Malware Analysis Report

2025-01-22 10:25

Sample ID 240206-f1m7qagcf6
Target 335b17fdc989824126298877bed8804d
SHA256 58602a04e4a1cf974956fe3e8a44dc41250e7650cc3eb3632078025d68b9a4af
Tags
amadey glupteba redline risepro zgrat livetraffic dropper evasion infostealer loader persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

58602a04e4a1cf974956fe3e8a44dc41250e7650cc3eb3632078025d68b9a4af

Threat Level: Known bad

The file 335b17fdc989824126298877bed8804d was found to be: Known bad.

Malicious Activity Summary

amadey glupteba redline risepro zgrat livetraffic dropper evasion infostealer loader persistence rat stealer trojan

Detect ZGRat V1

ZGRat

Glupteba

RedLine payload

Amadey

Glupteba payload

RedLine

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Stops running service(s)

Creates new service(s)

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

.NET Reactor protector

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-06 05:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-06 05:20

Reported

2024-02-06 05:23

Platform

win10v2004-20231215-en

Max time kernel

25s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(7 matches recorded; no description, indicator, process or target details)

RisePro

stealer risepro

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
(19 matches recorded; no description, indicator, process or target details)

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
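The three registry checks above (the VirtualBox ACPI table name, the BIOS version strings and the Wine key) are the artefacts the sample and its dropped explorgu.exe use to decide whether they are being analysed. The following Python is an added example, not part of this sandbox report: it parses rows in the "Description Indicator Process Target" format used above, normalises the hive prefix so one rule covers every user SID, and tallies which processes touched which class of artefact. The rows are constructed from this report plus one benign control row; the category labels, the regular expressions and the analysis_aware threshold are this example's own choices.

```python
"""
Classify sandbox registry-access rows into anti-analysis categories.

Added example, not part of the sandbox report. Sample rows are constructed
from this report; the category labels and patterns are this example's own.
"""
import re
from collections import Counter

# Hive prefixes as the sandbox prints them, mapped to short names. The user
# hive pattern strips the SID so one rule covers every profile.
_HIVES = [
    (re.compile(r"^\\REGISTRY\\MACHINE", re.I), "HKLM"),
    (re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+", re.I), "HKU"),
]

# Keys that only exist, or only carry these values, inside a VM, an emulator
# or Wine. Matched case-insensitively against the normalised key path.
ANTI_ANALYSIS_KEYS = [
    (re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I), "vm:virtualbox-acpi"),
    (re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I), "vm:bios-strings"),
    (re.compile(r"^HKU\\Software\\Wine$", re.I), "emulator:wine"),
]

# One row of the report's "Description Indicator Process Target" table.
_ROW = re.compile(
    r"^(?P<action>Key opened|Key value queried)\s+"
    r"(?P<key>\\REGISTRY\\\S+)\s+(?P<proc>\S+)\s+(?P<target>\S+)$"
)


def normalise_key(path):
    # \REGISTRY\MACHINE\X -> HKLM\X ; \REGISTRY\USER\<SID>\X -> HKU\X
    for pat, hive in _HIVES:
        path, n = pat.subn(hive, path, count=1)
        if n:
            break
    return path


def classify_key(path):
    """Return the anti-analysis label for a registry path, or None."""
    key = normalise_key(path)
    for pat, label in ANTI_ANALYSIS_KEYS:
        if pat.search(key):
            return label
    return None


def triage(rows):
    """Map each process to a Counter of anti-analysis labels it triggered."""
    hits = {}
    for line in rows:
        m = _ROW.match(line.strip())
        if not m:
            continue  # table header or a non-registry row
        label = classify_key(m["key"])
        if label:
            hits.setdefault(m["proc"], Counter())[label] += 1
    return hits


def analysis_aware(hits, min_categories=2):
    """Processes that probed at least min_categories distinct artefact classes."""
    return sorted(p for p, c in hits.items() if len(c) >= min_categories)


# Rows constructed from this report's behavioral2 tables, plus a benign
# control row (the last one) that must not be classified.
SAMPLE_ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\explorer.exe N/A",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_ROWS)
    for proc, counts in hits.items():
        print(proc, dict(counts))
    print("analysis-aware:", analysis_aware(hits))
```

A process that hits more than one category is a strong candidate for an analysis-aware loader; in this run both the original sample and explorgu.exe hit all three. If the same events come from Sysmon (event IDs 12 and 13) rather than a sandbox, TargetObject already carries HKLM\ and HKU\ prefixes, so only the row parser needs changing.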

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A
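Beyond the sc.exe and schtasks.exe launches listed in the signatures, the Processes section of this run records several command lines that a detection engineer would turn into hunting rules: rundll32.exe loading cred64.dll and clip64.dll from AppData\Roaming and calling the export Main, RegAsm.exe started with no arguments, netsh wlan show profiles, powershell.exe running a script from a numbered Temp folder and later zipping a _Files_ staging folder, sc.exe delete, payloads executed from numbered Temp subfolders, browsers opened directly on login pages, and an executable named qemu-ga.exe in the user's Startup folder. The Python below is an added example, not part of the sandbox report: a small rule set applied to process-creation records. The records are constructed from this report's command lines (plus one benign browser child as a control); the rule names, the regular expressions and the argument splitter are this example's own.

```python
"""
Rule-based triage of process-creation records.

Added example, not part of the sandbox report. The records are constructed
from the command lines in this report (plus one benign control); the rule
names and patterns are this example's own.
"""
import re
from collections import namedtuple

Rec = namedtuple("Rec", "image name args")


def _args(cmdline):
    """Argument portion of a Windows command line (first token removed)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def _rec(image, cmdline):
    # Key on the image basename: the same binary shows up under both
    # System32 and SysWOW64 in this run.
    return Rec(image, image.rsplit("\\", 1)[-1].lower(), _args(cmdline))


RULES = [
    # Core LOLBin loading a DLL from a user-writable profile directory.
    ("rundll32-userland-dll", lambda r: r.name == "rundll32.exe"
        and re.search(r"\\AppData\\(Roaming|Local)\\.+\.dll\b", r.args, re.I) is not None),
    # .NET utilities that need an assembly argument to do anything useful;
    # started bare they are a common injection/hollowing host.
    ("dotnet-utility-no-args", lambda r:
        r.name in {"regasm.exe", "regsvcs.exe", "installutil.exe"} and r.args == ""),
    ("wifi-profile-enum", lambda r: r.name == "netsh.exe"
        and re.search(r"\bwlan\s+show\s+profiles?\b", r.args, re.I) is not None),
    ("powershell-script-in-temp", lambda r: r.name == "powershell.exe"
        and re.search(r'-file\s+"?[^"]*\\AppData\\Local\\Temp\\', r.args, re.I) is not None),
    ("powershell-archive-staging", lambda r: r.name == "powershell.exe"
        and re.search(r"Compress-Archive\b.*\\AppData\\Local\\Temp\\", r.args, re.I) is not None),
    ("service-delete", lambda r: r.name == "sc.exe"
        and re.match(r"delete\b", r.args, re.I) is not None),
    ("startup-folder-exe", lambda r:
        re.search(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", r.image, re.I) is not None),
    ("temp-numbered-dir-exe", lambda r:
        re.search(r"\\AppData\\Local\\Temp\\\d{6,}\\[^\\]+\.exe$", r.image, re.I) is not None),
    # Noisy on its own; meaningful only alongside the other hits.
    ("browser-opened-login-page", lambda r:
        r.name in {"msedge.exe", "chrome.exe", "firefox.exe"}
        and re.search(r"https?://(accounts\.google\.com|www\.facebook\.com/login|www\.linkedin\.com/login)",
                      r.args, re.I) is not None),
]


def triage(records):
    """Return [(image, cmdline, [rule names])] for records that hit any rule."""
    flagged = []
    for image, cmdline in records:
        r = _rec(image, cmdline)
        hits = [name for name, pred in RULES if pred(r)]
        if hits:
            flagged.append((image, cmdline, hits))
    return flagged


# (image, command line) pairs constructed from this report; the last one is a
# benign Edge renderer child used as a control and must not fire.
SAMPLE_RECORDS = [
    (r"C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000030041\do.ps1"'),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main'),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    (r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\969412972279_Desktop.zip' -CompressionLevel Optimal"),
    (r"C:\Windows\system32\sc.exe", r'C:\Windows\system32\sc.exe delete "ACULXOBT"'),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login'),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US /prefetch:1'),
]

if __name__ == "__main__":
    for image, cmdline, hits in triage(SAMPLE_RECORDS):
        print(", ".join(hits), "<-", cmdline)
```

Each rule is weak on its own (a browser opening a login page is everyday activity, and RegAsm.exe is occasionally run bare by installers), so the value is in the combination: feed the hits into the same timeline as the registry probes and the explorgu.job scheduled task and alert when several fire from one process tree within a short window.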

Processes

C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe

"C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe"

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000030041\do.ps1"

C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe

"C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff977dc46f8,0x7ff977dc4708,0x7ff977dc4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff977dc46f8,0x7ff977dc4708,0x7ff977dc4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff977dc46f8,0x7ff977dc4708,0x7ff977dc4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff977dc46f8,0x7ff977dc4708,0x7ff977dc4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff977dc46f8,0x7ff977dc4708,0x7ff977dc4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff977dc46f8,0x7ff977dc4708,0x7ff977dc4718

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff977dc46f8,0x7ff977dc4708,0x7ff977dc4718

C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe

"C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff977c69758,0x7ff977c69768,0x7ff977c69778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff977c69758,0x7ff977c69768,0x7ff977c69778

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xd4,0x110,0x7ff977c69758,0x7ff977c69768,0x7ff977c69778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com

C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe

"C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,3775621957902147091,2761984085957164728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,3775621957902147091,2761984085957164728,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3532.0.518417360\1269324597" -parentBuildID 20221007134813 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c959cd22-a3a2-4c1a-8030-c590e1bd5d0c} 3532 "\\.\pipe\gecko-crash-server-pipe.3532" 1880 196ffdd8f58 gpu

C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe

"C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,12558253831113487107,16832024225984734452,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,3904214391704009726,2583941524214240105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3904214391704009726,2583941524214240105,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,12558253831113487107,16832024225984734452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,12558253831113487107,16832024225984734452,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1836 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe

"C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe

"C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\969412972279_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000054001\dayroc.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff977db9758,0x7ff977db9768,0x7ff977db9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff973a146f8,0x7ff973a14708,0x7ff973a14718

C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe

"C:\Users\Admin\AppData\Local\Temp\1000055001\RDX.exe"

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000056001\redline1234.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff977db9758,0x7ff977db9768,0x7ff977db9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.linkedin.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.linkedin.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9721a46f8,0x7ff9721a4708,0x7ff9721a4718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5408.0.2082752771\427201250" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 20749 -prefMapSize 233496 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b6992c0-6ef4-426b-b809-9d2f6ed366a0} 5408 "\\.\pipe\gecko-crash-server-pipe.5408" 1824 18511af7158 gpu

C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000057001\mrk1234.exe"

C:\Users\Admin\AppData\Local\Temp\u5d4.0.exe

"C:\Users\Admin\AppData\Local\Temp\u5d4.0.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6692 -ip 6692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6692 -s 348

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5408.1.181666622\368792838" -parentBuildID 20221007134813 -prefsHandle 2252 -prefMapHandle 2248 -prefsLen 21565 -prefMapSize 233496 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1512e756-ae51-4afb-b389-688e0d4310dc} 5408 "\\.\pipe\gecko-crash-server-pipe.5408" 2272 18510cda558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.linkedin.com/login

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.linkedin.com/login

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff977db9758,0x7ff977db9768,0x7ff977db9778

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000058001\alex.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,8001669054322136890,10872576808073936863,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1904,i,7068735810055127641,10629258228391907865,131072 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8001669054322136890,10872576808073936863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8001669054322136890,10872576808073936863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,8001669054322136890,10872576808073936863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,8001669054322136890,10872576808073936863,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5408.2.1717983593\656607483" -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 3124 -prefsLen 21603 -prefMapSize 233496 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32f26751-850d-4fab-9546-d609c343192b} 5408 "\\.\pipe\gecko-crash-server-pipe.5408" 2880 18515be2f58 tab

C:\Users\Admin\AppData\Local\Temp\u5d4.1.exe

"C:\Users\Admin\AppData\Local\Temp\u5d4.1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9721a46f8,0x7ff9721a4708,0x7ff9721a4718

C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000059001\sadsadsadsa.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "ACULXOBT"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2748 --field-trial-handle=1904,i,7068735810055127641,10629258228391907865,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2732 --field-trial-handle=1904,i,7068735810055127641,10629258228391907865,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1904,i,7068735810055127641,10629258228391907865,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1904,i,7068735810055127641,10629258228391907865,131072 /prefetch:8

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5408.3.1076310778\1975424951" -childID 2 -isForBrowser -prefsHandle 3540 -prefMapHandle 3536 -prefsLen 21644 -prefMapSize 233496 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a914bee0-e864-47b2-9865-ffed22c06c14} 5408 "\\.\pipe\gecko-crash-server-pipe.5408" 3552 185166dd358 tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8001669054322136890,10872576808073936863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe

"C:\Users\Admin\AppData\Local\Temp\1000060001\1233213123213.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff977db9758,0x7ff977db9768,0x7ff977db9778

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5408.4.317224177\1066177915" -childID 3 -isForBrowser -prefsHandle 4272 -prefMapHandle 4268 -prefsLen 21768 -prefMapSize 233496 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89247757-75ed-455d-802e-da9495cd8fb0} 5408 "\\.\pipe\gecko-crash-server-pipe.5408" 3148 18510cdb158 tab

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1984,i,10291867830761688874,16197328405716776270,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9721a46f8,0x7ff9721a4708,0x7ff9721a4718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe

"C:\Users\Admin\AppData\Local\Temp\1000061001\55555.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5928 -ip 5928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 1272

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5408.5.1435856993\283152736" -childID 4 -isForBrowser -prefsHandle 4780 -prefMapHandle 4808 -prefsLen 21943 -prefMapSize 233496 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95890a12-2970-478a-86dd-6d65b8832b22} 5408 "\\.\pipe\gecko-crash-server-pipe.5408" 4804 185189d1758 tab

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ACULXOBT"

C:\Windows\explorer.exe

explorer.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,17477405321348552444,15886786130487351615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,17477405321348552444,15886786130487351615,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17477405321348552444,15886786130487351615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17477405321348552444,15886786130487351615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,17477405321348552444,15886786130487351615,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1984,i,10291867830761688874,16197328405716776270,131072 /prefetch:2

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7344 -ip 7344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7344 -ip 7344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7344 -s 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7344 -s 1084

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1928 --field-trial-handle=1984,i,10291867830761688874,16197328405716776270,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1984,i,10291867830761688874,16197328405716776270,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1984,i,10291867830761688874,16197328405716776270,131072 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6116 -ip 6116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6116 -s 2044

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\969412972279_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
FI 109.107.182.3:80 109.107.182.3 tcp
US 8.8.8.8:53 32.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 3.182.107.109.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
NL 80.79.4.61:18236 tcp
GB 88.221.135.217:80 tcp
RU 185.215.113.32:80 185.215.113.32 tcp
HK 154.92.15.189:443 tcp
US 13.107.42.14:443 tcp
US 13.107.42.16:443 tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 mealroomrallpassiveer.shop udp
NL 45.15.156.209:40481 tcp
DE 185.172.128.79:80 185.172.128.79 tcp
US 8.8.8.8:53 app.alie3ksgaa.com udp
US 8.8.8.8:53 secretionsuitcasenioise.shop udp
US 8.8.8.8:53 www.linkedin.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 13.107.42.14:443 www.linkedin.com tcp
US 172.67.213.168:443 secretionsuitcasenioise.shop tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 13.107.42.14:443 www.linkedin.com tcp
US 8.8.8.8:53 l-0005.l-msedge.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 l-0005.l-msedge.net udp
HK 154.92.15.189:80 app.alie3ksgaa.com tcp
US 8.8.8.8:53 171.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 79.128.172.185.in-addr.arpa udp
DE 20.79.30.95:33223 tcp
GB 163.70.147.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.27.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.27.84:443 accounts.google.com udp
NL 142.250.27.84:443 accounts.google.com udp
US 104.21.58.31:443 tcp
US 172.67.182.52:443 tcp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 34.149.100.209:443 tcp
RU 5.42.65.31:48396 tcp
NL 94.156.67.230:13781 tcp
DE 45.76.89.70:80 tcp
DE 185.225.200.120:15666 tcp
NL 142.250.27.84:443 accounts.google.com tcp
US 13.107.42.16:443 tcp
GB 142.250.178.4:443 tcp
NL 94.156.67.230:13781 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 185.215.113.32:80 tcp
NL 94.156.67.230:13781 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
DE 185.172.128.19:80 tcp
RU 185.215.113.32:80 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
NL 94.156.67.230:13781 tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
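Most rows in the table above are noise from the sandbox and the browsers it launched: PTR lookups of every peer (the in-addr.arpa queries to 8.8.8.8), Google, Facebook, LinkedIn and Mozilla endpoints opened by Chrome, Edge and Firefox. The rows worth keeping are the ones where the connection went to an IP literal on port 80 (the domain column repeats the address) and the raw TCP sessions on arbitrary high ports, and the same peers recur across the run. The Python below is an added example for this page, not part of the report; it parses a constructed subset of the rows, buckets each one, tallies the candidate beacons by ip:port, and turns the PTR queries back into the addresses they were about. The benign-service suffix list and the "anything not 53/80/443 is suspicious" heuristic are my own simplifications; the .shop domains are only reported as unreviewed, not claimed to be C2.

```python
import re

# Constructed sample: a subset of the rows from the Network table above.
SAMPLE_NETWORK = """\
Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
FI 109.107.182.3:80 109.107.182.3 tcp
US 8.8.8.8:53 32.113.215.185.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
NL 80.79.4.61:18236 tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 mealroomrallpassiveer.shop udp
NL 45.15.156.209:40481 tcp
DE 185.172.128.79:80 185.172.128.79 tcp
US 8.8.8.8:53 app.alie3ksgaa.com udp
US 172.67.213.168:443 secretionsuitcasenioise.shop tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
HK 154.92.15.189:80 app.alie3ksgaa.com tcp
GB 163.70.147.35:443 www.facebook.com tcp
NL 142.250.27.84:443 accounts.google.com tcp
NL 94.156.67.230:13781 tcp
RU 185.215.113.32:80 tcp
NL 94.156.67.230:13781 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
"""

# Assumed allowlist of services the sandbox's own browsers talk to.
KNOWN_SERVICE_SUFFIXES = ("google.com", "facebook.com", "linkedin.com", "mozilla.net",
                          "mozgcp.net", "msedge.net", "microsoft.com", "windowsupdate.com")

# country  ip:port  [domain]  proto
ROW_RE = re.compile(r'^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)'
                    r'\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$')


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:                      # header and blank lines do not match
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def is_known_service(domain):
    return any(domain == s or domain.endswith("." + s) for s in KNOWN_SERVICE_SUFFIXES)


def classify(row):
    domain = row["domain"] or ""
    if row["port"] == 53 and row["proto"] == "udp":
        if domain.endswith(".in-addr.arpa"):
            return "dns_reverse_lookup"
        return "dns_known_service" if is_known_service(domain) else "dns_unknown_domain"
    if domain == row["ip"]:        # contacted by IP literal, no hostname at all
        return "direct_ip"
    if row["port"] not in (80, 443):
        return "nonstandard_port"
    if not domain:
        return "no_hostname"
    return "known_service" if is_known_service(domain) else "unknown_domain"


def reverse_ptr(name):
    """'32.113.215.185.in-addr.arpa' -> '185.215.113.32'."""
    octets = name[:-len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def candidate_c2(rows):
    """ip:port -> connection count for IP-literal peers and unusual ports."""
    direct = {f"{r['ip']}:{r['port']}" for r in rows if classify(r) == "direct_ip"}
    counts = {}
    for r in rows:
        key, cat = f"{r['ip']}:{r['port']}", classify(r)
        # A later no-hostname row to the same ip:port is the same peer again.
        if cat in ("direct_ip", "nonstandard_port") or (cat == "no_hostname" and key in direct):
            counts[key] = counts.get(key, 0) + 1
    return counts


def ptr_lookups(rows):
    return {reverse_ptr(r["domain"]) for r in rows if classify(r) == "dns_reverse_lookup"}


def unknown_domains(rows):
    return sorted({r["domain"] for r in rows
                   if classify(r) in ("dns_unknown_domain", "unknown_domain")})


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_NETWORK)
    for key, n in sorted(candidate_c2(rows).items(), key=lambda kv: -kv[1]):
        print(f"{key:<22} {n} connection(s)")
    print("PTR lookups for:", sorted(ptr_lookups(rows)))
    print("unreviewed domains:", unknown_domains(rows))
```

Two details the buckets make visible: the PTR queries include 32.113.215.185.in-addr.arpa, which is simply the C2 peer 185.215.113.32 being reverse-resolved, so those rows are derived from the connections rather than being separate indicators; and 138.91.171.81:80 is left in "no_hostname" rather than promoted, because nothing in the table ties it to an IP-literal peer.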

Files

memory/4724-0-0x0000000000D20000-0x00000000011E7000-memory.dmp

memory/4724-1-0x00000000771B4000-0x00000000771B6000-memory.dmp

memory/4724-2-0x0000000000D20000-0x00000000011E7000-memory.dmp

memory/4724-4-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

memory/4724-3-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

memory/4724-5-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

memory/4724-6-0x0000000004F00000-0x0000000004F01000-memory.dmp

memory/4724-7-0x0000000004E90000-0x0000000004E91000-memory.dmp

memory/4724-8-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

memory/4724-9-0x0000000004F20000-0x0000000004F21000-memory.dmp

memory/4724-10-0x0000000004F10000-0x0000000004F11000-memory.dmp

memory/4724-15-0x0000000000D20000-0x00000000011E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 335b17fdc989824126298877bed8804d
SHA1 594f601a3cd7add83fa94f97fe90da3bfa678449
SHA256 58602a04e4a1cf974956fe3e8a44dc41250e7650cc3eb3632078025d68b9a4af
SHA512 b4fb222110afce49d786d9fd4f32a2f0c0e17229cf4792034ffe6498660b19912fb351230bf8eddbfcd30711780ab9ac0de5a6ae3fe536a43d9dac4184c05776

memory/3220-18-0x00000000008C0000-0x0000000000D87000-memory.dmp

memory/3220-20-0x0000000005140000-0x0000000005141000-memory.dmp

memory/3220-26-0x0000000005170000-0x0000000005171000-memory.dmp

memory/3220-25-0x0000000005120000-0x0000000005121000-memory.dmp

memory/3220-24-0x0000000005110000-0x0000000005111000-memory.dmp

memory/3220-23-0x0000000005180000-0x0000000005181000-memory.dmp

memory/3220-22-0x0000000005130000-0x0000000005131000-memory.dmp

memory/3220-21-0x0000000005150000-0x0000000005151000-memory.dmp

memory/3220-19-0x00000000008C0000-0x0000000000D87000-memory.dmp

memory/3220-27-0x0000000005190000-0x0000000005191000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000019001\leg221.exe

MD5 d177caf6762f5eb7e63e33d19c854089
SHA1 f25cf817e3272302c2b319cedf075cb69e8c1670
SHA256 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0
SHA512 9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

memory/4312-47-0x0000000072DD0000-0x0000000073580000-memory.dmp

memory/4312-49-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

memory/4312-50-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

memory/4312-48-0x0000000002310000-0x0000000002352000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000030041\do.ps1

MD5 d769ca0816a72bacb8b3205b4c652b4b
SHA1 4072df351635eb621feb19cc0f47f2953d761c59
SHA256 f4cc3a4606856fd811ecbcdf3fc89fa6418a1b3c8f56ca7ff5717713e8f806a2
SHA512 cf13fd667e71707d63d394391b508f5a1ee5ffa7ac27fe35906e15059e9fccc8ad61e91ce3ffd537e8daa0f6306d130997e9b448a4466407fa0c894917850b64

memory/4312-59-0x0000000004AD0000-0x0000000005074000-memory.dmp

memory/4312-60-0x0000000004A10000-0x0000000004A4E000-memory.dmp

memory/2224-62-0x0000000072DD0000-0x0000000073580000-memory.dmp

memory/2224-61-0x0000000004930000-0x0000000004966000-memory.dmp

memory/2224-64-0x0000000005070000-0x0000000005698000-memory.dmp

memory/2224-65-0x0000000004A30000-0x0000000004A40000-memory.dmp

memory/2224-66-0x0000000004A30000-0x0000000004A40000-memory.dmp

memory/3220-68-0x00000000008C0000-0x0000000000D87000-memory.dmp

memory/4312-69-0x0000000005080000-0x0000000005092000-memory.dmp

memory/2224-71-0x0000000004F20000-0x0000000004F42000-memory.dmp

memory/4312-70-0x00000000050A0000-0x00000000051AA000-memory.dmp

memory/2224-81-0x00000000056A0000-0x0000000005706000-memory.dmp

memory/4312-88-0x00000000051B0000-0x00000000051EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gak33fqu.dmg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2224-82-0x00000000058B0000-0x0000000005916000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe

MD5 df786e7583a634d34f4030b380ec4738
SHA1 d7d59b2c339e3563fa9f74c9de644a5c06c42431
SHA256 5325f47397421b9cb15e70ce6dc18d8442f9a403b085f4dd1a11d282bdfac60a
SHA512 85b22bb28dde7efd8e8a07703d79c085bb4fba008d44e9fba65c242e77eb5b751dc8161fa37b80dc2019308a2eeb6bab817b81c162ac26414bd131557f03f686

memory/4312-67-0x00000000056A0000-0x0000000005CB8000-memory.dmp

memory/2224-102-0x0000000005B30000-0x0000000005E84000-memory.dmp

memory/4312-100-0x0000000005320000-0x000000000536C000-memory.dmp

memory/4312-63-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

memory/2224-105-0x0000000005F00000-0x0000000005F1E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 146cc65b3124b8b56d33d5eb56021e97
SHA1 d7e6f30ad333a0a40cc3dfc2ca23191eb93b91b2
SHA256 54593a44629eeb928d62b35c444faabb5c91cd8d77b2e99c35038afeb8e92c8e
SHA512 20f1d9ceb1687e618cfb0327533997ac60ac7565a84c8f4105694159f15478c5744607a4a76319e3ff90043db40e406b8679f698bcd21ffe876a31fd175028ee

memory/4312-108-0x00000000062D0000-0x0000000006362000-memory.dmp

memory/2224-111-0x0000000004A30000-0x0000000004A40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe

MD5 4ec269cd4219e5be9b3c576b31a96b67
SHA1 a8dc8e5896be6ce4543f3ac34ff7f32f51cf4fa1
SHA256 69249779ab86c575e2b9e43262eda938b7e40a2cbd73d3fcbb842d4ff9c39289
SHA512 05f930c47fb2e491e763102edf7c90d08f3a392117d2a57fb081743416500330fc13c9479076fd90dad733bdef776167f1c81682c0bc178a40b396fe648518c9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 eb20b5930f48aa090358398afb25b683
SHA1 4892c8b72aa16c5b3f1b72811bf32b89f2d13392
SHA256 2695ab23c2b43aa257f44b6943b6a56b395ea77dc24e5a9bd16acc2578168a35
SHA512 d0c6012a0059bc1bb49b2f293e6c07019153e0faf833961f646a85b992b47896092f33fdccc893334c79f452218d1542e339ded3f1b69bd8e343d232e6c3d9e8

C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe

MD5 912cef274a60c985d42512f4b8b66544
SHA1 bd6f35df47484d693f9013ae157c87dc1010d378
SHA256 19841dcd9e53335e815d691d00d801237e297f12b5523083d7a65315c51a1f99
SHA512 0da9000e0a197a4f8b3327b7f4b0f7281f542f2229c0e28c14da2e6818c711d68e60b3fdd38a551c72969d80d069b4c12d9e701d12e86e99a10e3f5126899087

C:\Users\Admin\AppData\Local\Temp\1000032001\dota.exe

MD5 af57e3c332a60ca79769f517d060ce17
SHA1 25728fc278257c468f4211dbe4ca1a6542db390d
SHA256 16b625bf01dec75c7cd9ea3904cbb2e80d0c74c7247d9bf48cc2be4053398900
SHA512 cccb0272978c0b716be467c291bdac3425fa4bfb3dc1912e6b31903808aa9b30fd5d37c9e1887d1cd4e9774cdc7d64a5292a81d5be13a485e379d910b655f3c9

memory/2584-148-0x0000000000230000-0x00000000007EE000-memory.dmp

memory/4312-167-0x0000000006370000-0x00000000063E6000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 4a66d8fda6d825c0521d53c98dc9c340
SHA1 0b9a06071ee5b9a9b974dfd79bf154cea1929027
SHA256 6cfb9071b4745b2744e673f57a39aaacc9719825c5f6e83dc5ce9b528c7d88ee
SHA512 c8671d2e51d7d992c330a487a1f7159fd55b1d9b18a0844edd1db6b90b69e9006ee1c4452f619b5cc2cb706236c4de0a06034fd4ca008cb379819ba0fa40fb1a

memory/2224-180-0x0000000006420000-0x000000000643A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000050001\Amadey.exe

MD5 d467222c3bd563cb72fa49302f80b079
SHA1 9335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256 fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512 484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

memory/2224-179-0x00000000070E0000-0x0000000007176000-memory.dmp

memory/3220-168-0x00000000008C0000-0x0000000000D87000-memory.dmp

memory/4312-183-0x00000000064A0000-0x00000000064BE000-memory.dmp

memory/2584-197-0x0000000004D80000-0x0000000004D81000-memory.dmp

memory/2584-205-0x0000000004D50000-0x0000000004D51000-memory.dmp

memory/4312-196-0x0000000072DD0000-0x0000000073580000-memory.dmp

memory/2224-186-0x0000000006470000-0x0000000006492000-memory.dmp

memory/2584-209-0x0000000004D40000-0x0000000004D41000-memory.dmp

memory/4312-210-0x0000000006BA0000-0x0000000006BF0000-memory.dmp

memory/2584-208-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

memory/2584-215-0x0000000000230000-0x00000000007EE000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

MD5 16b7586b9eba5296ea04b791fc3d675e
SHA1 8890767dd7eb4d1beab829324ba8b9599051f0b0
SHA256 474d668707f1cb929fef1e3798b71b632e50675bd1a9dceaab90c9587f72f680
SHA512 58668d0c28b63548a1f13d2c2dfa19bcc14c0b7406833ad8e72dfc07f46d8df6ded46265d74a042d07fbc88f78a59cb32389ef384ec78a55976dfc2737868771

memory/2584-236-0x0000000004D30000-0x0000000004D31000-memory.dmp

memory/2584-237-0x0000000004D90000-0x0000000004D91000-memory.dmp

memory/3220-249-0x00000000008C0000-0x0000000000D87000-memory.dmp

\??\pipe\LOCAL\crashpad_4812_LJSSGHGCUKLEVJDZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\1000051001\rwtweewge.exe

MD5 6e401ff8d2152ee1f93cdf7a48072207
SHA1 5b6945cde50036da4f96c3ad4d8151e4edfa0eb7
SHA256 f7c9102387ff2be3466578767db90e8208f9edbfbeb048d08b3aa47b042a05a8
SHA512 66ae5caabd19090229449dede7840770c6b3bf8a5d875fa75df3621119b3798a0a5b60e19c4bba9cfb8a39172bde6b5a45ec1d8cff865ca8a8f152f335c68b96

memory/2584-264-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

memory/2584-258-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe

MD5 35023d50ba330d5ff190063aaee5268b
SHA1 8f6285b9540cd4a3c776ac2b7c2e0e09910eabcb
SHA256 9fb459fe16e2ac83af2334008368deb07f73eb3e9f6304a8868b823b1046eb42
SHA512 6335a28909e42c8a7c63bca88721b2d20a3041d608e000125c8255142026bef9dbbf3dfeb425aa261657b2336c80638fe6a756bed6af762055f4f1cd87584527

C:\Users\Admin\AppData\Local\Temp\1000052001\plaza.exe

MD5 6e58429720aa6ed27382e98d86c99c64
SHA1 e8211b52f4bb0dbaf21b2f0950fb5ec9e574fbce
SHA256 321a88a9be24d0a54d06ab2727298d2d4910d881bd1f0ef2bffa5c5c4f9a4fad
SHA512 2d5183478b13b657afcf007a3a64b6318a7de3cedfe5a27633931b343592caf15c076f708c41ebc778d963737e81b4f83b3f21b98903fa8b86834cb9d6b57102

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 f8fdd27293ae7e2e21a4548760182870
SHA1 bc58b4fae76747c4fbf60a41ce02ae9f9c9238ae
SHA256 96d63a5a3ec8409cda546cf98ca2662bc6c5f85e8fb30e275b1444d9d171ef20
SHA512 2a02cde423efb101ec7f3baa208223fa6826b7358c8de22da5ff3dde219388d27fe749f99dd173167f46cdcbbab4bc85b4ffd408d9040e5ed14903ad782797bd

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 808556c98308b5858f4c2996432960ce
SHA1 2262f590d883e4a13c60e06df4449976620971a1
SHA256 c7164c1f2c51f4fc533c9f154499d86c28aaaa7ea26e849b082c9a7d04941626
SHA512 c2cae24488eef12e1a179204dac3c8193582c9760acf75d8e556e6e5f777647a3c8dacdf12ff12c3500e401259b91e81e7ab6e1ca255212b477942ba0dbe7656

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 58e1bc68cae045cd472efbd81bbb9d54
SHA1 e74cb981a49b3de7c9cd8efa2e98534150e338f5
SHA256 d7af37982bfde2086b0fc147eb551d572f595160b25bfcd700287f8ce4581621
SHA512 e0361f9e5e9fb4baf5ee38fb971aa4493d0b20d1e1e8e8c3d9f582e116a33b935cfcc57d7df259984170c932b12507b6e22c607bddf75367725cb530041f7f7d

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 92fbdfccf6a63acef2743631d16652a7
SHA1 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256 b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512 b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

C:\Users\Admin\AppData\Local\Temp\1000053001\daissss.exe

MD5 10a331a12ca40f3293dfadfcecb8d071
SHA1 ada41586d1366cf76c9a652a219a0e0562cc41af
SHA256 b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f
SHA512 1a5b8e77ddbab97bb4c848adbcd7dbfb9ca84307d1844dba9572fcea48a2cbb091a3fc52663b87568416adf18a1338adc07aab0bd5f1ab36a03c8ff8a035d399

memory/6624-363-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 05:20

Reported

2024-02-06 05:23

Platform

win7-20231215-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe

"C:\Users\Admin\AppData\Local\Temp\335b17fdc989824126298877bed8804d.exe"

Network

N/A

Files
