738f501c4edb85552f93603012c65ed92395884e13848b7b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ef465290a2c0e5ecddae315fd858ffd8
SHA1 2ecba805cabb3eaec623e503989c1d858e9362e1
SHA256 50276f1c381fa3465a47cef172eb77ff098b413dd6d0ce54c0b0f15f67afa4e5
SHA512 cf5b7293bb9c90b2ca57b6eaac7b9f2cfca230041723e1ebfda96c61ace1929e910cbaadcec73467c80e7706188ee2e86374cad2ef8c93fe05ac16f28b6fa763

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

MD5 f732dbed9289177d15e236d0f8f2ddd3
SHA1 53f822af51b014bc3d4b575865d9c3ef0e4debde
SHA256 2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93
SHA512 b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 66db3b3b098fa9e518af9cc10c1d884c
SHA1 94418d0d1dbb3768c70f8c556c09caf499c03ba3
SHA256 713469a881da2206d9876c9423cfdcc69cfb25c04f422068f18c2e23d8dd9d65
SHA512 97cc997182d5a2e87de78390d797a86d429c75135fd22f9808e58c74e38f8cb748b6834dec7bc8fdd740ab0ee3a0d7210c18952c87485b0d9b3249687f1e455a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 3e814cddc4c436d5cb8fef8ab6f823f5
SHA1 3743f6b82240ba36f41ea3bc1b46f2bf5565bf5f
SHA256 4bac334c77c1ebea7f075ced5ec0c46cd88b33206d3c66c59d7af60a8412811d
SHA512 9e2f65227fb33111b7cf5cb63b8bf730eb69abede26f58c4d4dcf055bca20151fb25c1d0fe0fffca979c28f380b6d0d3f927ca5f0013f2594f2cb625bb3022a7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

MD5 bc6142469cd7dadf107be9ad87ea4753
SHA1 72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c
SHA256 b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557
SHA512 47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe

MD5 f5c09daa74fe797208cb22477afd4d46
SHA1 36f453453dd89d58b9217c602e9e9b3c74ff937c
SHA256 918d9f8f642de802278f7e1fde19239430d48173581426708af4219f14f90fc8
SHA512 4bd80bffc88ff6d256a638c8333b5d687ae31229ae7d514c03c3c899cc29098daa570148682b3b20e2aaf2f3b8be4ce3c2fb6cfb55d837dc920d3ded8b1a4681

C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe

MD5 19086035cfd0ee455bbb7b1888dfc57f
SHA1 5585249b0eb114075b0e783d922bda61cd12023d
SHA256 03eb9ff8bc35019837a5aae5cfe8a1b5728fd83d02f64eae5f86059cff5de7f7
SHA512 451cbb62d8af110d35d326ad9badcc55c97f24d1d20cd900aeb32f0679d1b576df10a18ea161249218d49427dcb007591e4be4d359ea1d8a2c1027a2eeeb15ba

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 0228409e8d7549ef6fde64078d8014dd
SHA1 3297f7a330a046ca70a088659fbc8bdf6064c35c
SHA256 194c9ab812f27f714299322818bc6f953573e528b52b9bcb0d5c1248c94cbe6a
SHA512 bdd379332addd36fa14b678bd76fd516d69bb1d3c7269e717d6c5e6d107d4e730d85bc46da4195da9571a1f0a5414dcdd68b42b5dabb848fe5a51e550bed67c1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 90b93981c63ca6de9efc648fc481ba46
SHA1 ba00a710bc6f8b0335ad318b3f57ec3950dd4647
SHA256 b6129189d39b662f3cbf862118786338ad2acd2047ad2e77ab461c2cd080c012
SHA512 493b6a8069c4b2a75fb8e0e9ec323a6c6bd74411ca2b4d8e9263815c71d26925af9d314e3ea1ed24cf0df6a4c05690f9bd8deafb1759cc2def082290c09e326e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\db\data.safe.bin

MD5 557a542cf9ddf3a3b38aafa5fb2569cd
SHA1 79fa5d7fccca11ab2c623245949fcc0ca6f100c1
SHA256 77bf90c51697bc3872bac2ec54f1c0e54e7f3496689d61e52738bffc92bf95df
SHA512 f35a18dcb8b0d47a605f2bad10a91826837ab5bee49a8f436db8b0a6fe9cce4c65155951736b469319e202090d2b089a1ed497ddc6192ffa541d91e06e3266a2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\pending_pings\99f58a2e-2d4b-4318-95ba-1314f516e107

MD5 2b80cdc5770fadacfbd4e8857997faf9
SHA1 0e29cb6d97227ff22f21938752d6f299586f9a5f
SHA256 e440991e07941d2a92ef17d8c3d32ad58be5df573f04e5449a673b3093ea6e6d
SHA512 033e6bcdbddc9ed0a038d4f646bf19d8d63c84fb38d66ba59707ef0557831c95ed3806052fa969c20fe46679e2f48397cdca30ce59848b5c4e3094aff0110ce4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

MD5 8549c255650427d618ef18b14dfd2b56
SHA1 8272585186777b344db3960df62b00f570d247f6
SHA256 40395d9ca4b65d48deac792844a77d4f8051f1cef30df561dacfeeed3c3bae13
SHA512 e5bb8a0ad338372635c3629e306604e3dc5a5c26fb5547a3dd7e404e5261630612c07326e7ebf5b47abafade8e555965a1a59a1eecfc496dcdd5003048898a8c

C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe

MD5 90a5919041dc84274e341fe5abf0532d
SHA1 5332d598fc82bc538e091baeafa0c33a77eb6be8
SHA256 bf0d63ed2a88e9fd6714f4440d40a7f22ecc7ece409df19af5425988ef9cd4bf
SHA512 3c65022175f0ebdc1e016b4d850befabc5de7766ab103bb3854a1a8b93a5f99f5d6909cf3b21557bf73bcb093ff5c51e77d0b4982a81e5650e0acc7be68da635

memory/3996-516-0x0000000000530000-0x00000000009FF000-memory.dmp

memory/764-155-0x0000000005710000-0x0000000005711000-memory.dmp

memory/948-153-0x0000000007730000-0x00000000077C6000-memory.dmp

memory/3996-152-0x0000000000530000-0x00000000009FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe

MD5 4a1148611fdc335601447fa9abbb867a
SHA1 6b22f1867befed124662d3b9707022f56d371e04
SHA256 40aec5bc226f1083a2250800987db2c8bca5655dcf11db0a95e0c395221c5404
SHA512 d3610d095fbcd3b8f0a250e2fd985c8c253555434d624c7b77ff968b7ac98db3d4a9543e62b4a32b9862817587522de49552806109dd139a0da64b8472e361a5

memory/9956-591-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1e6cf131c43b6bcf9630814ea2c510fe
SHA1 d988668ccec30258c81886d0e579794f538d4394
SHA256 fdbffa21b325a9e3af2d1561001a0362319c29f2828dde9c8fb4591e67a62f4e
SHA512 fde77d8b6158cc3143fd89d4f5836f2455642866f059ae823f36eb63aa036c68258d869d50f2ad4c961a8671a5dbae31ee0fa9653bad4f2940915332271e53fc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\sessionstore-backups\recovery.jsonlz4

MD5 2dbc966588e70e21f00f96749e330f9b
SHA1 bfc77e7f87c521132d0ec1f2dec60a3ef1c21d2f
SHA256 7de512cc3492efd519dd7c11095414454c4c93291a89942e898ba4c80738becc
SHA512 403cfd68c8a0e1f39448b124f4de452acb5af354b7d25288b2854e42474edd787c72d9fbc5ae38da65160b618f7f4fcc1d0d0c59c876b29dd536fe5456b32f77

C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe

MD5 34ea8aa6f5dbba51dc6ff0fe4849b664
SHA1 ecc262b6059c87244c64097bbab99eb83f2bdf68
SHA256 bcb04063557894cf25059b3ab32d4daad852ba3e20d75f4a39d915ebd83b06d5
SHA512 96a08b847a1883e2c3c386ff34c1fb461008676a2ac212a8131e2e3fde9b56050c7c2dbdc2c1f0996ef58cbcf63da2d293735ece8afd7ccd11d55d2361925d80

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\sessionstore-backups\recovery.jsonlz4

MD5 90fdde078ad99c8ccdb2743fa720442f
SHA1 a64f788d860bb22632c0f724bff0e6069f05f7e2
SHA256 707875438614eec9e35614e3fe79995c82821cf5668bac35c4bfba6a534be7a2
SHA512 f050958dab5fa3012107680e1d925247ef7db1f1245a1bb0624751b48c6d3f7f8e2dd83c2d93a2562aac5294a6fe01b194db3bf65c687a62c1a2b698b949eff3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 02a77c93001e41241399d1ed9965ae93
SHA1 7eaa51c7e6e2f8c40805ea4c7a3dace13f5d58a9
SHA256 45abada96ab16d84b1c166bf22d9950f08b9288469a1ed100583e068cee491b8
SHA512 108254e8604dd4cbd7e2bf28eddcd9aee52aed63d07539eed07ce1f1fb1e754e6f8000e106d182e690ff2c80f0b84e44d85d20726e0328fdda52ad87199437a7

memory/9648-693-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 64c606b6684c6026cfbcafb2d3959dd0
SHA1 434c5299843831f42268b6d5fcc3b7b096944267
SHA256 8eb2b5605f849ae81b34ab90464dfd888427df29b56a511201d63619c7186dca
SHA512 53a629017e52b731e541b595d29a07d79e4c329c07b3ffdde04bfdb060470f408106adbe98836384bf423c34d579d54ced12bd10b25e9a1a7e73def4d1270200

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5819cf47e522719f1f3a4d2d0cf4434e
SHA1 25b8b1bea3570f4ad4556031155f9c0c77ade099
SHA256 a3e7a7a531322df83e63e7477b54ee8d80a9161555a20db2654f21f9cc1185a7
SHA512 4762cd9e3f6ad2a1e7ea011d99fa486b2bdc66d22407585022d3e9f03ae40ea8f18387c3feafd0c84a7159dd074d9023a2bfd719b12e017eb517b135fd328817

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 c2ef1d773c3f6f230cedf469f7e34059
SHA1 e410764405adcfead3338c8d0b29371fd1a3f292
SHA256 185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521
SHA512 2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

memory/6712-747-0x0000000000BB0000-0x000000000113E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe

MD5 73ec935b01879ed09e99c74751bb132e
SHA1 db1cee88c1657c21fbde7beef300c72dedb373f2
SHA256 7cd702ffc60c728fb46e272c7ba9d35e9c0cc917a3f9641faf69874926eb61fa
SHA512 6a22f6fd3e294ee1441d8a467f60bc2a97a0dd3b5f55f054a7b5d1df2c1d2d4eff2064d592514e41e05f2f53d2fcfb77b1bbab808797a78dea6fe6bd86333a89

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs.js

MD5 5baef839ad863ecfecc6d8cca8125643
SHA1 a5ffdd22c0ee2d0251ae922aac823b7464ed783d
SHA256 b19f7909d6a723d6212e7051a3dd1242184063031117900b3f0d1be06391f2df
SHA512 8a144dcdb494a4358128382f35b3d4403b7d1d6bfeeb9b553de932b1a121c5b1f119ea050d5b4662edf263d837ab1f9d587a2844fba73ab764954fd98e71bd32

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 13e1355d7a2e4433db473fe728cc928f
SHA1 cd7a801654dc13b8e3f73ad18c4f190532c8b8da
SHA256 26b7075d8114525fe6fb4f15e0a5a50ba0417f3297adfdf5e8cf53237a569a98
SHA512 3aab0cc9b7e928014e0dbdd72b9048390fd470519e931c2ac7730bddebff67a580052f6ed7a37272c3b06722cff3c71edef770c727e6d96d56ef66f5da2f094d

C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

MD5 c952f93c8c8f825093f1696918f2b880
SHA1 bd4ce37676dbdaec14f2f62e0e772868b6127583
SHA256 8db5ab83c129cf0e6eda8aaafd9affc48cc961871139a9524145a4d77bf9705d
SHA512 ee8ef5d7935c35bb112c255e6e7a258b276feb594a162b003918a9ca596302be13616d1cacdc73691ca868e6bba2f144f386e855cd19c7770b126f35c095ab3e

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 18c90c32b65fcf0be2c29f5c74399c60
SHA1 7db694f61f9655cd1926312a9263cc86cceecc7c
SHA256 2af342c0eba6729528e71f57feac146fe9505e5d3100fa0d6dee0557ad36fd02
SHA512 1eadd18974d46c382901427a44f1d4b5df57a3031ac00ec75a9c8e230217c345c64f7e415ed8a67c710355969dfcd0db1e11d383cc2c949c1c9c2db61f49f1e4

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 5bf7e4d63d0d5484c34cfc3b69d64160
SHA1 bd6795a77b99c75dac8b48c10e70dbd3dad577a7
SHA256 8d9de383e87838472c5b9a308401aa9248b5b0c6de6e13c87e6941e37f035087
SHA512 823a02d5ab187d70db898cb3c9efccf559dd1810dcf41e73c321a8f03f370fa5d1e04243af7adde9fe98149a335dabf03609d8f90e2b19a64c67f8513779bea2

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 c77c9596b5fb64e03ab6d05488912e5e
SHA1 78b4bc03aebf37f34da73ecad0edb4f804c2ae57
SHA256 7e820572df291b20f0564bc8344fa8b13ff6132467386980642a487ca149ecf8
SHA512 8c575d1c149d125adf4c07fd96fd8ed186b9483f720fec5f891a8afe9aab1cd7fbc5d1adbcdfa1bbfc64c51c7f8c57b21330e8f6cf14d7b7e748da16afb24079

C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe

MD5 982aa1688e29cedfd2432ed2bd74f0f6
SHA1 b8d3321323114c5248565b5a7648cb93c9e11efd
SHA256 99ebc7010d74b3c98908f83a81a9bf31c99597437d74b44056fc5eabde14caa2
SHA512 3c00cb894f9bd02e59f001eeb98bf61bf4e11910d9e74ad4df83b43a98fbe9b2ba3d9cea389a473c824e7769b46798ca8008909251e7ac8620584ca484ea4de8

memory/3996-881-0x0000000000530000-0x00000000009FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

C:\Users\Admin\AppData\Local\Temp\u6zs.0.exe

MD5 391a2ee96a473578a0545576bf1562c6
SHA1 b1f0cd53e00c191f5d403c33674b9a6be47dc7d4
SHA256 6137a024d3889b6ddab004279321339ad8f070aac94126c19851f80c9ea55290
SHA512 618be4fb77fee054087181cb388f88aec7c48e42b4c914a3fc3354406810154aed306c3ca54ae7c28bf38d616cd7c5577f501f5a61e41cefb3214caa3f6451b0

C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe

MD5 156ea0c2f89a242d9611843d2eccd725
SHA1 40e37fe89ddcb145c0e5a181711c082cdd0da2a5
SHA256 8f0f32b4d597772e99d506ec15a563871b80e342a0cf298ce2e4589b59de44dd
SHA512 d38703a2991c17ca5ba92506e29e82019bf644984728dbd06586adfb6b06f1eed11892111c1da95d5b19697e302a16559ea7f882bdac2dbc5f1bb64991c528a2

memory/9908-956-0x00000000007A0000-0x0000000000C80000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 958359a271a65976ffdad1c8d0fb3bf3
SHA1 7ae758ac9f0cc2a79297f51217f7687c39edd01e
SHA256 3b030a4a1924e630409e6f153006f321f903b9d41e05caab3d4246865fbf0f42
SHA512 46e1b7349531b4addb4a189705ee0544d55556a20cfb55460b3f45922d77629c17c83ffbfc30556693bae84a0e2cd834f84f9bed30f3445458b7026ddc50674e

C:\Users\Admin\AppData\Local\Temp\u6zs.1.exe

MD5 da4e28b8c81f61f5f9b0a5a72879a89f
SHA1 c76a3dc54ecae665ff674f620f420789d021e9a6
SHA256 94df8194ceeefcfc68264b2895251eed009cec290c8a24ef9a50c52e65208566
SHA512 fa22e455a8d2b176d68a144e6871e4d3b69ff3b96c2a7f5343d5093fd89d456fee24e8ad1160c3883248c2961652e03cccfa123bbdc1a7d425130e6a59073885

memory/9064-1000-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe

MD5 354b58dc470de58630bc6fbeb4c971e3
SHA1 ae5d1216033ab1b8534fabb241d0147aeebdb8d9
SHA256 b03023db1b8b80154effdcaf22665a530d1e266558b400cab03b1843e52f4ee6
SHA512 1386854166aafb84881b7a62ea20c22d4bd02f67536be897bd248218125193f993303a9b35be0bd350ae34c4a2a321ef6e6b93f80d250c654a671d78e1db997c

memory/5876-1026-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/5392-1042-0x0000000000400000-0x000000000048A000-memory.dmp

memory/5392-1050-0x0000000000400000-0x000000000048A000-memory.dmp

memory/3496-1073-0x0000000002D80000-0x0000000002D96000-memory.dmp

memory/5028-1087-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe

MD5 828e886e326dc9d60c6f7f854033b6b8
SHA1 f3558b441ea4ed58b498880daaef534188b53f2e
SHA256 b656ddd87f76910df149e32a532f00bdad18d8317f25c765e5a2c0374e58f9ea
SHA512 712f31ccc7643c61472f45b787dc17f715e803177bbb0b1371b359c3809694f4e74e2206bd2d3144ca1a355411f3848ff1cf44ec6a00d1556dee42e98674d360

memory/6712-1119-0x0000000000BB0000-0x000000000113E000-memory.dmp

memory/4284-1131-0x0000000005730000-0x00000000058D5000-memory.dmp

memory/4284-1123-0x0000000005730000-0x00000000058D5000-memory.dmp

memory/4284-1133-0x0000000005730000-0x00000000058D5000-memory.dmp

memory/4284-1139-0x0000000005730000-0x00000000058D5000-memory.dmp

memory/4284-1137-0x0000000005730000-0x00000000058D5000-memory.dmp

memory/4284-1141-0x0000000005730000-0x00000000058D5000-memory.dmp

memory/4284-1143-0x0000000005730000-0x00000000058D5000-memory.dmp

memory/4284-1145-0x0000000005730000-0x00000000058D5000-memory.dmp

memory/4284-1149-0x0000000005730000-0x00000000058D5000-memory.dmp

memory/4284-1153-0x0000000005730000-0x00000000058D5000-memory.dmp

memory/4284-1151-0x0000000005730000-0x00000000058D5000-memory.dmp

memory/4284-1147-0x0000000005730000-0x00000000058D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe

MD5 8b6b30a99dc327b2f05f43a5d4239802
SHA1 7e1d83b9ea47dc81d6f4e1878bd56ccd0d872c06
SHA256 0cddbf55262af00c56c7c383c9614a49ae7d6955c796ee96e7edaf389c67f2c5
SHA512 165e9aa7b0c597dcdc1863957da0ee2ab94e584a0705d8e953f487cfec15d49b0fca731437773e654c69d0a67f719617223de3644bf219a3fe360668b821c74d

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 066ca30d992d63f415a12672592f2fbb
SHA1 2c283bc9b28f192b43f0df7bb9c05ee2d4c731ce
SHA256 da00c564f5d5b72e8e86c352694607fb4e772a358486ab921c80d0fa83578bab
SHA512 dffc36b69ca2a5af767e034164d2542296703b9d9d125957b50250e957cac907dd66cd06558b2822bbdf2c544076cb36b82580cf9e2123f50af49ad552cb3ff7

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 5ea776e43112b097b024104d6319b6dc
SHA1 abd48a2ec2163a85fc71be96914b73f3abef994c
SHA256 cf650d13eea100a691f7f8f64674189a9c13d7948e31468963e10a23726dc341
SHA512 83667045b7da8596fad90320880d8d7c83f71a1f043d73f7b68a0ad948ae2e530a753d5c7943a096a307e696f8d9fa433025b30078af6d4530d1a2f2a4b12ed2

C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe

MD5 87579f13b80cc00af83b1555dc3aeaf5
SHA1 e046e0e3c2791baee896ec8a3b443067cb227928
SHA256 b83e794befa6f462e4936a1bc8a2b9fd073e5bf03d82d3379720faf33730cc35
SHA512 77d4ee856e397fea20b20a5982d88b2739d7184a923f977882e5f236b6b67767a5c25ce3118072471c5f8a25f4dbc0f39d3d68dc8f69de6cbd5dc5967e21845f

C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe

MD5 716ee37fc543de9617179d1a8313642a
SHA1 762f61d59ac5164bccc7e7cb3d6c6f0069be5538
SHA256 5cc56099110950178bbfc060bc949cf9dd857e2cc98f0eabd23482f14c0de07d
SHA512 a4cda86bc425ea05660dc57a26ac034baadb9d09fd83c040db11bf918949eac380998566110f2e4c9e4253c58e89a701b0a04521c49dee6ba49c397b8cfd2004

C:\ProgramData\mozglue.dll

MD5 ef919390985840323767278f54d55b62
SHA1 5675230a87a23b2e6f0ec08d16eee200ed308994
SHA256 a4f619a784b903541cdc5d73ff471d73ac44201805d41ae02b6e81c22726b26d
SHA512 1c1d2c1fd1b84e74ab875c23c20fe9260f53218ef3f1190419bc3418201f5d503bf546b89a4158fc77a63e97735670b63f0628bad6aa0e5070ede2d49277a5f4

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 f35b671fda2603ec30ace10946f11a90
SHA1 059ad6b06559d4db581b1879e709f32f80850872
SHA256 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512 b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

MD5 154c3f1334dd435f562672f2664fea6b
SHA1 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
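
The listing above mixes three kinds of record in one plain-text format: a path followed by MD5/SHA1/SHA256/SHA512 lines, the same path repeated with different digests when the file was rewritten during detonation (Temp\1000050001\Amadey.exe and the Chrome "Local State" file both appear more than once), and bare memory/<pid>-... dump names with no hashes. The parser below is an added example, not part of the sandbox report; it validates digest lengths, separates dropped executables and DLLs from browser-profile artifacts (which the stealer reads rather than drops), and surfaces paths that carry more than one distinct SHA256. The classification regexes are assumptions chosen to fit the directory names seen on this page (Temp\<10 digits>\*.exe, Roaming\<14 hex chars>\*.dll); the SAMPLE text is constructed by copying five records from the listing.

```python
"""Turn the report's Files listing into structured IOCs (added example)."""
import re
from collections import defaultdict

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
# Classification heuristics are assumptions fitted to the paths in this listing.
PAYLOAD_RE = re.compile(r"\\Temp\\\d{10}\\[^\\]+\.exe$", re.I)          # Temp\1000050001\Amadey.exe
PLUGIN_RE = re.compile(r"\\Roaming\\[0-9a-f]{14}\\[^\\]+\.dll$", re.I)  # Roaming\006700e5a2ab05\cred64.dll
BROWSER_RE = re.compile(r"\\(Google\\Chrome|Microsoft\\Edge|Mozilla\\Firefox)\\", re.I)

# Constructed sample: five records copied from the Files listing above.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe

MD5 f5c09daa74fe797208cb22477afd4d46
SHA1 36f453453dd89d58b9217c602e9e9b3c74ff937c
SHA256 918d9f8f642de802278f7e1fde19239430d48173581426708af4219f14f90fc8
SHA512 4bd80bffc88ff6d256a638c8333b5d687ae31229ae7d514c03c3c899cc29098daa570148682b3b20e2aaf2f3b8be4ce3c2fb6cfb55d837dc920d3ded8b1a4681

C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe

MD5 19086035cfd0ee455bbb7b1888dfc57f
SHA1 5585249b0eb114075b0e783d922bda61cd12023d
SHA256 03eb9ff8bc35019837a5aae5cfe8a1b5728fd83d02f64eae5f86059cff5de7f7
SHA512 451cbb62d8af110d35d326ad9badcc55c97f24d1d20cd900aeb32f0679d1b576df10a18ea161249218d49427dcb007591e4be4d359ea1d8a2c1027a2eeeb15ba

memory/3996-516-0x0000000000530000-0x00000000009FF000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1e6cf131c43b6bcf9630814ea2c510fe
SHA1 d988668ccec30258c81886d0e579794f538d4394
SHA256 fdbffa21b325a9e3af2d1561001a0362319c29f2828dde9c8fb4591e67a62f4e
SHA512 fde77d8b6158cc3143fd89d4f5836f2455642866f059ae823f36eb63aa036c68258d869d50f2ad4c961a8671a5dbae31ee0fa9653bad4f2940915332271e53fc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 0228409e8d7549ef6fde64078d8014dd
SHA1 3297f7a330a046ca70a088659fbc8bdf6064c35c
SHA256 194c9ab812f27f714299322818bc6f953573e528b52b9bcb0d5c1248c94cbe6a
SHA512 bdd379332addd36fa14b678bd76fd516d69bb1d3c7269e717d6c5e6d107d4e730d85bc46da4195da9571a1f0a5414dcdd68b42b5dabb848fe5a51e550bed67c1
"""


def classify(path):
    """Bucket a path by where it sits; order matters (plugin dir before generic)."""
    if PLUGIN_RE.search(path):
        return "dropped-dll"
    if PAYLOAD_RE.search(path):
        return "dropped-exe"
    if BROWSER_RE.search(path):
        return "browser-artifact"
    return "other"


def parse_files(text):
    """Parse path/hash records and memory-dump names into a list of dicts."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:  # memory region: pid plus mapped size, no digests
            pid, start, end = m.groups()
            entries.append({"kind": "memory", "path": line, "pid": int(pid),
                            "size": int(end, 16) - int(start, 16), "hashes": {}})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:  # catch truncated/garbled digests
                raise ValueError(f"{algo} digest has wrong length for {current['path']}")
            current["hashes"][algo] = digest
            continue
        current = {"kind": classify(line), "path": line, "hashes": {}}
        entries.append(current)
    return entries


def rewritten_paths(entries):
    """Paths seen with more than one SHA256: the file changed during the run."""
    seen = defaultdict(set)
    for e in entries:
        if "SHA256" in e["hashes"]:
            seen[e["path"]].add(e["hashes"]["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def sha256_iocs(entries, kinds=("dropped-exe", "dropped-dll")):
    """Deduplicated SHA256 list of the malware-written files, the part worth blocking."""
    return sorted({e["hashes"]["SHA256"] for e in entries
                   if e["kind"] in kinds and "SHA256" in e["hashes"]})


if __name__ == "__main__":
    ents = parse_files(SAMPLE)
    print("block-list:", *sha256_iocs(ents), sep="\n  ")
    print("rewritten:", rewritten_paths(ents))
```

Browser-profile entries (Local State, Preferences, prefs.js, recovery.jsonlz4) are kept but excluded from the block-list by default: their hashes belong to the victim's own data, not to the malware, and would only generate noise in a detection feed.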

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 01:33

Reported

2024-02-06 01:36

Platform

win7-20231215-en

Max time kernel

2s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ec0957697ef3692607bc8a8d00bdad0ff86c129ead5fb698c035f4d6b47c69c.exe"

Signatures

Amadey

trojan amadey

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ec0957697ef3692607bc8a8d00bdad0ff86c129ead5fb698c035f4d6b47c69c.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ec0957697ef3692607bc8a8d00bdad0ff86c129ead5fb698c035f4d6b47c69c.exe N/A
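
The signatures above (scheduled task creation, timeout.exe delay, taskkill, rundll32 of a dropped DLL) each fire on one command line from the Processes section below: a schtasks task that re-launches explorhe.exe from Temp every minute, a cmd.exe /k chain of taskkill, timeout, del and ren that swaps in a new copy of the same binary, rundll32 calling the Main export of cred64.dll under Roaming, netsh wlan show profiles, and powershell -executionpolicy remotesigned -File running do.ps1 from Temp. The detection code below is an added example, not part of the report and not the sandbox's signature engine: it runs five rules over process-creation events shaped as (image, command line). The SAMPLE_EVENTS are constructed from command lines on this page plus one constructed benign scheduled task and one Chrome launch as controls; the USER_WRITABLE directory list and the rule thresholds are this example's assumptions.

```python
"""Command-line detections for the Amadey-style behaviour in this report (added example)."""
import re

# Directories a standard user can write to: a task target, DLL or script here
# deserves far more suspicion than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|ProgramData|Users\\Public)\\", re.I)

# Constructed sample: (image, command line) pairs copied from the Processes
# section of this page, plus two constructed benign controls at the end.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "explorhe.exe" && timeout 1 && del "explorhe.exe" && ren cbfcbf explorhe.exe && C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe && Exit"'),
    (r"C:\Windows\system32\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main'),
    (r"C:\Windows\system32\netsh.exe", r"netsh wlan show profiles"),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000030041\do.ps1"'),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com'),
    (r"C:\Windows\System32\schtasks.exe",  # constructed benign control
     r'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"'),
]


def rule_schtasks_minute_userdir(image, cmd):
    """Persistence: a task firing every minute at a binary in a user-writable dir."""
    if not image.lower().endswith("schtasks.exe"):
        return None
    tr = re.search(r'/TR\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    target = (tr.group(1) or tr.group(2)) if tr else ""
    if re.search(r"/SC\s+MINUTE", cmd, re.I) and USER_WRITABLE.search(target):
        return f"minute-interval task runs {target}"
    return None


def rule_kill_delete_rename_chain(image, cmd):
    """Self-replacement: taskkill, timeout, del and ren in that order on one cmd line."""
    if not image.lower().endswith("cmd.exe"):
        return None
    low = cmd.lower()
    order = [low.find(tok) for tok in ("taskkill", "timeout", "del ", "ren ")]
    if min(order) >= 0 and order == sorted(order):
        return "taskkill -> timeout -> del -> ren chain"
    return None


def rule_rundll32_userdir_export(image, cmd):
    """rundll32 invoking a named export of a DLL that lives under the user profile."""
    if not image.lower().endswith("rundll32.exe"):
        return None
    m = re.search(r'rundll32\.exe"?\s+"?([^",]+?\.dll)"?\s*,\s*(\w+)', cmd, re.I)
    if m and USER_WRITABLE.search(m.group(1)):
        return f"{m.group(1)} export {m.group(2)}"
    return None


def rule_netsh_wlan_profiles(image, cmd):
    """Discovery: enumerating saved Wi-Fi profiles."""
    if image.lower().endswith("netsh.exe") and re.search(r"wlan\s+show\s+profiles", cmd, re.I):
        return "wlan profile enumeration"
    return None


def rule_powershell_script_userdir(image, cmd):
    """Execution: powershell -File on a script in a user-writable dir with a policy override."""
    if not image.lower().endswith("powershell.exe"):
        return None
    f = re.search(r'-File\s+"?([^"]+?\.ps1)"?', cmd, re.I)
    if f and USER_WRITABLE.search(f.group(1)) and re.search(r"-executionpolicy", cmd, re.I):
        return f"script {f.group(1)}"
    return None


RULES = [rule_schtasks_minute_userdir, rule_kill_delete_rename_chain,
         rule_rundll32_userdir_export, rule_netsh_wlan_profiles,
         rule_powershell_script_userdir]


def scan(events):
    """Return (rule name, image, detail) for every event that trips a rule."""
    hits = []
    for image, cmd in events:
        for rule in RULES:
            detail = rule(image, cmd)
            if detail:
                hits.append((rule.__name__, image, detail))
    return hits


if __name__ == "__main__":
    for name, image, detail in scan(SAMPLE_EVENTS):
        print(f"{name:32s} {image}\n    {detail}")
```

The rules key on the image name rather than the command-line prefix because the report shows the SysWOW64 copy of schtasks.exe and cmd.exe being launched through a System32 path string; matching only on the literal path would miss the 32-bit instances. Feed the same (image, command line) tuples from Sysmon Event ID 1 or an EDR process export to apply the rules outside the sandbox.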

Processes

C:\Users\Admin\AppData\Local\Temp\5ec0957697ef3692607bc8a8d00bdad0ff86c129ead5fb698c035f4d6b47c69c.exe

"C:\Users\Admin\AppData\Local\Temp\5ec0957697ef3692607bc8a8d00bdad0ff86c129ead5fb698c035f4d6b47c69c.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe

"C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "explorhe.exe" && timeout 1 && del "explorhe.exe" && ren cbfcbf explorhe.exe && C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe && Exit"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "explorhe.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\system32\taskeng.exe

taskeng.exe {5CB6C6F5-5DB3-4A5F-ADB8-866F3A7CF289} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"

C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000030041\do.ps1"

C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe

"C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/video

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe

"C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6919758,0x7fef6919768,0x7fef6919778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1128,i,3856922413345853458,2101642175816423645,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 --field-trial-handle=1128,i,3856922413345853458,2101642175816423645,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1128,i,3856922413345853458,2101642175816423645,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2052 --field-trial-handle=1128,i,3856922413345853458,2101642175816423645,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2060 --field-trial-handle=1128,i,3856922413345853458,2101642175816423645,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe

"C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.linkedin.com/login

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2860 --field-trial-handle=1128,i,3856922413345853458,2101642175816423645,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6919758,0x7fef6919768,0x7fef6919778

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.linkedin.com/login

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.linkedin.com/login

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2864 --field-trial-handle=1128,i,3856922413345853458,2101642175816423645,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6919758,0x7fef6919768,0x7fef6919778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3460 --field-trial-handle=1128,i,3856922413345853458,2101642175816423645,131072 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.0.483994247\1504771651" -parentBuildID 20221007134813 -prefsHandle 1168 -prefMapHandle 1160 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ddbec95-336c-405e-be25-a193e23b0bf0} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 1304 102d5558 gpu

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com

C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe

"C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6919758,0x7fef6919768,0x7fef6919778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1144 --field-trial-handle=1128,i,3856922413345853458,2101642175816423645,131072 /prefetch:2

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.1.689836615\1716085611" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc087bfd-9239-420a-b2fa-019bc309b244} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 1496 f4ed058 socket

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3596 --field-trial-handle=1128,i,3856922413345853458,2101642175816423645,131072 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.2.40340722\866276406" -childID 1 -isForBrowser -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dfab82c-1613-48ec-9414-89fa104fe05f} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 2104 19990858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.3.732219762\945432769" -childID 2 -isForBrowser -prefsHandle 1964 -prefMapHandle 1792 -prefsLen 21689 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e25208a4-5cc9-4fae-98fd-8968856bf7b0} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 2016 d62b58 tab

C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe

"C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe"

C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe

"C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.4.954640484\1885381513" -childID 3 -isForBrowser -prefsHandle 2712 -prefMapHandle 2708 -prefsLen 21689 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98a1bbc5-3e8b-4efb-8a09-17eb21314358} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 2724 1ab37858 tab

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.5.249623073\90482466" -childID 4 -isForBrowser -prefsHandle 2752 -prefMapHandle 2740 -prefsLen 21689 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {072b45f1-680e-46bc-b4c5-55a39be87187} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 2836 1bdbe858 tab

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4220 --field-trial-handle=1128,i,3856922413345853458,2101642175816423645,131072 /prefetch:8

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.6.13730702\627294238" -childID 5 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2019c49c-b2b5-412e-be32-ef6716773f43} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 3452 1d03a958 tab

C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe"

C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe

"C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe"

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe"

C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.7.1716002336\513629790" -childID 6 -isForBrowser -prefsHandle 4180 -prefMapHandle 4016 -prefsLen 26345 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e9e57b8-7c8b-4554-b572-7f3c3a492f58} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 4192 1eef2b58 tab

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "ACULXOBT"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 592

C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ACULXOBT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4760 --field-trial-handle=1128,i,3856922413345853458,2101642175816423645,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4876 --field-trial-handle=1128,i,3856922413345853458,2101642175816423645,131072 /prefetch:1

C:\Windows\explorer.exe

explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5008 --field-trial-handle=1128,i,3856922413345853458,2101642175816423645,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4664 --field-trial-handle=1128,i,3856922413345853458,2101642175816423645,131072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\u3c4.0.exe

"C:\Users\Admin\AppData\Local\Temp\u3c4.0.exe"

C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe

"C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe"

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video

C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe

"C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef6919758,0x7fef6919768,0x7fef6919778

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef6919758,0x7fef6919768,0x7fef6919778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6919758,0x7fef6919768,0x7fef6919778

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 96

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 604

C:\Users\Admin\AppData\Local\Temp\u3c4.1.exe

"C:\Users\Admin\AppData\Local\Temp\u3c4.1.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\308111660363_Desktop.zip' -CompressionLevel Optimal

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.8.1002236170\1194091976" -childID 7 -isForBrowser -prefsHandle 1988 -prefMapHandle 1996 -prefsLen 26905 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c24df5f7-33f3-47b5-bec5-26dd3ca17db3} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 3384 1ce7ab58 tab

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.9.85250400\1665915650" -childID 8 -isForBrowser -prefsHandle 3036 -prefMapHandle 3048 -prefsLen 27382 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31c54443-1d0f-4ad6-89fd-237b4c68d94f} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 1052 102d2858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.10.1330194650\1303596237" -childID 9 -isForBrowser -prefsHandle 4496 -prefMapHandle 3196 -prefsLen 27382 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e6d6cbb-c79d-4400-9c03-46cec2d2eb50} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 4488 19a6fe58 tab

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x580
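
The process list above is the raw evidence; what a detection engineer wants from it is a small set of rules that would have fired on it. The Python below is an added example, not part of the sandbox report: it runs regex rules over command lines copied verbatim from this page (the sample list, the rule names and the ATT&CK mappings are my assumptions, not the sandbox's signatures) and reports which line trips which technique: a service created with its binary under ProgramData, the eventlog service being stopped, rundll32 loading a DLL from AppData\Roaming, a scheduled task pointing into Temp, Compress-Archive staging a Temp folder, netsh Wi-Fi profile enumeration, and a .bat launched from the user profile. Two benign lines (a browser launch and WerFault) are included to show the rules stay quiet on them.

```python
import re
from dataclasses import dataclass

# Constructed sample: command lines copied from the process list in this report,
# plus two benign lines (browser, WerFault) that the rules must not flag.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\sc.exe delete "ACULXOBT"',
    r'C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"',
    r'C:\Windows\system32\sc.exe start "ACULXOBT"',
    r'C:\Windows\system32\sc.exe stop eventlog',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main',
    r'netsh wlan show profiles',
    r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\308111660363_Desktop.zip' -CompressionLevel Optimal",
    r'cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "',
    r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F''',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 592',
]

# Locations a non-admin process can write to; a service binary or loaded DLL living
# here is the interesting part of the sc.exe / rundll32 lines above.
USER_WRITABLE = r'(?:\\ProgramData\\|\\AppData\\(?:Local|Roaming)\\|\\Users\\Public\\|\\Temp\\)'

# (rule name, ATT&CK technique, compiled pattern). The mappings are my assumptions.
# The sc.exe rules use a lookbehind so "/sc minute" in a schtasks line is not taken for sc.exe.
RULES = [
    ("service created with binary in user-writable path", "T1543.003",
     re.compile(r'(?<![/-])\bsc(?:\.exe)?\b.*\bcreate\b.*binpath=\s*"?[^"]*' + USER_WRITABLE, re.I)),
    ("Windows Event Log service stopped", "T1562.002",
     re.compile(r'(?<![/-])\bsc(?:\.exe)?\b.*\bstop\s+"?eventlog\b', re.I)),
    ("scheduled task runs binary from Temp", "T1053.005",
     re.compile(r'\bschtasks(?:\.exe)?\b.*/create\b.*/tr\b.*\\Temp\\', re.I)),
    ("rundll32 loads DLL from user-writable path", "T1218.011",
     re.compile(r'\brundll32(?:\.exe)?"?\s+[^,]*' + USER_WRITABLE + r'[^,]*\.dll', re.I)),
    ("PowerShell archives a staging folder in Temp", "T1560.001",
     re.compile(r'\bpowershell(?:\.exe)?\b.*Compress-Archive\b.*-Path\b.*\\Temp\\', re.I)),
    ("Wi-Fi profile enumeration", "T1016.002",
     re.compile(r'\bnetsh(?:\.exe)?\b.*\bwlan\s+show\s+profiles?', re.I)),
    ("batch file executed from user-writable path", "T1059.003",
     re.compile(r'\bcmd(?:\.exe)?\b.*/c\b.*' + USER_WRITABLE + r'[^"]*\.bat', re.I)),
]


@dataclass(frozen=True)
class Hit:
    cmdline: str
    rule: str
    technique: str


def triage(cmdlines):
    """Return one Hit per (command line, rule) pair that matched."""
    hits = []
    for line in cmdlines:
        for name, technique, pattern in RULES:
            if pattern.search(line):
                hits.append(Hit(line, name, technique))
    return hits


def techniques_seen(cmdlines):
    """Distinct ATT&CK technique IDs the command lines tripped, sorted."""
    return sorted({h.technique for h in triage(cmdlines)})


if __name__ == "__main__":
    for h in triage(SAMPLE_CMDLINES):
        print(f"{h.technique}  {h.rule}\n    {h.cmdline}")
    print("techniques:", ", ".join(techniques_seen(SAMPLE_CMDLINES)))
```

The same patterns apply unchanged to the CommandLine field of Sysmon Event ID 1 (process creation) or Windows Security 4688 with command-line auditing enabled; the sandbox's process list is simply that field with the parent/child tree flattened. Note that the `sc.exe delete` and `sc.exe start` lines on their own produce no hit: the service name is random, so it is the create-with-ProgramData-binary and stop-eventlog lines that carry the signal.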

Network

Country Destination Domain Proto
RU 185.215.113.68:80 185.215.113.68 tcp
FI 109.107.182.3:80 109.107.182.3 tcp
RU 185.215.113.32:80 185.215.113.32 tcp
FI 109.107.182.3:80 109.107.182.3 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
NL 80.79.4.61:18236 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.linkedin.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 13.107.42.14:443 www.linkedin.com tcp
US 13.107.42.14:443 www.linkedin.com tcp
GB 163.70.151.35:443 www.facebook.com tcp
GB 163.70.151.35:443 www.facebook.com tcp
NL 142.250.27.84:443 accounts.google.com tcp
NL 142.250.27.84:443 accounts.google.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 i.ytimg.com udp
GB 216.58.212.214:443 i.ytimg.com tcp
US 13.107.42.14:443 www.linkedin.com tcp
US 13.107.42.14:443 www.linkedin.com tcp
GB 142.250.178.14:443 www.youtube.com udp
GB 163.70.151.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.27.84:443 accounts.google.com tcp
NL 142.250.27.84:443 accounts.google.com udp
GB 163.70.151.35:443 www.facebook.com tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 142.250.200.42:443 content-autofill.googleapis.com tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 accounts.youtube.com udp
GB 172.217.16.238:443 accounts.youtube.com tcp
US 8.8.8.8:53 play.google.com udp
GB 216.58.201.110:443 play.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
NL 142.250.27.84:443 accounts.google.com tcp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 star-mini.c10r.facebook.com udp
GB 163.70.147.23:443 static.xx.fbcdn.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 star-mini.c10r.facebook.com udp
US 8.8.8.8:53 l-0005.l-msedge.net udp
US 8.8.8.8:53 l-0005.l-msedge.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 13.107.42.14:443 l-0005.l-msedge.net tcp
GB 142.250.178.14:443 youtube-ui.l.google.com tcp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 44.227.167.82:443 shavar.prod.mozaws.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
NL 142.250.27.84:443 accounts.google.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 static.licdn.com udp
US 8.8.8.8:53 www.google.com udp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.147.35:443 www.facebook.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 static.licdn.com udp
US 8.8.8.8:53 static.licdn.com udp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
GB 88.221.135.104:443 static.licdn.com tcp
US 8.8.8.8:53 a1916.dscg2.akamai.net udp
US 8.8.8.8:53 a1916.dscg2.akamai.net udp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 i.alie3ksgaa.com udp
NL 45.15.156.209:40481 tcp
NL 94.156.67.230:13781 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
GB 172.217.16.238:443 www.youtube.com udp
DE 185.172.128.109:80 185.172.128.109 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.42:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 216.58.212.214:443 i.ytimg.com udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
GB 163.70.147.23:443 static.xx.fbcdn.net udp
GB 216.58.201.110:443 www.youtube.com udp
GB 216.58.201.110:443 www.youtube.com udp
RU 185.215.113.32:80 185.215.113.32 tcp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
RU 185.215.113.32:80 185.215.113.32 tcp
US 8.8.8.8:53 facebook.com udp
GB 163.70.147.35:443 facebook.com tcp
GB 163.70.147.35:443 facebook.com tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.169.46:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.169.46:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-1gi7znek.gvt1.com udp
CH 74.125.108.201:443 r4---sn-1gi7znek.gvt1.com tcp
US 8.8.8.8:53 r4.sn-1gi7znek.gvt1.com udp
US 8.8.8.8:53 r4.sn-1gi7znek.gvt1.com udp
CH 74.125.108.201:443 r4.sn-1gi7znek.gvt1.com udp
DE 185.172.128.79:80 185.172.128.79 tcp
DE 45.76.89.70:80 pool.hashvault.pro tcp
NL 94.156.67.230:13781 tcp
NL 142.250.27.84:443 accounts.google.com udp
GB 163.70.151.35:443 www.facebook.com tcp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 ponf.linkedin.com udp
US 8.8.8.8:53 ponf.linkedin.com udp
CH 172.217.168.67:443 beacons.gcp.gvt2.com tcp
CH 172.217.168.67:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 star-mini.c10r.facebook.com udp
US 8.8.8.8:53 ponf.linkedin.com udp
US 8.8.8.8:53 star-mini.c10r.facebook.com udp
US 144.2.9.1:443 ponf.linkedin.com tcp
GB 163.70.147.35:443 star-mini.c10r.facebook.com udp
NL 142.250.27.84:443 accounts.google.com udp
NL 142.250.27.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
GB 172.217.16.238:443 accounts.youtube.com tcp
GB 172.217.16.238:443 accounts.youtube.com udp
US 8.8.8.8:53 accounts.youtube.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
CH 172.217.168.67:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.201.110:443 play.google.com tcp
GB 216.58.201.110:443 play.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
GB 216.58.201.110:443 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 94.156.67.230:13781 tcp
GB 163.70.147.35:443 star-mini.c10r.facebook.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 163.70.147.23:443 static.xx.fbcdn.net udp
US 8.8.8.8:53 app.alie3ksgaa.com udp
HK 154.92.15.189:80 app.alie3ksgaa.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 94.156.67.230:13781 tcp
US 8.8.8.8:53 www.linkedin.com udp
US 8.8.8.8:53 static.licdn.com udp
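
Most of the Network table is noise from the Firefox and Chrome sessions the sandbox opened (YouTube, Facebook, LinkedIn, Mozilla and Google services). The rows worth extracting are the direct-to-IP connections that had no DNS lookup, the high non-standard ports, and the domains that no browser visit explains. The Python below is an added example, not the report's own tooling: it parses rows copied verbatim from the table (including the rows that carry no Domain column at all), applies an allowlist of browser/OS domains that is my assumption and has to be tuned per environment, and groups what is left into findings per indicator. Treating hashvault.pro as a mining-pool hint is likewise an assumption encoded in the code, not something the table states.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: rows copied verbatim from the Network table in this report.
# Some rows have only three columns because the sandbox logged no domain for them.
SAMPLE_TABLE = """\
RU 185.215.113.68:80 185.215.113.68 tcp
FI 109.107.182.3:80 109.107.182.3 tcp
NL 80.79.4.61:18236 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
DE 185.172.128.19:80 185.172.128.19 tcp
NL 45.15.156.209:40481 tcp
NL 94.156.67.230:13781 tcp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
NL 94.156.67.230:13781 tcp
GB 96.17.179.205:80 apps.identrust.com tcp
"""

# Assumption: domains the sandbox's own browsers and Windows generate; tune per environment.
BENIGN_SUFFIXES = (
    "google.com", "googleapis.com", "youtube.com", "ytimg.com", "gvt1.com", "gvt2.com",
    "mozilla.com", "mozilla.net", "mozilla.org", "mozaws.net", "mozgcp.net",
    "facebook.com", "fbcdn.net", "linkedin.com", "licdn.com",
    "akamai.net", "msedge.net", "identrust.com",
)
MINING_POOL_HINTS = ("hashvault.pro",)   # public Monero pool; extend from your own intel
RESOLVERS = {"8.8.8.8"}                  # the sandbox's DNS server; port-53 rows to it are lookups
STANDARD_PORTS = {80, 443}


@dataclass(frozen=True)
class Row:
    country: str
    host: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' lines; Domain is absent on direct-to-IP rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # header or blank line
        host, port = dest.rsplit(":", 1)
        ipaddress.ip_address(host)  # raise on a malformed row instead of silently mis-parsing it
        rows.append(Row(country, host, int(port), domain, proto))
    return rows


def is_benign(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Finding:
    indicator: str        # resolved domain, or the raw IP when there was none
    reasons: tuple
    destinations: tuple   # distinct ip:port pairs actually connected to (DNS lookups excluded)
    count: int            # table rows that fed this finding


def triage_network(rows):
    """Group rows by indicator and keep only the ones with at least one reason to look closer."""
    groups = defaultdict(list)
    for r in rows:
        indicator = r.domain if r.domain and r.domain != r.host else r.host
        groups[indicator].append(r)
    findings = []
    for indicator, grp in sorted(groups.items()):
        reasons = []
        if any(r.domain is None or r.domain == r.host for r in grp):
            reasons.append("direct-to-IP connection (no DNS lookup)")
        if not is_ip(indicator) and not is_benign(indicator):
            reasons.append("domain not on browser/OS allowlist")
        if any(indicator.endswith(h) for h in MINING_POOL_HINTS):
            reasons.append("known mining pool domain")
        conns = [r for r in grp if not (r.host in RESOLVERS and r.port == 53)]
        for p in sorted({r.port for r in conns if r.port not in STANDARD_PORTS}):
            reasons.append(f"non-standard port {p}")
        if reasons:
            dests = tuple(sorted({f"{r.host}:{r.port}" for r in conns}))
            findings.append(Finding(indicator, tuple(reasons), dests, len(grp)))
    return findings


if __name__ == "__main__":
    for f in triage_network(parse_rows(SAMPLE_TABLE)):
        print(f"{f.indicator:22} x{f.count}  {', '.join(f.destinations)}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run against the full table the same way, the allowlisted browser traffic drops out and what remains is the loader and stealer check-ins on plain HTTP to bare IPs, the three high-port TCP destinations with no domain, the two alie3ksgaa.com hosts, and the pool.hashvault.pro lookup that matches the XMRig tag in the report's summary. The allowlist is the part to revisit: a suffix match on google.com also hides an attacker-controlled subdomain of a benign-looking CDN, so pair it with the direct-to-IP and port rules rather than relying on it alone.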

Files

memory/2272-1-0x0000000000120000-0x0000000000528000-memory.dmp

memory/2272-2-0x0000000000120000-0x0000000000528000-memory.dmp

memory/2272-4-0x00000000006D0000-0x00000000006D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 7ced1bb243ed005bb0abdce463e8ce7b
SHA1 5866fd17dae054b91483ff7d6cc0b6096b507fe8
SHA256 5ec0957697ef3692607bc8a8d00bdad0ff86c129ead5fb698c035f4d6b47c69c
SHA512 915794531d829e050146e1b893c826fd75fb2b2677d8dc21c38ceaa26f28c67bf5e50524e057d5c54899dba5895e979ebcdd3c4372fd797cb558d8cb9b8321e8

memory/2272-16-0x0000000004970000-0x0000000004D78000-memory.dmp

memory/2704-19-0x0000000000B90000-0x0000000000F98000-memory.dmp

memory/2704-20-0x0000000000B90000-0x0000000000F98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 7111602f267440dda877002924871f8b
SHA1 61d1748a53257c701355a459aface2bf01899162
SHA256 16d813f787ec367936678e38db7a5589a1da13e04126de67ce190c7b0e1a1bfa
SHA512 f31ddee0dd381868857ace70e8b9f09805cbce994fd1b6f3d6dd31468639799ed63c55ad0e024b23b7c2c559f49eba80aa7e5f7264793edacd8edb20a5033df3

memory/2272-15-0x0000000000120000-0x0000000000528000-memory.dmp

\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 b5caf29fb36c8ef803822539a78b8787
SHA1 17afa77adacf90667eeb94ac2746abf77de3588f
SHA256 75a24250c876e854cea38f73d64054e06e3a28d230e234bb073f533bf974ffd9
SHA512 55169a418711f3772e9b1a7c983e71aae07dba72be0ad7d8c13f4cbb5a65ccdc4fe296b58546253d3078d6d2171b0529a0894c1bd780034acb8f8c187bbdfa13

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe

MD5 aabdedcc858d75de2d067b4ee4d7b472
SHA1 1b7f94318e28e2057eaa3ade7203f9ccbc46c7e6
SHA256 f04c7235be5186e8d8d98b08d0fca68d736359a4a66b8125e258d0674845380e
SHA512 cd256aa0b0d131d242c064761fb618772d4a4226575127bc60b84bb584fc438da1b546497d6138ede948b9f4032724f18f695956aedf0136b6c878ea6c50cabe

memory/2704-40-0x00000000049E0000-0x0000000004EAF000-memory.dmp

memory/2704-42-0x00000000049E0000-0x0000000004EAF000-memory.dmp

memory/2596-43-0x00000000011E0000-0x00000000016AF000-memory.dmp

memory/2596-53-0x0000000077270000-0x0000000077272000-memory.dmp

memory/2596-54-0x00000000011E0000-0x00000000016AF000-memory.dmp

memory/2596-57-0x0000000000C60000-0x0000000000C61000-memory.dmp

memory/2596-56-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

memory/2596-60-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

memory/2596-59-0x0000000000910000-0x0000000000911000-memory.dmp

memory/2596-64-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/2596-65-0x0000000000A60000-0x0000000000A61000-memory.dmp

memory/2596-63-0x0000000000C10000-0x0000000000C11000-memory.dmp

memory/2596-62-0x0000000000C00000-0x0000000000C01000-memory.dmp

memory/2596-61-0x00000000009D0000-0x00000000009D1000-memory.dmp

memory/2596-58-0x0000000000E50000-0x0000000000E51000-memory.dmp

memory/2596-55-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

memory/2704-66-0x0000000000B90000-0x0000000000F98000-memory.dmp

memory/2596-67-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

memory/2596-68-0x0000000000E70000-0x0000000000E71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\cbfcbf

MD5 01b5a74e1ba5429e94d28c0746d80ff2
SHA1 063ac7c8c3cf2bc49e47d5acb04f792b48d99638
SHA256 915489d14132a7a27d2c1dfab930caf7688d7cd8c4e4b45a0adec82fb135ad6f
SHA512 1eeffe663d5736c3cd2a30616cf8ce2e4d74e9c1a5fb66adffdd59e8dd0a88e31403754c3e37492d3f76cf01ac378701d21cc3a9786129e59e839ccba84d4a45

memory/2596-73-0x0000000000F80000-0x0000000000F81000-memory.dmp

\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 90cf9c15e385d2de8888ed763f7818b0
SHA1 71a6d587efdbc37730d64ecb84437b9c39fe8c56
SHA256 2c8dce0616888e841c272a2b45fd94dd2b08573e71593d28cb70d52b37f85f8f
SHA512 2c05e9bac932c3bb24c9c5b41da33a13d3784ae7d13f69b69b09d82f4ba2643c88a43f01fda9af53578cadd88d0d30e2c00cb3594ac52c097084e0d434c70430

memory/2596-77-0x00000000011E0000-0x00000000016AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000958001\amert.exe

MD5 497e8ad1f20ef80774226fe113debf56
SHA1 45ffcf3156516019b3f58a25ec786fa823b6852b
SHA256 0a8065cd77e91bbcbd8ca3ba5ed77fa807c5a3159b36d7b5ae56093df3a732dc
SHA512 fb1c4128e8f7e8d781f2efd7fed37dac965a2197901b277cb82fcb185c960c4d67e1f33841e43dd45f1d653ad0aaf45a62a84c06941c8896f71a4131e3605705

memory/2008-81-0x0000000002140000-0x000000000260F000-memory.dmp

memory/2596-71-0x00000000009A0000-0x00000000009A1000-memory.dmp

\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 16d63fdae1fe5b462afdf28698d8e015
SHA1 30f68d25f658bf39fb264102394ee0b7fe0498fa
SHA256 edd5d948fd7ff62acfa5bf217054b75ef2d1f7802aa45a7048539db6d988bd8f
SHA512 7b241d4db7309d61265c6ca6dfc0f46a2cbdffa78e3d0362dc2389e37276d501b42d882f23d99246f8236184605f45801bb99e35f3e40cb623c0cd8cdc187b06

memory/572-82-0x0000000000A00000-0x0000000000ECF000-memory.dmp

memory/2008-83-0x0000000002140000-0x000000000260F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 ee50a01d0d664f827a12c5153b3aa5fa
SHA1 aeb6e581929a5be833a6bef6b22fff8fdc799f99
SHA256 55efbc5dd534f0479d11179d4bd680c4177c1cf0cdc69b4d88da7447a2cea17b
SHA512 9d826869a95c3a58fd98f9c0ede9841573d6c29437a71b2009e7adbee886c7ee1fb94c5ec5bceecd9fa1ca4f666c126eb4c9731f0b0801b0b0fc4e659f737732

memory/1716-85-0x0000000000A00000-0x0000000000ECF000-memory.dmp

memory/572-86-0x0000000000A00000-0x0000000000ECF000-memory.dmp

memory/572-87-0x0000000002390000-0x0000000002391000-memory.dmp

memory/572-88-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/572-89-0x0000000002320000-0x0000000002321000-memory.dmp

memory/572-90-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/572-91-0x0000000000910000-0x0000000000911000-memory.dmp

memory/572-92-0x0000000002340000-0x0000000002341000-memory.dmp

memory/572-93-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/572-94-0x0000000002310000-0x0000000002311000-memory.dmp

memory/572-95-0x0000000002330000-0x0000000002331000-memory.dmp

memory/572-97-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/572-98-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/572-96-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/1716-99-0x0000000000A00000-0x0000000000ECF000-memory.dmp

memory/1716-101-0x00000000026B0000-0x00000000026B1000-memory.dmp

memory/1716-102-0x0000000002520000-0x0000000002521000-memory.dmp

memory/1716-103-0x0000000002770000-0x0000000002771000-memory.dmp

memory/1716-105-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1716-104-0x0000000000560000-0x0000000000561000-memory.dmp

memory/1716-106-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/1716-100-0x0000000002690000-0x0000000002691000-memory.dmp

memory/1716-107-0x0000000002410000-0x0000000002411000-memory.dmp

memory/1716-112-0x00000000009A0000-0x00000000009A1000-memory.dmp

memory/1716-111-0x0000000000590000-0x0000000000591000-memory.dmp

memory/1716-110-0x0000000002720000-0x0000000002721000-memory.dmp

C:\Windows\Tasks\explorgu.job

MD5 b95754080cadf42df76a467de180d20a
SHA1 859337758c43ba6f90f3b3c5f71b8fb27bf61713
SHA256 56e50f3167c120f009b2092fbc74e1d10eb68b1fba8f1d1b8a3afdb112ee357f
SHA512 16bb8aac7fab522381d83474bcfbb8253996d0b41340f7761048bd568790c6d32fdb4ede11f468e6cb2ba60bffa138e5fcf7bd6bdccf5dba47181e7d21bfed1f

memory/572-113-0x0000000002440000-0x0000000002441000-memory.dmp

memory/572-114-0x0000000002300000-0x0000000002301000-memory.dmp

memory/572-118-0x0000000005190000-0x000000000565F000-memory.dmp

memory/572-120-0x0000000000A00000-0x0000000000ECF000-memory.dmp

memory/572-117-0x0000000000A00000-0x0000000000ECF000-memory.dmp

memory/2008-121-0x0000000002140000-0x000000000260F000-memory.dmp

memory/720-122-0x0000000001370000-0x000000000183F000-memory.dmp

memory/1716-123-0x00000000009F0000-0x00000000009F1000-memory.dmp

memory/1716-124-0x0000000002780000-0x0000000002781000-memory.dmp

memory/1716-126-0x0000000000A00000-0x0000000000ECF000-memory.dmp

\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 ee650b620489a1445666611bf8026bbe
SHA1 a6ffb8cab0260cff727dbccd7b48881bd9f5704a
SHA256 9d2645f48ae9fab3bef318b218afc502b125a5a8d628a437f0ae4930b5d0e1d0
SHA512 812cbf7fbb93dfc4772970a9a075b75b4f194e5e527be932392d1efef00574d5072522440019fcc213abd59d3fa922cc50b74432ec2dbc250a70030f058ce5df

\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 d5e0aa61a7156ac82ffa338327b3ce1b
SHA1 8b51862b6af65e5bcedb818172ec8fa8e6c44352
SHA256 cadf8508776edb14c89d6ce32a08dbecff183b8dbc6dec57c92d9a6aaddc8778
SHA512 c830214b87073ba133e8e3a942ef09957d49bdbbd270a195bf357839cba5731b43c04b7cc71a689f89630a08b224acf8aa6c8d08b423906943e3aabd34b8120d

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 a7539d39855936ccfb9796f5847b9a0a
SHA1 bedf663018946554b6600e4d2438db6a5420c3cf
SHA256 2cbb922d709022705c151ec4a6a556c5db7ee897196c86632a0d53bb98713f1c
SHA512 72a2a21b13b8ab24cbd0e771e20da3334e6d94e3f6d2534ce14d26b4465286fdf919927a2bff97ff7c0d2a6325b561ba054b5828a878e00573b4b69da27076cb

memory/1716-144-0x0000000000A00000-0x0000000000ECF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe

MD5 d177caf6762f5eb7e63e33d19c854089
SHA1 f25cf817e3272302c2b319cedf075cb69e8c1670
SHA256 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0