Malware Analysis Report

2025-04-14 05:17

Sample ID 230928-bsvjlsge76
Target 45306699921e8d28a63dfe17c4519a07.bin
SHA256 55758b840cb41addf5d3749b47138ae08e1dc10dbed51a4496eba031234a39a3
Tags
dcrat djvu fabookie glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) up3 backdoor bootkit discovery dropper evasion infostealer loader persistence ransomware rat spyware stealer trojan upx privateloader themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

55758b840cb41addf5d3749b47138ae08e1dc10dbed51a4496eba031234a39a3

Threat Level: Known bad

The file 45306699921e8d28a63dfe17c4519a07.bin was found to be: Known bad.

Malicious Activity Summary

Suspicious use of NtCreateUserProcessOtherParentProcess

UAC bypass

Detected Djvu ransomware

Glupteba payload

Glupteba

Fabookie

Detect Fabookie payload

DcRat

Djvu Ransomware

SmokeLoader

Windows security bypass

PrivateLoader

RedLine

Drops file in Drivers directory

Downloads MZ/PE file

Stops running service(s)

Reads user/profile data of web browsers

Deletes itself

Executes dropped EXE

Modifies file permissions

Windows security modification

Loads dropped DLL

Themida packer

Drops startup file

Checks BIOS information in registry

UPX packed file

Adds Run key to start application

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Program crash

Enumerates physical storage devices

Unsigned PE

System policy modification

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Enumerates system info in registry

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-28 01:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-28 01:24

Reported

2023-09-28 01:27

Platform

win7-20230831-en

Max time kernel

121s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d1408f72-d63b-4f62-bafc-3976036d1a0f\\89AC.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\89AC.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9283.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\9283.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\9283.exe = "0" C:\Users\Admin\AppData\Local\Temp\9283.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\Pictures\ThDwcxTdco3k2gxH65pU0Y6f.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS72EF.tmp\Install.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IeRqzigbgQqxSjnh3CRoYL50.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VDOOdOTBPP8SOdHVzh5aj3Go.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aEDWuglvDsLYXHEG0gPLd3ap.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f1izRpdp4SKzKmz5MQzKkxJj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sfIjooHsr8AfC8H11z0px8u1.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rvErj0x3S8NOPcATXq51Ufvq.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tsKIctUO6W6vjLHSTn93YIme.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GF4WMvANpHkyMlCyaeFiX0AW.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tRHMb7k3FwKd5esl6xm1Y9ra.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9f4dTWk5kie0Niu30J9Lo3MH.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8047.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8190.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89AC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8047.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9283.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89AC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B39B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8047.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89AC.exe N/A
N/A N/A C:\Users\Admin\Pictures\3D4TXhxYVbJBGxS5pKoYK2xo.exe N/A
N/A N/A C:\Users\Admin\Pictures\TOymcpmP3x7MwYH0WMIjCiLF.exe N/A
N/A N/A C:\Users\Admin\Pictures\ni6UIujfe0EFsjqa8ILrfLMg.exe N/A
N/A N/A C:\Users\Admin\Pictures\zvnfhCbU9ez0KVKq6A51ZA6Q.exe N/A
N/A N/A C:\Users\Admin\Pictures\QuXJ78vzHAbp9x5MuB8J0CFP.exe N/A
N/A N/A C:\Users\Admin\Pictures\GJOk1SJyyXwC42qVXHJMVon7.exe N/A
N/A N/A C:\Users\Admin\Pictures\iao9VxIklpDqYNuyaLZDwpV2.exe N/A
N/A N/A C:\Users\Admin\Pictures\dX2JWp4J1JwOnUbOG6TWUkE3.exe N/A
N/A N/A C:\Users\Admin\Pictures\ThDwcxTdco3k2gxH65pU0Y6f.exe N/A
N/A N/A C:\Users\Admin\Pictures\XYs9lBIZ23tYeEgc9GmeNUpL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS705F.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D2LL4.tmp\is-5QPJH.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS72EF.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8047.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89AC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B39B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B39B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B39B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B39B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B39B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B39B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B39B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8047.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8047.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89AC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89AC.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Users\Admin\Pictures\QuXJ78vzHAbp9x5MuB8J0CFP.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Users\Admin\Pictures\XYs9lBIZ23tYeEgc9GmeNUpL.exe N/A
N/A N/A C:\Users\Admin\Pictures\XYs9lBIZ23tYeEgc9GmeNUpL.exe N/A
N/A N/A C:\Users\Admin\Pictures\XYs9lBIZ23tYeEgc9GmeNUpL.exe N/A
N/A N/A C:\Users\Admin\Pictures\XYs9lBIZ23tYeEgc9GmeNUpL.exe N/A
N/A N/A C:\Users\Admin\Pictures\ni6UIujfe0EFsjqa8ILrfLMg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS705F.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS705F.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS705F.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS705F.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS72EF.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS72EF.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS72EF.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\Pictures\TOymcpmP3x7MwYH0WMIjCiLF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D2LL4.tmp\is-5QPJH.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D2LL4.tmp\is-5QPJH.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D2LL4.tmp\is-5QPJH.tmp N/A
N/A N/A C:\Users\Admin\Pictures\QuXJ78vzHAbp9x5MuB8J0CFP.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\9283.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\9283.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\9283.exe = "0" C:\Users\Admin\AppData\Local\Temp\9283.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d1408f72-d63b-4f62-bafc-3976036d1a0f\\89AC.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\89AC.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\9283.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9283.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\Pictures\TOymcpmP3x7MwYH0WMIjCiLF.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS72EF.tmp\Install.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20230928012643.cab C:\Windows\system32\makecab.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\8190.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS72EF.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS72EF.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data not reproduced] C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data not reproduced] C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data not reproduced] C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21
542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301
d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
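A caveat on this signature before treating it as evidence of a planted root: the three key names are SHA-1 fingerprints, and all three belong to public CA roots. CABD2A79... is ISRG Root X1 (the DER in the Blob above literally carries the strings "Internet Security Research Group" and "ISRG Root X1" in hex), D1EB23A4... is Comodo's "AAA Certificate Services" (again visible as hex in its Blob), and DAC9024F... is DST Root CA X3, the root that cross-signed ISRG Root X1; the DNS query for apps.identrust.com in the Network section is consistent with CryptoAPI fetching that chain. Windows populates AuthRoot\Certificates on first use of a chain it has to build, so aafg31.exe causing these writes is weaker evidence than the signature name suggests. The check a practitioner wants is to decode the Blob, recompute the fingerprint from the embedded DER and look at the subject. The following Python is an added example, not part of the sandbox report or the analysed sample: it parses the Blob record format (DWORD property id, DWORD reserved=1, DWORD length, data), extracts the certificate property, derives the subject CN with a minimal DER walker, and compares the fingerprint with a small table of public-root fingerprints. The table entries are well-known CA facts; the page-derived input is the first five property records of the ROOT\CABD2A79... Blob shown above with the certificate record left out for length; the second input is a constructed, unsigned test certificate built inside the example so the full round trip runs offline.

```python
import hashlib
import struct

# Well-known SHA-1 fingerprints of the public roots named in the report's
# registry events (CA facts, not derived from the sample).
KNOWN_PUBLIC_ROOTS = {
    "cabd2a79a1076a31f21d253635cb039d4329a5e8": "ISRG Root X1 (Let's Encrypt)",
    "dac9024f54d8f6df94935fb1732638ca6ad77c13": "DST Root CA X3 (IdenTrust)",
    "d1eb23a46d17d68fd92564c2f1f1601764d8e349": "AAA Certificate Services (Comodo/Sectigo)",
}

CERT_SHA1_HASH_PROP_ID = 3   # CERT_SHA1_HASH_PROP_ID
CERT_MD5_HASH_PROP_ID = 4    # CERT_MD5_HASH_PROP_ID
CERT_CERT_PROP_ID = 32       # CERT_CERT_PROP_ID: the DER-encoded certificate

# First five property records of the ROOT\Certificates\CABD2A79... Blob from the
# report. The sixth record (id 0x20, the 1391-byte DER certificate) is omitted
# here for length; the parser handles it exactly like the others.
PAGE_BLOB_PREFIX_HEX = (
    "0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e"
    "14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e"
    "030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e8"
    "0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63"
    "1900000001000000100000002fe1f70bb05d7c92335bc5e05b984da6"
)


def parse_cert_blob(blob: bytes) -> dict:
    """Split a SystemCertificates\\...\\Blob value into {property_id: bytes}."""
    props, pos = {}, 0
    while pos < len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, pos)
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} at offset {pos}")
        pos += 12
        props[prop_id] = blob[pos:pos + length]
        pos += length
    return props


def der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def der_children(body: bytes) -> list:
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out


def subject_common_name(der_cert: bytes):
    """Walk Certificate -> tbsCertificate -> subject and return its CN, if any."""
    _, cert_body, _ = der_read(der_cert, 0)
    tbs = der_children(cert_body)[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:          # optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]            # serial, sigAlg, issuer, validity, subject
    for _, rdn_set in der_children(subject):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, value) = der_children(atv)
            if oid == b"\x55\x04\x03":  # id-at-commonName, 2.5.4.3
                return value.decode("utf-8")
    return None


def identify_root(props: dict) -> dict:
    """Compare the stored SHA-1 property with known roots and, when the DER is
    present, with a fingerprint recomputed from the certificate itself."""
    sha1 = props[CERT_SHA1_HASH_PROP_ID].hex()
    result = {"sha1": sha1, "known_as": KNOWN_PUBLIC_ROOTS.get(sha1),
              "subject_cn": None, "hash_matches": None}
    der = props.get(CERT_CERT_PROP_ID)
    if der is not None:
        result["subject_cn"] = subject_common_name(der)
        result["hash_matches"] = hashlib.sha1(der).hexdigest() == sha1
    return result


def der_write(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn: str) -> bytes:
    atv = der_write(0x30, der_write(0x06, b"\x55\x04\x03") + der_write(0x13, cn.encode()))
    return der_write(0x30, der_write(0x31, atv))


def build_constructed_blob(cn: str) -> bytes:
    """Constructed test input: a registry Blob wrapping a structurally valid but
    unsigned, self-issued certificate (not a real CA; for the round trip only)."""
    tbs = der_write(0x30, b"".join([
        der_write(0xA0, der_write(0x02, b"\x02")),                                   # [0] version v3
        der_write(0x02, b"\x01"),                                                     # serialNumber
        der_write(0x30, der_write(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSA
        _name(cn),                                                                    # issuer
        der_write(0x30, der_write(0x17, b"230101000000Z") + der_write(0x17, b"330101000000Z")),
        _name(cn),                                                                    # subject
        der_write(0x30, b""),                                                         # SPKI placeholder
    ]))
    cert = der_write(0x30, tbs + der_write(0x30, b"") + der_write(0x03, b"\x00"))
    rec = lambda pid, data: struct.pack("<III", pid, 1, len(data)) + data
    return (rec(CERT_MD5_HASH_PROP_ID, hashlib.md5(cert).digest())
            + rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(cert).digest())
            + rec(CERT_CERT_PROP_ID, cert))


if __name__ == "__main__":
    print(identify_root(parse_cert_blob(bytes.fromhex(PAGE_BLOB_PREFIX_HEX))))
    print(identify_root(parse_cert_blob(build_constructed_blob("Constructed Test Root"))))
```

Run against the page's Blob prefix, `identify_root` reports the SHA-1 as ISRG Root X1 with no subject (the DER record was left out); against the constructed Blob it recovers the CN and confirms the stored SHA-1 matches the certificate. A rogue root planted by malware would show an unfamiliar subject and no entry in the known table; that, not the bare registry write, is the finding worth escalating.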

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Pictures\TOymcpmP3x7MwYH0WMIjCiLF.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\dX2JWp4J1JwOnUbOG6TWUkE3.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 1332 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8047.exe
PID 1284 wrote to memory of 1332 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8047.exe
PID 1284 wrote to memory of 1332 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8047.exe
PID 1284 wrote to memory of 1332 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8047.exe
PID 1284 wrote to memory of 2784 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8190.exe
PID 1284 wrote to memory of 2784 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8190.exe
PID 1284 wrote to memory of 2784 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8190.exe
PID 1284 wrote to memory of 2784 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8190.exe
PID 2784 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1284 wrote to memory of 2764 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 1284 wrote to memory of 2764 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 1284 wrote to memory of 2764 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 1284 wrote to memory of 2764 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 1284 wrote to memory of 2764 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 2784 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\SysWOW64\WerFault.exe
PID 2784 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\SysWOW64\WerFault.exe
PID 2784 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\SysWOW64\WerFault.exe
PID 2784 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\8190.exe C:\Windows\SysWOW64\WerFault.exe
PID 2764 wrote to memory of 2664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2764 wrote to memory of 2664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2764 wrote to memory of 2664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2764 wrote to memory of 2664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2764 wrote to memory of 2664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2764 wrote to memory of 2664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2764 wrote to memory of 2664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1284 wrote to memory of 2576 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\89AC.exe
PID 1284 wrote to memory of 2576 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\89AC.exe
PID 1284 wrote to memory of 2576 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\89AC.exe
PID 1284 wrote to memory of 2576 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\89AC.exe
PID 1332 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\8047.exe C:\Users\Admin\AppData\Local\Temp\8047.exe
PID 1332 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\8047.exe C:\Users\Admin\AppData\Local\Temp\8047.exe
PID 1332 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\8047.exe C:\Users\Admin\AppData\Local\Temp\8047.exe
PID 1332 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\8047.exe C:\Users\Admin\AppData\Local\Temp\8047.exe
PID 1332 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\8047.exe C:\Users\Admin\AppData\Local\Temp\8047.exe
PID 1332 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\8047.exe C:\Users\Admin\AppData\Local\Temp\8047.exe
PID 1332 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\8047.exe C:\Users\Admin\AppData\Local\Temp\8047.exe
PID 1332 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\8047.exe C:\Users\Admin\AppData\Local\Temp\8047.exe
PID 1332 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\8047.exe C:\Users\Admin\AppData\Local\Temp\8047.exe
PID 1332 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\8047.exe C:\Users\Admin\AppData\Local\Temp\8047.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9283.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe

"C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe"

C:\Users\Admin\AppData\Local\Temp\8047.exe

C:\Users\Admin\AppData\Local\Temp\8047.exe

C:\Users\Admin\AppData\Local\Temp\8190.exe

C:\Users\Admin\AppData\Local\Temp\8190.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 140

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\869F.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\869F.dll

C:\Users\Admin\AppData\Local\Temp\89AC.exe

C:\Users\Admin\AppData\Local\Temp\89AC.exe

C:\Users\Admin\AppData\Local\Temp\8047.exe

C:\Users\Admin\AppData\Local\Temp\8047.exe

C:\Users\Admin\AppData\Local\Temp\9283.exe

C:\Users\Admin\AppData\Local\Temp\9283.exe

C:\Users\Admin\AppData\Local\Temp\89AC.exe

C:\Users\Admin\AppData\Local\Temp\89AC.exe

C:\Users\Admin\AppData\Local\Temp\B39B.exe

C:\Users\Admin\AppData\Local\Temp\B39B.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\d1408f72-d63b-4f62-bafc-3976036d1a0f" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\8047.exe

"C:\Users\Admin\AppData\Local\Temp\8047.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\89AC.exe

"C:\Users\Admin\AppData\Local\Temp\89AC.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9283.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\Pictures\3D4TXhxYVbJBGxS5pKoYK2xo.exe

"C:\Users\Admin\Pictures\3D4TXhxYVbJBGxS5pKoYK2xo.exe"

C:\Users\Admin\Pictures\ni6UIujfe0EFsjqa8ILrfLMg.exe

"C:\Users\Admin\Pictures\ni6UIujfe0EFsjqa8ILrfLMg.exe"

C:\Users\Admin\Pictures\GJOk1SJyyXwC42qVXHJMVon7.exe

"C:\Users\Admin\Pictures\GJOk1SJyyXwC42qVXHJMVon7.exe"

C:\Users\Admin\Pictures\zvnfhCbU9ez0KVKq6A51ZA6Q.exe

"C:\Users\Admin\Pictures\zvnfhCbU9ez0KVKq6A51ZA6Q.exe"

C:\Users\Admin\Pictures\TOymcpmP3x7MwYH0WMIjCiLF.exe

"C:\Users\Admin\Pictures\TOymcpmP3x7MwYH0WMIjCiLF.exe" /s

C:\Users\Admin\Pictures\QuXJ78vzHAbp9x5MuB8J0CFP.exe

"C:\Users\Admin\Pictures\QuXJ78vzHAbp9x5MuB8J0CFP.exe" --silent --allusers=0

C:\Users\Admin\Pictures\iao9VxIklpDqYNuyaLZDwpV2.exe

"C:\Users\Admin\Pictures\iao9VxIklpDqYNuyaLZDwpV2.exe"

C:\Users\Admin\Pictures\dX2JWp4J1JwOnUbOG6TWUkE3.exe

"C:\Users\Admin\Pictures\dX2JWp4J1JwOnUbOG6TWUkE3.exe"

C:\Users\Admin\Pictures\ThDwcxTdco3k2gxH65pU0Y6f.exe

"C:\Users\Admin\Pictures\ThDwcxTdco3k2gxH65pU0Y6f.exe"

C:\Users\Admin\Pictures\XYs9lBIZ23tYeEgc9GmeNUpL.exe

"C:\Users\Admin\Pictures\XYs9lBIZ23tYeEgc9GmeNUpL.exe"

C:\Users\Admin\AppData\Local\Temp\7zS705F.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\is-D2LL4.tmp\is-5QPJH.tmp

"C:\Users\Admin\AppData\Local\Temp\is-D2LL4.tmp\is-5QPJH.tmp" /SL4 $201D8 "C:\Users\Admin\Pictures\ni6UIujfe0EFsjqa8ILrfLMg.exe" 2831567 52224

C:\Users\Admin\AppData\Local\Temp\7zS72EF.tmp\Install.exe

.\Install.exe /jdidsrAf "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gkKQCnhCk" /SC once /ST 00:10:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gkKQCnhCk"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230928012643.log C:\Windows\Logs\CBS\CbsPersist_20230928012643.cab

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\system32\taskeng.exe

taskeng.exe {6CC854EB-380B-4A26-A20B-593BF1A8AAFB} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gkKQCnhCk"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"
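The process list above records the defence-evasion and persistence sequence in cleartext: Defender path exclusions for the dropped loader and then for the whole user profile and Program Files, extension exclusions written through forfiles.exe as a proxy for cmd.exe, SpyNetReporting set to 0, the Windows Update, Medic, BITS and delivery-optimisation services stopped, standby and hibernate timeouts zeroed, a GoogleUpdateTaskMachineQC task created as System from an XML file in Temp, a firewall allow rule for C:\Windows\rss\csrss.exe, and a hidden encoded PowerShell command. That base64 decodes (UTF-16LE) to `start-process -WindowStyle Hidden gpupdate.exe /force`, which makes the freshly written Defender policy keys take effect immediately. The Python below is an added example, not part of the sandbox report, of the rule set a detection engineer would run over Sysmon Event ID 1 or Security 4688 CommandLine fields: it decodes -EncodedCommand payloads and tags each of the tactics listed, using the report's own command lines as constructed sample input. Rule names are my own; the EnableLUA=0 write under System policy modification is a registry event rather than a command line and is out of scope for this pass.

```python
import base64
import re

# Command lines copied from the Processes list of this report, used as sample
# input; in production these come from process-creation telemetry.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9283.exe" -Force',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32',
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc',
    r'C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"',
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
    r'powercfg /x -hibernate-timeout-ac 0',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230928012643.log C:\Windows\Logs\CBS\CbsPersist_20230928012643.cab',
]

# (rule name, pattern). Names are illustrative, chosen for this example.
RULES = [
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\s+-ExclusionPath|Windows Defender\\Exclusions", re.I)),
    ("defender_cloud_reporting_disabled",
     re.compile(r"SpyNetReporting.*?/d\s+0", re.I)),
    ("update_services_stopped",
     re.compile(r"sc\s+stop\s+(?:UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)", re.I)),
    ("scheduled_task_as_system",
     re.compile(r'schtasks.*?/create.*?/ru\s+"?System"?', re.I)),
    ("firewall_allow_rule_added",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*?action=allow", re.I)),
    ("powershell_encoded_or_hidden",
     re.compile(r"-EncodedCommand|-WindowStyle\s+Hidden", re.I)),
    ("lolbin_proxy_exec_forfiles",
     re.compile(r"forfiles(?:\.exe)?\"?\s+/p\s+.*?/c\s+", re.I)),
    ("sleep_timeouts_disabled",
     re.compile(r"powercfg\s+/x\s+-(?:hibernate|standby)-timeout", re.I)),
]

# Matches -e, -ec, -enc and -EncodedCommand followed by a base64 token.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def analyze(cmdline: str) -> dict:
    """Tag one command line with every rule it trips and decode any payload."""
    tags = [name for name, rx in RULES if rx.search(cmdline)]
    return {"tags": tags, "decoded": decode_encoded_command(cmdline)}


def triage(cmdlines) -> list:
    """Return (command line, analysis) for every line that trips at least one rule."""
    flagged = []
    for cmd in cmdlines:
        result = analyze(cmd)
        if result["tags"]:
            flagged.append((cmd, result))
    return flagged


if __name__ == "__main__":
    for cmd, result in triage(SAMPLE_COMMAND_LINES):
        print(", ".join(result["tags"]), "<-", cmd[:80])
        if result["decoded"]:
            print("    decoded:", result["decoded"])
```

Nine of the ten sample lines are flagged; the makecab.exe line (a routine CBS log compression that happened to run during the detonation) is not, which is the point of keeping rules tied to specific tactics rather than to process names. The forfiles.exe line trips two rules at once, proxy execution and the Defender exclusion it carries, which is the kind of stacking that should raise a score in a real pipeline.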

Network

Files

memory/2240-1-0x0000000002640000-0x0000000002740000-memory.dmp

memory/2240-2-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2240-3-0x0000000000400000-0x0000000002599000-memory.dmp

memory/1284-4-0x0000000002A80000-0x0000000002A96000-memory.dmp

memory/2240-5-0x0000000000400000-0x0000000002599000-memory.dmp

memory/2240-8-0x0000000000220000-0x0000000000229000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8047.exe

MD5 8c581ea3a1ea8a3792e8a1ce692272c5
SHA1 0888e77676d8b9c1d919c3fce1f08053f829349d
SHA256 aebf7862b39cb99fe17f34b7f34cd4badb0ec4b35ab4662b8614a2996e336630
SHA512 b57c0432da908655a99783b615bb6c2eee46b89b884920cd59b853de5150c9c03f6fb44155b746255247e97afb112495a62a13f793f37f6f2092ab7df9cab1ca

C:\Users\Admin\AppData\Local\Temp\8047.exe

MD5 8c581ea3a1ea8a3792e8a1ce692272c5
SHA1 0888e77676d8b9c1d919c3fce1f08053f829349d
SHA256 aebf7862b39cb99fe17f34b7f34cd4badb0ec4b35ab4662b8614a2996e336630
SHA512 b57c0432da908655a99783b615bb6c2eee46b89b884920cd59b853de5150c9c03f6fb44155b746255247e97afb112495a62a13f793f37f6f2092ab7df9cab1ca

C:\Users\Admin\AppData\Local\Temp\8190.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

C:\Users\Admin\AppData\Local\Temp\8190.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

memory/840-24-0x0000000000400000-0x0000000000430000-memory.dmp

memory/840-26-0x0000000000400000-0x0000000000430000-memory.dmp

memory/840-30-0x0000000000400000-0x0000000000430000-memory.dmp

memory/840-32-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/840-28-0x0000000000400000-0x0000000000430000-memory.dmp

memory/840-33-0x0000000000400000-0x0000000000430000-memory.dmp

memory/840-35-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\869F.dll

MD5 1ab6c1d7f480fa84080c5ea04328841c
SHA1 4e98a73776cdb17fcbef5d3c24c2c809443317e0
SHA256 71998d732d2df7220d044181117be67b53bc1566d66dcf4a4ace737112915a1f
SHA512 34766634f8bdb7ea1e2bd64db0719697b1550b854d059f84e0b97ac30cbc8a76b50537459d8845087d5cbcd4f55c2cc344a904b6239630587e204e8a9b7b8fb2

\Users\Admin\AppData\Local\Temp\8190.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

\Users\Admin\AppData\Local\Temp\8190.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

\Users\Admin\AppData\Local\Temp\8190.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

\Users\Admin\AppData\Local\Temp\869F.dll

MD5 1ab6c1d7f480fa84080c5ea04328841c
SHA1 4e98a73776cdb17fcbef5d3c24c2c809443317e0
SHA256 71998d732d2df7220d044181117be67b53bc1566d66dcf4a4ace737112915a1f
SHA512 34766634f8bdb7ea1e2bd64db0719697b1550b854d059f84e0b97ac30cbc8a76b50537459d8845087d5cbcd4f55c2cc344a904b6239630587e204e8a9b7b8fb2

C:\Users\Admin\AppData\Local\Temp\89AC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

C:\Users\Admin\AppData\Local\Temp\89AC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

memory/2664-49-0x0000000010000000-0x00000000102A9000-memory.dmp

memory/2664-50-0x00000000001A0000-0x00000000001A6000-memory.dmp

memory/1332-52-0x0000000001C60000-0x0000000001CF1000-memory.dmp

memory/1332-53-0x0000000001DF0000-0x0000000001F0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8047.exe

MD5 8c581ea3a1ea8a3792e8a1ce692272c5
SHA1 0888e77676d8b9c1d919c3fce1f08053f829349d
SHA256 aebf7862b39cb99fe17f34b7f34cd4badb0ec4b35ab4662b8614a2996e336630
SHA512 b57c0432da908655a99783b615bb6c2eee46b89b884920cd59b853de5150c9c03f6fb44155b746255247e97afb112495a62a13f793f37f6f2092ab7df9cab1ca

memory/2996-57-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9283.exe

MD5 e95e666035b3787ea98b894253e608a6
SHA1 0579d7cdfe626702634322376d84ad43227760af
SHA256 ab4cdb60909f34d673fc6bc261a54910d21ecc68ba5f591ebe5da372aca2df62
SHA512 cc4841e47282f2969e700c3fe8a0710b9be64b49cb0d6b951b597a482fde7fd065a15cfb30b71d272a6dc659de2ba27c4a9cc46994fa3413f91e5ff3419ade5c

memory/2996-66-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9283.exe

MD5 e95e666035b3787ea98b894253e608a6
SHA1 0579d7cdfe626702634322376d84ad43227760af
SHA256 ab4cdb60909f34d673fc6bc261a54910d21ecc68ba5f591ebe5da372aca2df62
SHA512 cc4841e47282f2969e700c3fe8a0710b9be64b49cb0d6b951b597a482fde7fd065a15cfb30b71d272a6dc659de2ba27c4a9cc46994fa3413f91e5ff3419ade5c

memory/1332-67-0x0000000001C60000-0x0000000001CF1000-memory.dmp

memory/2996-59-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8047.exe

MD5 8c581ea3a1ea8a3792e8a1ce692272c5
SHA1 0888e77676d8b9c1d919c3fce1f08053f829349d
SHA256 aebf7862b39cb99fe17f34b7f34cd4badb0ec4b35ab4662b8614a2996e336630
SHA512 b57c0432da908655a99783b615bb6c2eee46b89b884920cd59b853de5150c9c03f6fb44155b746255247e97afb112495a62a13f793f37f6f2092ab7df9cab1ca

\Users\Admin\AppData\Local\Temp\8047.exe

MD5 8c581ea3a1ea8a3792e8a1ce692272c5
SHA1 0888e77676d8b9c1d919c3fce1f08053f829349d
SHA256 aebf7862b39cb99fe17f34b7f34cd4badb0ec4b35ab4662b8614a2996e336630
SHA512 b57c0432da908655a99783b615bb6c2eee46b89b884920cd59b853de5150c9c03f6fb44155b746255247e97afb112495a62a13f793f37f6f2092ab7df9cab1ca

memory/3008-68-0x0000000000120000-0x00000000001E2000-memory.dmp

\Users\Admin\AppData\Local\Temp\8190.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

\Users\Admin\AppData\Local\Temp\89AC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

C:\Users\Admin\AppData\Local\Temp\89AC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

memory/2816-74-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\89AC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

memory/2576-77-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2816-78-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2576-79-0x0000000001D30000-0x0000000001E4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabAE78.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/3008-94-0x0000000073490000-0x0000000073B7E000-memory.dmp

memory/2996-96-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2816-97-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2116-103-0x0000000073490000-0x0000000073B7E000-memory.dmp

memory/2116-104-0x0000000000E90000-0x0000000001524000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B39B.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

C:\Users\Admin\AppData\Local\Temp\B39B.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

C:\Users\Admin\AppData\Local\Temp\TarC140.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0e17c8aadbe890f5a0850118c5cbf2c
SHA1 2b60b1d61d5bc0174d6af45f50f5a9330a4f13ac
SHA256 b4f142d353a9d5fbbc345079defeb1e1c7b57cc56d915ab15c10fc5f2c708d6b
SHA512 7b5fc80a5e48caa2e89786e6f0a1ff66f7410f6b772244163f8219c242d762045d04fbf64afbd75dc75e1c66beca0a29992592b52ff119e1a77f3aa91c03951c

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/2412-132-0x00000000FF370000-0x00000000FF412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/296-149-0x0000000002680000-0x0000000002780000-memory.dmp

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/1164-161-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/848-170-0x0000000000EE0000-0x0000000001054000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/848-171-0x0000000073490000-0x0000000073B7E000-memory.dmp

memory/2348-172-0x00000000043D0000-0x00000000047C8000-memory.dmp

memory/3008-167-0x0000000073490000-0x0000000073B7E000-memory.dmp

\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/1164-152-0x0000000000400000-0x0000000000409000-memory.dmp

memory/296-150-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1164-148-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/2116-174-0x0000000073490000-0x0000000073B7E000-memory.dmp

memory/3008-175-0x0000000004690000-0x00000000046D0000-memory.dmp

memory/2348-177-0x00000000043D0000-0x00000000047C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/848-194-0x0000000073490000-0x0000000073B7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/2664-195-0x0000000001EB0000-0x0000000001FAE000-memory.dmp

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/2348-183-0x00000000047D0000-0x00000000050BB000-memory.dmp

memory/2024-191-0x0000000000400000-0x0000000000413000-memory.dmp

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/560-197-0x0000000000820000-0x0000000000828000-memory.dmp

memory/2664-196-0x0000000002360000-0x0000000002444000-memory.dmp

memory/2664-200-0x0000000002360000-0x0000000002444000-memory.dmp

memory/2664-201-0x0000000002360000-0x0000000002444000-memory.dmp

memory/1164-203-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2116-207-0x0000000073490000-0x0000000073B7E000-memory.dmp

memory/1284-202-0x0000000003AA0000-0x0000000003AB6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c0419d05ad443966df72dd199ad71dd8
SHA1 0ba0b1ddfbd9e45879342dba9191efbc478edf05
SHA256 49e4e0f0690e9d8e830bd520e4cd37e616a530274c6b9ce978f11c122c19696b
SHA512 e63bd124dd8d1b8993b42507a81e39c74edabfc5798cef0869638f3c2ee95a4646aab829d0d974e7912d7fa127f1098d98b92d31b4b01e1d4b4ddfd8e6e84c91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 948cebce3ef0720521f43f6dd0a84c0d
SHA1 88dbb4c3126f1d592cdd76d3cb26299d9c953f80
SHA256 6e14cbfa714ad640467a20d3bcbc3c14a1f0ffb771a6de4906383033b0b87dec
SHA512 113c3443fd021265b9935a390c7b4aed15d6bb5a072251fd4d9a0ef73be543c07934526195a6d151b4df07446796ffe99682818484d1c89d3d05f66742228fa8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 09d2bae3b05f4c92b25a8c6225df6483
SHA1 ff084d8a1f43903b95bf9144b3719126a3d40cc8
SHA256 a282e51236ad1fb5eb73b2d8d8cb022213cda792705d8f595b504e2b6d2e00c5
SHA512 2151cb657a649acbc7009b20a0101f4d196a2c3cf4793885f95e8b865fb6da424a17fa139b97e312e2157a559beb5be63c824841c871114fec949d810c92bd2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c55c74608b70d052ad7cd02226cb1efa
SHA1 21db21eaf034a57db8eb36b5000b14a0f789def8
SHA256 87f9ff52f0d4495f16e26ab94ad7d50f7444365a60f31df79b4a1b388cf7e326
SHA512 99554877b0f5af41abf4acf184b7eb10bad27314be6106dcab184914b009ffb461709b567a83142f4351442c4e53562e1927bb31ddcbc193f78d94c6bab2284b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 2ff1ef1fa09659115846bbb39efb2357
SHA1 83b0b4188141e2651a96d6a9756f79e87305fef1
SHA256 eba368ac0a27812a414dbe4ea5c66ef521e99e0cfeccfdabb24527d7a46a94d2
SHA512 0cd6d0e272809f4533acffb7e0d18160e69a563f2e9740da5f0b4d294f61930b6ff7868c645f05dbb643cb457a68e78cc0f9e36a152abf21c4d4eedaf3f94bb3

memory/840-244-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\Temp\8047.exe

MD5 8c581ea3a1ea8a3792e8a1ce692272c5
SHA1 0888e77676d8b9c1d919c3fce1f08053f829349d
SHA256 aebf7862b39cb99fe17f34b7f34cd4badb0ec4b35ab4662b8614a2996e336630
SHA512 b57c0432da908655a99783b615bb6c2eee46b89b884920cd59b853de5150c9c03f6fb44155b746255247e97afb112495a62a13f793f37f6f2092ab7df9cab1ca

\Users\Admin\AppData\Local\Temp\8047.exe

MD5 8c581ea3a1ea8a3792e8a1ce692272c5
SHA1 0888e77676d8b9c1d919c3fce1f08053f829349d
SHA256 aebf7862b39cb99fe17f34b7f34cd4badb0ec4b35ab4662b8614a2996e336630
SHA512 b57c0432da908655a99783b615bb6c2eee46b89b884920cd59b853de5150c9c03f6fb44155b746255247e97afb112495a62a13f793f37f6f2092ab7df9cab1ca

memory/2996-247-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3008-248-0x00000000047D0000-0x0000000004882000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8047.exe

MD5 8c581ea3a1ea8a3792e8a1ce692272c5
SHA1 0888e77676d8b9c1d919c3fce1f08053f829349d
SHA256 aebf7862b39cb99fe17f34b7f34cd4badb0ec4b35ab4662b8614a2996e336630
SHA512 b57c0432da908655a99783b615bb6c2eee46b89b884920cd59b853de5150c9c03f6fb44155b746255247e97afb112495a62a13f793f37f6f2092ab7df9cab1ca

memory/560-254-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp

memory/2816-255-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2598db97135fc46248362041fb3bef17
SHA1 2a32d9f1d14d8cbb443ac89aefd570d2471ca492
SHA256 a8d54dae5f94d992a2c698fc3eee82d06b4978d4b31b04faf9f5735bdf674617
SHA512 2b319b6ae8f114e53c7efc1ded21f19c8886a662bd323e81bae10c281f963c143b1bddf52099af97dcd9b633dc3f1bc2baec06aa5b77e7a0165951c8020fa1cc

C:\Users\Admin\AppData\Local\d1408f72-d63b-4f62-bafc-3976036d1a0f\89AC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

memory/3008-252-0x0000000000610000-0x000000000062A000-memory.dmp

memory/2348-257-0x0000000000400000-0x0000000002985000-memory.dmp

memory/2816-266-0x0000000000400000-0x0000000000537000-memory.dmp

memory/840-249-0x0000000000330000-0x0000000000336000-memory.dmp

memory/560-276-0x000000001B150000-0x000000001B1D0000-memory.dmp

memory/840-277-0x0000000073490000-0x0000000073B7E000-memory.dmp

\Users\Admin\AppData\Local\Temp\89AC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

\Users\Admin\AppData\Local\Temp\89AC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

C:\Users\Admin\AppData\Local\Temp\89AC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

memory/2816-290-0x0000000000400000-0x0000000000537000-memory.dmp

memory/840-329-0x0000000000BC0000-0x0000000000C00000-memory.dmp

memory/2400-330-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2400-332-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2400-334-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3008-335-0x0000000004690000-0x00000000046D0000-memory.dmp

memory/2400-338-0x0000000073490000-0x0000000073B7E000-memory.dmp

memory/2412-339-0x0000000003140000-0x00000000032B1000-memory.dmp

memory/2412-340-0x0000000002640000-0x0000000002771000-memory.dmp

memory/3008-341-0x0000000073490000-0x0000000073B7E000-memory.dmp

memory/2348-343-0x00000000043D0000-0x00000000047C8000-memory.dmp

memory/2348-346-0x00000000047D0000-0x00000000050BB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77fea397a9762fd5b4e708f303b2da8c
SHA1 55a07e1db56149cbfbcb73919de94214605826da
SHA256 b41411460a98a80876c2951145ff230244034dd50f545182a5ca63c83195ab7a
SHA512 f336fc6c8172152c73e881d6a8120f341f5e126d43d7b1bcecdc427361067c53be657babbc4e27ffa582095ff309ff9718a1a60c98b36f4faa518c969ce22d46

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd94c4251a3f7891c69f03560a002ac2
SHA1 79bccfa13b1c40745bf9b60a6c91760297960f2c
SHA256 a0feb392fb401513ced396bf112c11a53f706a2f960a5c71cc96581f44218ae2
SHA512 b2deee69bf1ca780d0b40cf11dddf95ed7ea0e103464b299bc421e6db234ec219164191f6bdabf1293e05480d8c2baa15639e024030109307a2d0d898d7b18d4

memory/560-440-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp

memory/560-456-0x000000001B150000-0x000000001B1D0000-memory.dmp

memory/840-457-0x0000000073490000-0x0000000073B7E000-memory.dmp

memory/2348-458-0x0000000000400000-0x0000000002985000-memory.dmp

\Users\Admin\Pictures\3D4TXhxYVbJBGxS5pKoYK2xo.exe

MD5 e0161e980efaee7b82ce3546ef48a76f
SHA1 73c9b60263be18ae819786b2c6d796dd663a8c0f
SHA256 5feebee9788da70968f066685c1a0470cc96e023897a17a0c322c6463112a9d3
SHA512 188abc3ab8a0b51f4bcd751d720bc2680546d9b4cac012520aa3d29cbda97a8258a9a3ab2085f9bac2e6e0036e6b5ac3fa4ae173be53c60ebbe9240c6b83ce03

C:\Users\Admin\Pictures\TOymcpmP3x7MwYH0WMIjCiLF.exe

MD5 aa3602359bb93695da27345d82a95c77
SHA1 9cb550458f95d631fef3a89144fc9283d6c9f75a
SHA256 e9225898ffe63c67058ea7e7eb5e0dc2a9ce286e83624bd85604142a07619e7d
SHA512 adf43781d3f1fec56bc9cdcd1d4a8ddf1c4321206b16f70968b6ffccb59c943aed77c1192bf701ccc1ab2ce0f29b77eb76a33eba47d129a9248b61476db78a36

C:\Users\Admin\Pictures\3D4TXhxYVbJBGxS5pKoYK2xo.exe

MD5 e0161e980efaee7b82ce3546ef48a76f
SHA1 73c9b60263be18ae819786b2c6d796dd663a8c0f
SHA256 5feebee9788da70968f066685c1a0470cc96e023897a17a0c322c6463112a9d3
SHA512 188abc3ab8a0b51f4bcd751d720bc2680546d9b4cac012520aa3d29cbda97a8258a9a3ab2085f9bac2e6e0036e6b5ac3fa4ae173be53c60ebbe9240c6b83ce03

\Users\Admin\Pictures\TOymcpmP3x7MwYH0WMIjCiLF.exe

MD5 aa3602359bb93695da27345d82a95c77
SHA1 9cb550458f95d631fef3a89144fc9283d6c9f75a
SHA256 e9225898ffe63c67058ea7e7eb5e0dc2a9ce286e83624bd85604142a07619e7d
SHA512 adf43781d3f1fec56bc9cdcd1d4a8ddf1c4321206b16f70968b6ffccb59c943aed77c1192bf701ccc1ab2ce0f29b77eb76a33eba47d129a9248b61476db78a36

\Users\Admin\Pictures\ni6UIujfe0EFsjqa8ILrfLMg.exe

MD5 30cfa36532ab1aa666661ccac88d489a
SHA1 6228ca40335550548c588d2a14570c751c891d3b
SHA256 c11436d08c9119d9f0f73dac3d63a2269fb3d83f880f4551a45d61e9e86c9ffd
SHA512 7204075fae94387e168e94b6c33d0cea43265427ca23bc55bea463e55936b77b036d0bda1ef3dfe362d5681b8709c6c047be5214a25a2116a32a7bba61d2f682

memory/2400-485-0x000000000B030000-0x000000000B565000-memory.dmp

C:\Users\Admin\Pictures\ni6UIujfe0EFsjqa8ILrfLMg.exe

MD5 30cfa36532ab1aa666661ccac88d489a
SHA1 6228ca40335550548c588d2a14570c751c891d3b
SHA256 c11436d08c9119d9f0f73dac3d63a2269fb3d83f880f4551a45d61e9e86c9ffd
SHA512 7204075fae94387e168e94b6c33d0cea43265427ca23bc55bea463e55936b77b036d0bda1ef3dfe362d5681b8709c6c047be5214a25a2116a32a7bba61d2f682

C:\Users\Admin\Pictures\zvnfhCbU9ez0KVKq6A51ZA6Q.exe

MD5 a976fdf934c2f1e6b6a472c3dcec6d81
SHA1 cfcdf22d8baf05fe7c74cdf9d2d6a61648906a7c
SHA256 a9e91d1b0e29b52134446106e399c2e9352aa9e2030b9be7ae254c92c1a25bc2
SHA512 e05cfef5b01657bc7f29d4cfc6f43652668c3e4f9f8149b6a579653a8b8a59fe6b09fd7c8fa7aab165d738385dc0d9991b6e0d3ebdd34116bd8f7c15d7769267

C:\Users\Admin\Pictures\QuXJ78vzHAbp9x5MuB8J0CFP.exe

MD5 28dc7c29374a14999282785a12a36897
SHA1 abfab2496fad31e9af55a963493611a8c3e0d053
SHA256 93c1844ce635ef17bbc2c972f96d246ba9ac4d739c5df70a61e82abb41338f1b
SHA512 f07c14bfc8657fd08f9429aaeae354b1eb48b82d0a2ca5300ab0354216d19f052f5ba1187e9db0061f972379a0ba1e2ac657f6d16f01e16f9154836eae5d60d4

memory/840-493-0x0000000000BC0000-0x0000000000C00000-memory.dmp

memory/2884-500-0x0000000000A80000-0x0000000000FB5000-memory.dmp

C:\Users\Admin\Pictures\GJOk1SJyyXwC42qVXHJMVon7.exe

MD5 24e3bff785f567b35b1b713d3cbd3ecf
SHA1 1ca640d1af355b2a9d0c38eee921a47423a57353
SHA256 e5c81c38d5bff97dcb6edfd293bce8f92b37be60138bee6d1f68858b7ebef54e
SHA512 38e9a8620758a8d171533e3ef9fbe9aff14e8b00073732ec8825eb4e79dfd7856d6264096f4590f7ba68962d6409f4aa0d8e79dead70fb0b955d8bd5db6b25ae

memory/2400-519-0x0000000073490000-0x0000000073B7E000-memory.dmp

memory/2412-525-0x0000000002640000-0x0000000002771000-memory.dmp

memory/380-527-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\Pictures\dX2JWp4J1JwOnUbOG6TWUkE3.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\XYs9lBIZ23tYeEgc9GmeNUpL.exe

MD5 d5d91bfc8f17c3c7acd8a9bcf83c7890
SHA1 ed277a3dab0dfb45f01a600fdbf6fd01c372ae0e
SHA256 4317eeb8c1adcad41eeb9aac0eca3ebf079cf7f2fe9473dddd049b9ff9d11c7b
SHA512 071a672efc190cc782647ff4a8ce1cd41442723ea050a2e3ff4f84fbb3ed45c07be1555ce43ab1f33f6a187b21d85f76f8bedb30e3141e96e8284c22db9a1b49

memory/1560-549-0x0000000073490000-0x0000000073B7E000-memory.dmp

memory/2864-550-0x00000000FF4C0000-0x00000000FF562000-memory.dmp

memory/1560-553-0x00000000001B0000-0x00000000004CC000-memory.dmp

memory/112-570-0x000000006B9A0000-0x000000006BF4B000-memory.dmp

memory/112-571-0x000000006B9A0000-0x000000006BF4B000-memory.dmp

memory/2400-572-0x000000000B030000-0x000000000B565000-memory.dmp

memory/112-574-0x0000000002670000-0x00000000026B0000-memory.dmp

memory/1076-575-0x0000000002040000-0x00000000026E2000-memory.dmp

memory/2884-576-0x0000000000A80000-0x0000000000FB5000-memory.dmp

memory/1228-579-0x0000000001590000-0x0000000001C32000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\284MM98Y4DYJK0EIODFK.temp

MD5 e1d836827f4a96144e1fe3e52b83f6f7
SHA1 0759c13a6e6ec90eef46346374adecd5f64cae50
SHA256 75cf72f6dd3bc88a23b01533b66f1fc5a11e138ccd1fef1014fc2691ded30ed0
SHA512 37e7ebf2179acd2ffcbe608a9942fdcd4dd67f909f02d81b938f3e2c875bd0d9516aa012bbca0883ddba018be8f926883c5677efa605a0651a89e48c5a6ae115

C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

MD5 13701b5f47799e064b1ddeb18bce96d9
SHA1 1807f0c2ae8a72a823f0fdb0a2c3401a6e89a095
SHA256 a34a5bbba3330c67d8bef87a9888f6d25faf554254a1b2b40ffdaf2ce07b81aa
SHA512 c247ee79649e6467d0e50e8380ada70df8f809016b460ebe5570bfa6c6181284181231bf94c4e5288982741e343c4cf8af735351e7bb38469b0546ef237c30bf

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 4881eb0e1607cfc7dbedc665c4dd36c7
SHA1 b27952f43ad10360b2e5810c029dec0bc932b9c0
SHA256 eb59b5a0fcba7d2e2e1692da1fa0ca61c4bf15e118a1cc52f366c0fc61d6983e
SHA512 8b2e138ed14789f67b75ba1c0483255cd6706319025ca073d38178b856986d0c5288ba18c449da6310ec7828627dd410a0b356580a1f98f9dd53c506bf929a3a

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\360TS_Setup.exe

MD5 aa753772f4d51365a5fdad4bcbb4ac7f
SHA1 3c5748d7e20b503cdf2f3e014376909a495affab
SHA256 9a993fd5c9fe54834181331474d46f67432227f566ea3ef6601a45bf9f71234e
SHA512 fe7895256fb2e83b5b62facf363ac940546f902aab5ad1b29d653ea08715ea4792d3f23afc059b059c0932a2e58d43144de1f7fdc3e54c2447de28a46f5f89b3

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-28 01:24

Reported

2023-09-28 01:27

Platform

win10v2004-20230915-en

Max time kernel

28s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PrivateLoader

loader privateloader

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Stops running service(s)

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Themida packer

themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3996 set thread context of 512 N/A C:\Users\Admin\AppData\Local\Temp\EE39.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\EE39.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 668 wrote to memory of 4968 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED3E.exe
PID 668 wrote to memory of 4968 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED3E.exe
PID 668 wrote to memory of 4968 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED3E.exe
PID 668 wrote to memory of 3996 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE39.exe
PID 668 wrote to memory of 3996 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE39.exe
PID 668 wrote to memory of 3996 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE39.exe
PID 668 wrote to memory of 4144 N/A N/A C:\Windows\system32\regsvr32.exe
PID 668 wrote to memory of 4144 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4144 wrote to memory of 5052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4144 wrote to memory of 5052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4144 wrote to memory of 5052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 668 wrote to memory of 2420 N/A N/A C:\Users\Admin\AppData\Local\Temp\F1F4.exe
PID 668 wrote to memory of 2420 N/A N/A C:\Users\Admin\AppData\Local\Temp\F1F4.exe
PID 668 wrote to memory of 2420 N/A N/A C:\Users\Admin\AppData\Local\Temp\F1F4.exe
PID 3996 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\EE39.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3996 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\EE39.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3996 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\EE39.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 668 wrote to memory of 2252 N/A N/A C:\Users\Admin\AppData\Local\Temp\F486.exe
PID 668 wrote to memory of 2252 N/A N/A C:\Users\Admin\AppData\Local\Temp\F486.exe
PID 668 wrote to memory of 2252 N/A N/A C:\Users\Admin\AppData\Local\Temp\F486.exe
PID 3996 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\EE39.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3996 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\EE39.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3996 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\EE39.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3996 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\EE39.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3996 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\EE39.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3996 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\EE39.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3996 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\EE39.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3996 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\EE39.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 668 wrote to memory of 1788 N/A N/A C:\Users\Admin\AppData\Local\Temp\10A.exe
PID 668 wrote to memory of 1788 N/A N/A C:\Users\Admin\AppData\Local\Temp\10A.exe
PID 668 wrote to memory of 1788 N/A N/A C:\Users\Admin\AppData\Local\Temp\10A.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe

"C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef.exe"

C:\Users\Admin\AppData\Local\Temp\ED3E.exe

C:\Users\Admin\AppData\Local\Temp\ED3E.exe

C:\Users\Admin\AppData\Local\Temp\EE39.exe

C:\Users\Admin\AppData\Local\Temp\EE39.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F0BB.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F0BB.dll

C:\Users\Admin\AppData\Local\Temp\F1F4.exe

C:\Users\Admin\AppData\Local\Temp\F1F4.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\F486.exe

C:\Users\Admin\AppData\Local\Temp\F486.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3996 -ip 3996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 152

C:\Users\Admin\AppData\Local\Temp\10A.exe

C:\Users\Admin\AppData\Local\Temp\10A.exe

C:\Users\Admin\AppData\Local\Temp\948.exe

C:\Users\Admin\AppData\Local\Temp\948.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\F486.exe" -Force

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\is-H48Q8.tmp\is-MMQHO.tmp

"C:\Users\Admin\AppData\Local\Temp\is-H48Q8.tmp\is-MMQHO.tmp" /SL4 $110040 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Users\Admin\Pictures\diBYAqD9UjPwIL12ecJhH1BL.exe

"C:\Users\Admin\Pictures\diBYAqD9UjPwIL12ecJhH1BL.exe"

C:\Users\Admin\Pictures\0CNRMYKzZ9Qo0KpOPY6CkdNS.exe

"C:\Users\Admin\Pictures\0CNRMYKzZ9Qo0KpOPY6CkdNS.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Users\Admin\AppData\Local\Temp\is-CD1E3.tmp\0CNRMYKzZ9Qo0KpOPY6CkdNS.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CD1E3.tmp\0CNRMYKzZ9Qo0KpOPY6CkdNS.tmp" /SL5="$100042,4692544,832512,C:\Users\Admin\Pictures\0CNRMYKzZ9Qo0KpOPY6CkdNS.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\PvIQM8vUWiNsjQzvRAKBO5KU.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\PvIQM8vUWiNsjQzvRAKBO5KU.exe" --version

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Users\Admin\Pictures\vgO4Oqs96NxUjKr9QWkZtRrO.exe

"C:\Users\Admin\Pictures\vgO4Oqs96NxUjKr9QWkZtRrO.exe"

C:\Users\Admin\AppData\Roaming\gisribc

C:\Users\Admin\AppData\Roaming\gisribc

C:\Users\Admin\Pictures\PvIQM8vUWiNsjQzvRAKBO5KU.exe

C:\Users\Admin\Pictures\PvIQM8vUWiNsjQzvRAKBO5KU.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=102.0.4880.70 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2c4,0x2f4,0x6bbc3600,0x6bbc3610,0x6bbc361c

C:\Users\Admin\AppData\Local\Temp\7zS4BAA.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\is-B3M24.tmp\is-I7LIO.tmp

"C:\Users\Admin\AppData\Local\Temp\is-B3M24.tmp\is-I7LIO.tmp" /SL4 $E014C "C:\Users\Admin\Pictures\9u6cVwYTboThL6eYvMzIXTjT.exe" 2831567 52224

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Users\Admin\Pictures\kvzQoi5BMqBf28WU1OB6oLTX.exe

"C:\Users\Admin\Pictures\kvzQoi5BMqBf28WU1OB6oLTX.exe"

C:\Users\Admin\Pictures\ckKLau4CotD2QRDtQuOv7qqt.exe

"C:\Users\Admin\Pictures\ckKLau4CotD2QRDtQuOv7qqt.exe"

C:\Users\Admin\Pictures\kH4Rm9b2NrwcDNBMtmFQnvaL.exe

"C:\Users\Admin\Pictures\kH4Rm9b2NrwcDNBMtmFQnvaL.exe"

C:\Users\Admin\Pictures\9u6cVwYTboThL6eYvMzIXTjT.exe

"C:\Users\Admin\Pictures\9u6cVwYTboThL6eYvMzIXTjT.exe"

C:\Users\Admin\Pictures\qHkPAFlC3wla03hiWlCTGx43.exe

"C:\Users\Admin\Pictures\qHkPAFlC3wla03hiWlCTGx43.exe"

C:\Users\Admin\Pictures\PvIQM8vUWiNsjQzvRAKBO5KU.exe

"C:\Users\Admin\Pictures\PvIQM8vUWiNsjQzvRAKBO5KU.exe" --silent --allusers=0

C:\Users\Admin\Pictures\aYrpGnv0MuBK7gHmIuUrE8Z9.exe

"C:\Users\Admin\Pictures\aYrpGnv0MuBK7gHmIuUrE8Z9.exe" /s

C:\Users\Admin\AppData\Local\Temp\7zS5186.tmp\Install.exe

.\Install.exe /jdidsrAf "385118" /S

C:\Users\Admin\AppData\Local\Temp\is-7N0BV.tmp\_isetup\_setup64.tmp

helper 105 0x450

C:\Users\Admin\Pictures\kWN9RPY1deKyPt4xn9Yfn0Fk.exe

"C:\Users\Admin\Pictures\kWN9RPY1deKyPt4xn9Yfn0Fk.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files (x86)\OSJMount\OSJMount.exe

"C:\Program Files (x86)\OSJMount\OSJMount.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 27

C:\Users\Admin\Pictures\PvIQM8vUWiNsjQzvRAKBO5KU.exe

"C:\Users\Admin\Pictures\PvIQM8vUWiNsjQzvRAKBO5KU.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5096 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20230915072030" --session-guid=d0bc2381-0bca-49f0-ac1d-2f00e9231487 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2C05000000000000

C:\Users\Admin\Pictures\PvIQM8vUWiNsjQzvRAKBO5KU.exe

C:\Users\Admin\Pictures\PvIQM8vUWiNsjQzvRAKBO5KU.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=102.0.4880.70 --initial-client-data=0x2e4,0x2f4,0x2f8,0x2c0,0x2fc,0x69f23600,0x69f23610,0x69f2361c

C:\Program Files (x86)\OSJMount\OSJMount.exe

"C:\Program Files (x86)\OSJMount\OSJMount.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 27

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gXUKgpdvq" /SC once /ST 02:48:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Users\Admin\Pictures\360TS_Setup.exe

"C:\Users\Admin\Pictures\360TS_Setup.exe" /c:WW.InstallRox.CPI202211 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gXUKgpdvq"

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Program Files (x86)\1694762477_0\360TS_Setup.exe

"C:\Program Files (x86)\1694762477_0\360TS_Setup.exe" /c:WW.InstallRox.CPI202211 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202309150720301\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202309150720301\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gXUKgpdvq"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bdkeAfOUqXcBUVgRoj" /SC once /ST 07:22:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ZROLVEdkIdnjbwOtm\JeUBztuMMvAFKOJ\PhqzeBw.exe\" 03 /pCsite_idfCk 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202309150720301\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202309150720301\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202309150720301\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202309150720301\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x44e8a0,0x44e8b0,0x44e8bc

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
BG 193.42.32.101:80 193.42.32.101 tcp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
PL 146.59.10.173:45035 tcp
US 8.8.8.8:53 173.10.59.146.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 104.21.93.225:443 flyawayaero.net tcp
NL 13.227.219.122:443 downloads.digitalpulsedata.com tcp
US 8.8.8.8:53 ji.alie3ksgbb.com udp
US 8.8.8.8:53 jetpackdelivery.net udp
US 188.114.97.0:80 jetpackdelivery.net tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 225.93.21.104.in-addr.arpa udp
US 8.8.8.8:53 122.219.227.13.in-addr.arpa udp
US 188.114.97.0:443 jetpackdelivery.net tcp
US 8.8.8.8:53 new.drivelikea.com udp
US 188.114.97.0:443 new.drivelikea.com tcp
US 8.8.8.8:53 hbn42414.beget.tech udp
US 8.8.8.8:53 lycheepanel.info udp
RU 87.236.19.5:80 hbn42414.beget.tech tcp
US 8.8.8.8:53 galandskiyher3.com udp
US 104.21.32.208:443 lycheepanel.info tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 10.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 net.geo.opera.com udp
NL 194.169.175.127:80 galandskiyher3.com tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 5.19.236.87.in-addr.arpa udp
US 8.8.8.8:53 208.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 int.down.360safe.com udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 asiatohome.com udp
DE 62.171.175.57:443 asiatohome.com tcp
NL 108.156.60.116:80 int.down.360safe.com tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 116.60.156.108.in-addr.arpa udp
US 8.8.8.8:53 57.175.171.62.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
DE 148.251.234.93:443 yip.su tcp
US 8.8.8.8:53 d062.userscloud.net udp
DE 168.119.140.62:443 d062.userscloud.net tcp
US 8.8.8.8:53 143.144.217.85.in-addr.arpa udp
US 8.8.8.8:53 62.140.119.168.in-addr.arpa udp
US 8.8.8.8:53 170.25.221.88.in-addr.arpa udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 148.251.234.93:443 yip.su tcp
US 8.8.8.8:53 st.p.360safe.com udp
US 8.8.8.8:53 iup.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
US 8.8.8.8:53 tr.p.360safe.com udp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
IE 54.76.174.118:80 tr.p.360safe.com udp
US 8.8.8.8:53 s.360safe.com udp
US 8.8.8.8:53 int.down.360safe.com udp
NL 108.156.60.18:80 int.down.360safe.com tcp
NL 108.156.60.116:80 int.down.360safe.com tcp
NL 108.156.60.9:80 int.down.360safe.com tcp
NL 108.156.60.43:80 int.down.360safe.com tcp
NL 108.156.60.18:80 int.down.360safe.com tcp
NL 108.156.60.9:80 int.down.360safe.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 sd.p.360safe.com udp
US 8.8.8.8:53 29.42.77.54.in-addr.arpa udp
NL 52.222.137.147:80 sd.p.360safe.com tcp
US 8.8.8.8:53 172.127.236.151.in-addr.arpa udp
US 8.8.8.8:53 118.174.76.54.in-addr.arpa udp
US 8.8.8.8:53 18.60.156.108.in-addr.arpa udp
US 8.8.8.8:53 43.60.156.108.in-addr.arpa udp
US 8.8.8.8:53 9.60.156.108.in-addr.arpa udp
US 8.8.8.8:53 141.179.29.52.in-addr.arpa udp
NL 108.156.60.116:80 int.down.360safe.com tcp
NL 108.156.60.18:80 int.down.360safe.com tcp
NL 108.156.60.43:80 int.down.360safe.com tcp
NL 108.156.60.18:80 int.down.360safe.com tcp
US 8.8.8.8:53 147.137.222.52.in-addr.arpa udp
NL 108.156.60.116:80 int.down.360safe.com tcp
NL 108.156.60.9:80 int.down.360safe.com tcp
NL 108.156.60.18:80 int.down.360safe.com tcp
NL 108.156.60.116:80 int.down.360safe.com tcp
NL 108.156.60.18:80 int.down.360safe.com tcp
NL 108.156.60.43:80 int.down.360safe.com tcp
NL 108.156.60.9:80 int.down.360safe.com tcp
NL 108.156.60.18:80 int.down.360safe.com tcp
NL 108.156.60.116:80 int.down.360safe.com tcp
NL 108.156.60.9:80 int.down.360safe.com tcp
NL 108.156.60.18:80 int.down.360safe.com tcp
NL 108.156.60.43:80 int.down.360safe.com tcp
NL 108.156.60.18:80 int.down.360safe.com tcp
NL 108.156.60.116:80 int.down.360safe.com tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 124.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 features.opera-api2.com udp
NL 82.145.216.15:443 features.opera-api2.com tcp
BG 193.42.32.118:80 193.42.32.118 tcp
US 8.8.8.8:53 download.opera.com udp
US 8.8.8.8:53 api.myip.com udp
NL 185.26.182.122:443 download.opera.com tcp
US 104.26.9.59:443 api.myip.com tcp
US 8.8.8.8:53 15.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 118.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 122.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 59.9.26.104.in-addr.arpa udp
US 8.8.8.8:53 download3.operacdn.com udp
US 8.8.8.8:53 m7val1dat0r.info udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
NL 88.221.24.120:443 download3.operacdn.com tcp
US 188.114.96.0:443 m7val1dat0r.info tcp
US 8.8.8.8:53 120.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 vk.com udp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
US 8.8.8.8:53 194.225.186.93.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
BG 193.42.32.118:80 193.42.32.118 tcp
US 8.8.8.8:53 bapp.digitalpulsedata.com udp
DE 52.29.179.141:80 s.360safe.com tcp
CA 3.98.219.138:443 bapp.digitalpulsedata.com tcp
US 8.8.8.8:53 138.219.98.3.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 orion.ts.360.com udp
NL 82.145.215.156:443 orion.ts.360.com tcp
US 8.8.8.8:53 156.215.145.82.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
CA 159.203.50.188:7001 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 188.50.203.159.in-addr.arpa udp
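
The rows above are a flattened connection table: country code, destination ip:port, the name that was resolved (the 8.8.8.8:53 rows are the DNS queries themselves, with the queried name in that column), and protocol. Reverse lookups of every contacted address (the *.in-addr.arpa rows), the sandbox's own mDNS traffic and the update and telemetry traffic of the legitimate software the dropper installs (Opera, 360 Total Security) outnumber the handful of hosts that matter, and repeated flows to one host appear as repeated rows. The Python helper below is an added example and is not part of the report or of the sandbox's tooling: it parses rows in this format, separates DNS queries from connections, collapses repeated flows into counts, and shortlists the destinations that are neither reverse-DNS noise nor on a small allowlist. It also parses Files entries of the kind listed further down and groups them by SHA256, which is how you notice that one binary was dropped under more than one path. The allowlist suffixes and the IP-check host set are assumptions made for the example; the embedded sample rows and file entries are excerpts of this report, shortened for brevity.

```python
"""Added triage helper (example code, not the sandbox's own tooling)."""
import re
from collections import Counter, defaultdict

# Network row "<CC> <ip>:<port> [<name>] <tcp|udp>"; name absent for mDNS and some flows.
NET_ROW = re.compile(r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                     r"(?:\s+(?P<name>\S+))?\s+(?P<proto>tcp|udp)$")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
# Assumed allowlist (editorial assumption, re-check per case): update hosts of the
# legitimate software the dropper installs (Opera, 360 Total Security).
BENIGN_SUFFIXES = (".opera.com", ".opera.software", ".operacdn.com",
                   ".opera-api2.com", ".360safe.com", ".360.com")
IP_CHECK_HOSTS = {"ipinfo.io", "api.myip.com", "iplogger.com", "yip.su"}

def classify(name, ip):
    if 224 <= int(ip.split(".")[0]) <= 239:
        return "multicast"       # mDNS/SSDP chatter from the sandbox itself
    if name is None:
        return "no-name"         # connection without a resolved name: look at it
    if name.endswith(".in-addr.arpa"):
        return "dns-ptr"         # reverse lookups of IPs just contacted: noise
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", name):
        return "raw-ip"          # hard-coded IP, nothing to sinkhole by name
    if name in IP_CHECK_HOSTS:
        return "ip-check"        # the report's "Looks up external IP" signature
    if name.endswith(BENIGN_SUFFIXES):
        return "benign-updater"
    return "unknown"             # candidate C2 / payload host: review first

def parse_network(text):
    rows = [m.groupdict() for m in map(NET_ROW.match, map(str.strip, text.splitlines())) if m]
    for r in rows:
        r["port"] = int(r["port"])
    return rows

def summarize_network(rows, resolver="8.8.8.8"):
    """Split DNS queries from connections, count repeated flows, rank unknowns."""
    queries, flows = set(), Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["ip"] == resolver:
            if classify(r["name"], r["ip"]) != "dns-ptr":
                queries.add(r["name"])
        else:
            flows[(r["name"], r["ip"], r["port"], r["proto"], r["cc"])] += 1
    candidates = sorted({(n or "", ip, p) for (n, ip, p, _, _) in flows
                         if classify(n, ip) in ("unknown", "raw-ip", "no-name")})
    return {"queries": queries, "flows": flows, "candidates": candidates}

def parse_files(text):
    """(path, {algo: hexdigest}) per Files entry; memory dump lines are skipped."""
    entries, path, hashes = [], None, {}
    for line in map(str.strip, text.splitlines()):
        if re.match(r"^[A-Za-z]:\\", line):          # a new dropped-file entry
            if path and hashes:
                entries.append((path, hashes))
            path, hashes = line, {}
        elif path and (m := HASH_LINE.match(line)):
            hashes[m.group(1)] = m.group(2)
    if path and hashes:
        entries.append((path, hashes))
    return entries

def group_by_sha256(entries):
    groups = defaultdict(set)      # same binary under several names = one IOC
    for path, h in entries:
        if "SHA256" in h:
            groups[h["SHA256"]].add(path)
    return {sha: sorted(paths) for sha, paths in groups.items()}

# Excerpts copied from this report's own lists (most rows and the MD5/SHA1/SHA512
# lines omitted for brevity); the parsers accept the full page text unchanged.
SAMPLE_NETWORK = """\
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
N/A 224.0.0.251:5353 udp
CA 159.203.50.188:7001 tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
"""
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\ED3E.exe
SHA256 aebf7862b39cb99fe17f34b7f34cd4badb0ec4b35ab4662b8614a2996e336630
C:\Users\Admin\AppData\Local\Temp\ED3E.exe
SHA256 aebf7862b39cb99fe17f34b7f34cd4badb0ec4b35ab4662b8614a2996e336630
C:\Program Files (x86)\PA Previewer\previewer.exe
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
C:\ProgramData\ContentDVSvc\ContentDVSvc.exe
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
"""

def run_sample():
    return {"network": summarize_network(parse_network(SAMPLE_NETWORK)),
            "files": group_by_sha256(parse_files(SAMPLE_FILES))}

if __name__ == "__main__":
    print(run_sample())
```

Run it as a script to print the summaries, or pass the full page text to parse_network and parse_files. On the excerpt, the Opera row is allowlisted and the mDNS row is dropped as multicast, so the review list is left with z.nnnaajjjgc.com, the bare-IP connection to 5.42.64.10 and the unnamed 159.203.50.188:7001 flow, and the file grouping shows the previewer.exe / ContentDVSvc.exe pair as one hash at two paths.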

Files

memory/2840-1-0x00000000027C0000-0x00000000028C0000-memory.dmp

memory/2840-2-0x0000000000400000-0x0000000002599000-memory.dmp

memory/2840-3-0x0000000002740000-0x0000000002749000-memory.dmp

memory/668-4-0x0000000000660000-0x0000000000676000-memory.dmp

memory/2840-5-0x0000000000400000-0x0000000002599000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ED3E.exe

MD5 8c581ea3a1ea8a3792e8a1ce692272c5
SHA1 0888e77676d8b9c1d919c3fce1f08053f829349d
SHA256 aebf7862b39cb99fe17f34b7f34cd4badb0ec4b35ab4662b8614a2996e336630
SHA512 b57c0432da908655a99783b615bb6c2eee46b89b884920cd59b853de5150c9c03f6fb44155b746255247e97afb112495a62a13f793f37f6f2092ab7df9cab1ca

C:\Users\Admin\AppData\Local\Temp\EE39.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

C:\Users\Admin\AppData\Local\Temp\F0BB.dll

MD5 1ab6c1d7f480fa84080c5ea04328841c
SHA1 4e98a73776cdb17fcbef5d3c24c2c809443317e0
SHA256 71998d732d2df7220d044181117be67b53bc1566d66dcf4a4ace737112915a1f
SHA512 34766634f8bdb7ea1e2bd64db0719697b1550b854d059f84e0b97ac30cbc8a76b50537459d8845087d5cbcd4f55c2cc344a904b6239630587e204e8a9b7b8fb2

C:\Users\Admin\AppData\Local\Temp\F1F4.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

memory/5052-27-0x0000000000E90000-0x0000000000E96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F486.exe

MD5 e95e666035b3787ea98b894253e608a6
SHA1 0579d7cdfe626702634322376d84ad43227760af
SHA256 ab4cdb60909f34d673fc6bc261a54910d21ecc68ba5f591ebe5da372aca2df62
SHA512 cc4841e47282f2969e700c3fe8a0710b9be64b49cb0d6b951b597a482fde7fd065a15cfb30b71d272a6dc659de2ba27c4a9cc46994fa3413f91e5ff3419ade5c

memory/512-33-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2252-34-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/5052-29-0x0000000010000000-0x00000000102A9000-memory.dmp

memory/2252-37-0x0000000000A60000-0x0000000000B22000-memory.dmp

memory/512-36-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/512-35-0x0000000002A30000-0x0000000002A36000-memory.dmp

memory/2252-38-0x0000000005450000-0x00000000054EC000-memory.dmp

memory/2252-39-0x0000000005AA0000-0x0000000006044000-memory.dmp

memory/2252-40-0x00000000054F0000-0x0000000005582000-memory.dmp

memory/512-41-0x00000000059E0000-0x0000000005FF8000-memory.dmp

memory/2252-45-0x0000000005400000-0x000000000540A000-memory.dmp

memory/512-42-0x00000000054D0000-0x00000000055DA000-memory.dmp

memory/512-44-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/512-48-0x00000000053B0000-0x00000000053C0000-memory.dmp

memory/2252-43-0x0000000005660000-0x0000000005670000-memory.dmp

memory/512-49-0x0000000005400000-0x000000000543C000-memory.dmp

memory/2252-52-0x0000000005760000-0x0000000005812000-memory.dmp

memory/512-54-0x0000000005440000-0x000000000548C000-memory.dmp

memory/1788-53-0x00000000002B0000-0x0000000000944000-memory.dmp

memory/2252-56-0x0000000005600000-0x000000000561A000-memory.dmp

memory/1788-55-0x0000000073F60000-0x0000000074710000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10A.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

C:\Users\Admin\AppData\Local\Temp\948.exe

MD5 9e6969580b72dba6fd25b569e7ae4c09
SHA1 f74042ea21b9291d7fec480cabf1cd173b9ee27b
SHA256 551e9ee4fa8868ec696902669379a978a92cea6ec086043ca2266e0f78fe485d
SHA512 6d23fa12e42564e4f9267ebaad1f1d897941cf233c0bb6468641a7c4e97785d2f8cc885cbf7b38debb61274071c3124378bb68003d2e993a2144203f85f40846

memory/2824-66-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/2824-80-0x0000000005740000-0x0000000005750000-memory.dmp

memory/1296-82-0x00007FF70DBB0000-0x00007FF70DC52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/2252-72-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/4376-88-0x0000000002630000-0x0000000002730000-memory.dmp

memory/3168-96-0x0000000002C00000-0x0000000002C36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/3168-101-0x00000000051C0000-0x00000000051D0000-memory.dmp

memory/720-103-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/5012-121-0x00000000005F0000-0x0000000000764000-memory.dmp

memory/1788-124-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/3168-126-0x00000000051C0000-0x00000000051D0000-memory.dmp

memory/720-125-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2816-127-0x0000000004AF0000-0x00000000053DB000-memory.dmp

memory/5012-122-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/2816-129-0x00000000045F0000-0x00000000049EC000-memory.dmp

memory/512-128-0x0000000005710000-0x0000000005786000-memory.dmp

memory/512-130-0x0000000006000000-0x0000000006066000-memory.dmp

memory/3168-108-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/3168-107-0x0000000005800000-0x0000000005E28000-memory.dmp

memory/2816-140-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/668-154-0x00000000026F0000-0x0000000002706000-memory.dmp

memory/1724-143-0x0000000000400000-0x0000000000413000-memory.dmp

memory/512-104-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/4376-98-0x00000000025E0000-0x00000000025E9000-memory.dmp

memory/2824-71-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/1724-164-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pkxgt1mj.4ha.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/3168-185-0x0000000005770000-0x0000000005792000-memory.dmp

memory/3168-190-0x0000000005FA0000-0x0000000006006000-memory.dmp

memory/64-192-0x00000000006B0000-0x00000000006B8000-memory.dmp

memory/512-191-0x00000000053B0000-0x00000000053C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-H48Q8.tmp\is-MMQHO.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/5012-210-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/64-217-0x00007FFD27240000-0x00007FFD27D01000-memory.dmp

C:\Users\Admin\Pictures\kWN9RPY1deKyPt4xn9Yfn0Fk.exe

MD5 a1e3d69810e55d924bf8ac091235110c
SHA1 1e200e3485a706cccd366a0587610a82193d435c
SHA256 bf8092550afdf596dd95e8c38bc93b2fe7244dcac48fb2b95a2e1487c45cd9aa
SHA512 d2a4d7e18d91e4732d949a85b055ae3e2b6d675aff525967d63edd904a42b37bfe264ebe20e88ba0d2a19421657743e91ca84a31660dccc7fe7ea837f76463b0

memory/512-287-0x0000000006740000-0x0000000006902000-memory.dmp

C:\Users\Admin\Pictures\diBYAqD9UjPwIL12ecJhH1BL.exe

MD5 e0161e980efaee7b82ce3546ef48a76f
SHA1 73c9b60263be18ae819786b2c6d796dd663a8c0f
SHA256 5feebee9788da70968f066685c1a0470cc96e023897a17a0c322c6463112a9d3
SHA512 188abc3ab8a0b51f4bcd751d720bc2680546d9b4cac012520aa3d29cbda97a8258a9a3ab2085f9bac2e6e0036e6b5ac3fa4ae173be53c60ebbe9240c6b83ce03

memory/512-321-0x0000000008C70000-0x000000000919C000-memory.dmp

C:\Users\Admin\Pictures\aYrpGnv0MuBK7gHmIuUrE8Z9.exe

MD5 aa3602359bb93695da27345d82a95c77
SHA1 9cb550458f95d631fef3a89144fc9283d6c9f75a
SHA256 e9225898ffe63c67058ea7e7eb5e0dc2a9ce286e83624bd85604142a07619e7d
SHA512 adf43781d3f1fec56bc9cdcd1d4a8ddf1c4321206b16f70968b6ffccb59c943aed77c1192bf701ccc1ab2ce0f29b77eb76a33eba47d129a9248b61476db78a36

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

C:\Users\Admin\Pictures\kvzQoi5BMqBf28WU1OB6oLTX.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/1344-363-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2708-372-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/1724-381-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7A0287F882E4FB5DB3569281562B042A

MD5 bfd32523cae1f183532a9db80f50988f
SHA1 fe2c0e5c9c71d9e8e0b98f3ad54983420e05dfb8
SHA256 4f3e1c1b433a0340dfff4bfdd93bc84516502c51130d720ee9c742b8a1322b7a
SHA512 4620cbaceaa8eeee133b8ba54c492abe3f244b21628e3d4457d91d2cf35d9e7fcd692ba33b1eb7941d04abee111354947aeb8c88b7ef1ae62360a84cff101a5d

memory/4416-403-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7A0287F882E4FB5DB3569281562B042A

MD5 306314865aeb80380ad739207a3c45aa
SHA1 1f7dc4a2fdc7404f96c9708875d55eccd1016ce8
SHA256 254ada572dbc295e2968c4a936c1091aabd1a322f500781d5165515f577044a1
SHA512 bb366fd26884a3e2bd998253ac74969cc33302e5ebae181a13d48f4d8d14d6c920b700409bdf623777772121ece46d6bdffeaa3ce00a16a53b45f5a4a2c1297c

memory/1832-406-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4164-405-0x0000000000040000-0x0000000000575000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 2ca6c5d2902a1de89ccba72dcd748ec1
SHA1 f8c675756d6bca174b3e32efd49d1abdf6b9799c
SHA256 161e3ea11e6bd8253c28acfc9968c2f0142e74ab2caba4c80d0870d79e4310db
SHA512 6c20415b5dfd6d5a0796e49ed72e55f609820f4d252408da1911f3927593bf15e951c47d07bd2bb47382827c96858ef0cb30ab7a8dc0c53040786d899fab07e5

memory/5096-398-0x0000000000040000-0x0000000000575000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-GAFBU.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-GAFBU.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1344-387-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2309150720023194164.dll

MD5 39446fcc81de22345867c2723e398e24
SHA1 914b41ac8271bacc6d4787806ac50484b82e1b6e
SHA256 bcb5a1be5090134f312f16b869eaac5547d014aaaddd8f9546e1f07423b5b338
SHA512 34c550ce866751c7cb4947cb71beaa82a316785c4153ffbfabcb3a8b3f080293eb8731f90f7f9f2a955e32922bd88ff3e963e4076fbee8c98b8106ddd1d17453

C:\Users\Admin\Pictures\PvIQM8vUWiNsjQzvRAKBO5KU.exe

MD5 6b537a4c93da49f84fc6aad9ba750a73
SHA1 56febe87340c3555c2b47337ee6df64013eb4b8a
SHA256 2d02e1adbd4d6f51beca5ddc77b5b1a4247d247a2f21ee4f1015ac3523c4b620
SHA512 9553dab11e1b40c6d108f49fc5f37e5d507481edb325ac9d7042ddd4940ed07dccbb0414447ff8430f47af698981e42bd3a31d6c5fdc267a2efc710295cc60c0

C:\Users\Admin\AppData\Local\Temp\7zS4BAA.tmp\Install.exe

MD5 e5b02e57567f8765f39ad4087443af4f
SHA1 61e14d7b8069415af673486e2f1f6da38f0dc45d
SHA256 91ef912e61a57bbb8a8d145e3aa8c2b3614d7bff5fd3366cd54a339b9cb46355
SHA512 0cadd01d00976dd053b95055e82504e331fc7b2f658c6d726f94b6ffe7b93b70786cc8775e2969638bc11e9387901de13d92d91407e98d08d129766a9d25ebca

C:\ProgramData\ContentDVSvc\ContentDVSvc.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

C:\Users\Admin\AppData\Local\Temp\is-B3M24.tmp\is-I7LIO.tmp

MD5 f1b5055e1e80bf52a48683f85f9298ef
SHA1 26976cc0c690693084466d185c5e84da9870a778
SHA256 0b6381a1fc1ebc6594804042c8bf1ccfac7a9328bba3d3a487e571cbee298e50
SHA512 01290db6ac4dedb15d20fdc80a112b34cbce5c381c8fd262633c662e7927b314bca8063ad6109331d57feb50ed4045c05a7235347bb29edf401f9f867e9237ef

C:\Users\Admin\Pictures\vgO4Oqs96NxUjKr9QWkZtRrO.exe

MD5 380b17feab2c2dc51b7940a95295678e
SHA1 d39bb6eabdf04e535737f77ef838f5ad6bdb4b6a
SHA256 aa3d40c34d88ebc024f798e3e5a720e6cd7f6f447cdfbbead1f0c5bba72d4312
SHA512 728c01575152a1b8637bba1db1078e3c66e8631351c18ec55c4356e26af1fcd16b5d9698058e4247b7e43c5090f173b19d81664b1c60b03b6e98cb3f6a278c3e

memory/2708-362-0x0000000000820000-0x0000000000B3C000-memory.dmp

C:\Users\Admin\Pictures\0CNRMYKzZ9Qo0KpOPY6CkdNS.exe

MD5 3e74b7359f603f61b92cf7df47073d4a
SHA1 c6155f69a35f3baff84322b30550eee58b7dcff3
SHA256 f783c71bcb9e1fb5c91dbe78899537244467dbfd0262491fa4bc607e27013cf6
SHA512 4ab9c603a928c52b757231f6f43c109ecce7fc04aa85cdf2c6597c5ae920316bf1d082aae153fe11f78cb45ca420de9026a9f4c16dd031239d29a1abb807ce05

C:\Users\Admin\Pictures\ckKLau4CotD2QRDtQuOv7qqt.exe

MD5 d5d91bfc8f17c3c7acd8a9bcf83c7890
SHA1 ed277a3dab0dfb45f01a600fdbf6fd01c372ae0e
SHA256 4317eeb8c1adcad41eeb9aac0eca3ebf079cf7f2fe9473dddd049b9ff9d11c7b
SHA512 071a672efc190cc782647ff4a8ce1cd41442723ea050a2e3ff4f84fbb3ed45c07be1555ce43ab1f33f6a187b21d85f76f8bedb30e3141e96e8284c22db9a1b49

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2309150719598035096.dll

MD5 39446fcc81de22345867c2723e398e24
SHA1 914b41ac8271bacc6d4787806ac50484b82e1b6e
SHA256 bcb5a1be5090134f312f16b869eaac5547d014aaaddd8f9546e1f07423b5b338
SHA512 34c550ce866751c7cb4947cb71beaa82a316785c4153ffbfabcb3a8b3f080293eb8731f90f7f9f2a955e32922bd88ff3e963e4076fbee8c98b8106ddd1d17453

C:\Users\Admin\Pictures\kH4Rm9b2NrwcDNBMtmFQnvaL.exe

MD5 24e3bff785f567b35b1b713d3cbd3ecf
SHA1 1ca640d1af355b2a9d0c38eee921a47423a57353
SHA256 e5c81c38d5bff97dcb6edfd293bce8f92b37be60138bee6d1f68858b7ebef54e
SHA512 38e9a8620758a8d171533e3ef9fbe9aff14e8b00073732ec8825eb4e79dfd7856d6264096f4590f7ba68962d6409f4aa0d8e79dead70fb0b955d8bd5db6b25ae

memory/4004-322-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4416-320-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\qHkPAFlC3wla03hiWlCTGx43.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\9u6cVwYTboThL6eYvMzIXTjT.exe

MD5 8de42b4b671b90c4f265da6feee2d982
SHA1 2a5cab6b3e8b3bee725af6ce8741debe9aa0fc49
SHA256 cdd2c21b37c7e5b34823eff79ffec414d910e84a7a475f648d02de0c1bc84147
SHA512 786eb81245f5dbca762f60b03bda7078c04c6e763e5bf20f5ee35289a0286e427048c9b40095f833da08ed9587daa6988fd1ac4c74891e23a71e7635bbc19cd7

C:\Users\Admin\Pictures\ckKLau4CotD2QRDtQuOv7qqt.exe

MD5 d5d91bfc8f17c3c7acd8a9bcf83c7890
SHA1 ed277a3dab0dfb45f01a600fdbf6fd01c372ae0e
SHA256 4317eeb8c1adcad41eeb9aac0eca3ebf079cf7f2fe9473dddd049b9ff9d11c7b
SHA512 071a672efc190cc782647ff4a8ce1cd41442723ea050a2e3ff4f84fbb3ed45c07be1555ce43ab1f33f6a187b21d85f76f8bedb30e3141e96e8284c22db9a1b49

memory/2816-256-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\Pictures\kvzQoi5BMqBf28WU1OB6oLTX.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Local\Temp\is-MSQKI.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-MSQKI.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

C:\Users\Admin\Pictures\aYrpGnv0MuBK7gHmIuUrE8Z9.exe

MD5 aa3602359bb93695da27345d82a95c77
SHA1 9cb550458f95d631fef3a89144fc9283d6c9f75a
SHA256 e9225898ffe63c67058ea7e7eb5e0dc2a9ce286e83624bd85604142a07619e7d
SHA512 adf43781d3f1fec56bc9cdcd1d4a8ddf1c4321206b16f70968b6ffccb59c943aed77c1192bf701ccc1ab2ce0f29b77eb76a33eba47d129a9248b61476db78a36

C:\Users\Admin\Pictures\mHkGYXzQMnngmFU3NXUqdwuY.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

memory/5168-419-0x00007FF628650000-0x00007FF629469000-memory.dmp

C:\Users\Admin\Pictures\kWN9RPY1deKyPt4xn9Yfn0Fk.exe

MD5 a1e3d69810e55d924bf8ac091235110c
SHA1 1e200e3485a706cccd366a0587610a82193d435c
SHA256 bf8092550afdf596dd95e8c38bc93b2fe7244dcac48fb2b95a2e1487c45cd9aa
SHA512 d2a4d7e18d91e4732d949a85b055ae3e2b6d675aff525967d63edd904a42b37bfe264ebe20e88ba0d2a19421657743e91ca84a31660dccc7fe7ea837f76463b0

C:\Users\Admin\Pictures\diBYAqD9UjPwIL12ecJhH1BL.exe

MD5 e0161e980efaee7b82ce3546ef48a76f
SHA1 73c9b60263be18ae819786b2c6d796dd663a8c0f
SHA256 5feebee9788da70968f066685c1a0470cc96e023897a17a0c322c6463112a9d3
SHA512 188abc3ab8a0b51f4bcd751d720bc2680546d9b4cac012520aa3d29cbda97a8258a9a3ab2085f9bac2e6e0036e6b5ac3fa4ae173be53c60ebbe9240c6b83ce03

memory/3168-199-0x00000000060B0000-0x0000000006404000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/720-167-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4416-440-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4004-434-0x0000000000400000-0x0000000000413000-memory.dmp

memory/956-452-0x00007FF7DC9F0000-0x00007FF7DCF33000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2309150720142415472.dll

MD5 39446fcc81de22345867c2723e398e24
SHA1 914b41ac8271bacc6d4787806ac50484b82e1b6e
SHA256 bcb5a1be5090134f312f16b869eaac5547d014aaaddd8f9546e1f07423b5b338
SHA512 34c550ce866751c7cb4947cb71beaa82a316785c4153ffbfabcb3a8b3f080293eb8731f90f7f9f2a955e32922bd88ff3e963e4076fbee8c98b8106ddd1d17453

memory/2296-472-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/5472-458-0x0000000000BF0000-0x0000000001125000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

MD5 13701b5f47799e064b1ddeb18bce96d9
SHA1 1807f0c2ae8a72a823f0fdb0a2c3401a6e89a095
SHA256 a34a5bbba3330c67d8bef87a9888f6d25faf554254a1b2b40ffdaf2ce07b81aa
SHA512 c247ee79649e6467d0e50e8380ada70df8f809016b460ebe5570bfa6c6181284181231bf94c4e5288982741e343c4cf8af735351e7bb38469b0546ef237c30bf

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 4881eb0e1607cfc7dbedc665c4dd36c7
SHA1 b27952f43ad10360b2e5810c029dec0bc932b9c0
SHA256 eb59b5a0fcba7d2e2e1692da1fa0ca61c4bf15e118a1cc52f366c0fc61d6983e
SHA512 8b2e138ed14789f67b75ba1c0483255cd6706319025ca073d38178b856986d0c5288ba18c449da6310ec7828627dd410a0b356580a1f98f9dd53c506bf929a3a

memory/5916-487-0x0000000000400000-0x0000000000635000-memory.dmp

memory/3168-499-0x00000000064D0000-0x00000000064EE000-memory.dmp

memory/5300-500-0x0000000000400000-0x000000000071C000-memory.dmp

memory/5168-503-0x00007FF628650000-0x00007FF629469000-memory.dmp

memory/5916-506-0x0000000000400000-0x0000000000635000-memory.dmp

memory/5608-505-0x0000000010000000-0x0000000010583000-memory.dmp

memory/5168-512-0x00007FF628650000-0x00007FF629469000-memory.dmp

memory/2816-508-0x0000000000400000-0x0000000002985000-memory.dmp

memory/5168-516-0x00007FF628650000-0x00007FF629469000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 84c69a1bd22c3f5719fc729cce33276a
SHA1 825d2592a80e0764065d9e8e619092daaa518c1f
SHA256 aede8075d903726d6624d2bb80429a8d4ceebbe0e7b68ac04a25becce42d21fd
SHA512 2dc90d89ad553b964d206fa0140b59803ea4d6f1c6176b26fd64630d9ada505d3ea3e525eb384516eaaf41cc8290605d545797a2d48b30df392634d46dae4187

memory/5168-526-0x00007FF628650000-0x00007FF629469000-memory.dmp

memory/5168-537-0x00007FF628650000-0x00007FF629469000-memory.dmp

memory/5168-543-0x00007FF628650000-0x00007FF629469000-memory.dmp

memory/5052-548-0x0000000000BD0000-0x0000000000CCE000-memory.dmp

memory/668-545-0x0000000003D20000-0x0000000003D36000-memory.dmp

memory/956-547-0x00007FF7DC9F0000-0x00007FF7DCF33000-memory.dmp

memory/5168-546-0x00007FF628650000-0x00007FF629469000-memory.dmp

memory/512-554-0x00000000011A0000-0x00000000011F0000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

memory/512-574-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/5300-577-0x00000000008F0000-0x00000000008F1000-memory.dmp

C:\Users\Admin\Pictures\360TS_Setup.exe

MD5 46def370ac2b168bd143b71a0db07aa0
SHA1 b038f29ce0ad320f6452abe6e791d28ce98dd377
SHA256 433440e00f6975f1034c29a03dec8c5272d8c2ee7f6bb9807236af9f91e00963
SHA512 63577c434bd442864882e658d2701086b94418bafca4f1c5c22e73d2c9a4c4e552a9da0eda2e97ab977f3a5697abdfd3c53b3e43e605989d6b9cb783ee203aa5

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 93ee86cc086263a367933d1811ac66aa
SHA1 73c2d6ce5dd23501cc6f7bb64b08304f930d443d
SHA256 4de2f896ff1ff1c64d813cad08b92c633be586141d2d5c24099ae2ae4194bece
SHA512 d980e01e3f6a262016f3335a2d127f6efa6a73fe166f4f36355e439cbb2098d624e63ecd0ee8be8575b3aeefb0b1e9bc8e0552d65c4e611bff9f7f119c186c5a

C:\Users\Admin\AppData\Local\Temp\1694762474_00000000_base\360base.dll

MD5 8c42fc725106cf8276e625b4f97861bc
SHA1 9c4140730cb031c29fc63e17e1504693d0f21c13
SHA256 d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22
SHA512 f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

C:\Users\Admin\AppData\Local\Temp\{2E7032B6-6DAC-4b0d-99F1-C95A0E3EBDD0}.tmp\360P2SP.dll

MD5 fc1796add9491ee757e74e65cedd6ae7
SHA1 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256 bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA512 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202309150720301\opera_package

MD5 ac74577133cb40d0ac0fd59d30210206
SHA1 e674dd30f8c007c3b56db4dfccda5437f10a8755
SHA256 fe10263b2f5eda333a0d456101bf2822da2cf7481918925e0b36422d60688c3e
SHA512 c64caa7a3c576c1fd8c25717fe2e92a31b1b80b083b37fe1081994ad8c282377d16403474d75d87fafd96eaefcd8a1425657493f41a66dd2e5fcd6cb318947e4

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202309150720301\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\360_install_20230915072130_240757750\temp_files\i18n\it\safemon\wd.ini

MD5 bbcd2bd46f45a882a56d4ea27e6aca88
SHA1 69ec4e9df7648feff4905af2651abff6f6f9cc00
SHA256 dfe29bbd5fa9d1a9aac3efbef341ef02a44fcdf5b826cfa1fdd646bf27fa6655
SHA512 0619a5e55e479da2085602a91d7077ada2892e345a080adcb759fbcf9c51e1d1d07f362c02218ce880ad7858c9c262432b13979a2ff0ba4122a492479c748dd3

C:\Users\Admin\AppData\Local\Temp\360_install_20230915072130_240757750\temp_files\i18n\es\ipc\360ipc.dat

MD5 ea5fdb65ac0c5623205da135de97bc2a
SHA1 9ca553ad347c29b6bf909256046dd7ee0ecdfe37
SHA256 0ba4355035fb69665598886cb35359ab4b07260032ba6651a9c1fcea2285726d
SHA512 bb9123069670ac10d478ba3aed6b6587af0f077d38ca1e2f341742eaf642a6605862d3d4dbf687eb7cb261643cf8c95be3fba1bfa0ee691e8e1ed17cc487b11e

C:\Users\Admin\AppData\Local\Temp\360_install_20230915072130_240757750\temp_files\i18n\es\ipc\360netd.dat

MD5 d89ff5c92b29c77500f96b9490ea8367
SHA1 08dd1a3231f2d6396ba73c2c4438390d748ac098
SHA256 3b5837689b4339077ed90cfeb937d3765dda9bc8a6371d25c640dfcee296090a
SHA512 88206a195cd3098b46eec2c8368ddc1f90c86998d7f6a8d8ec1e57ae201bc5939b6fe6551b205647e20e9a2d144abd68f64b75edd721342861acb3e12450060d

C:\Users\Admin\AppData\Local\Temp\360_install_20230915072130_240757750\temp_files\i18n\es\ipc\360netr.dat

MD5 db5227079d3ca5b34f11649805faae4f
SHA1 de042c40919e4ae3ac905db6f105e1c3f352fb92
SHA256 912102c07fcabe6d8a018de20b2ad97ea5f775dcb383cd3376168b7ebf8f9238
SHA512 519ab81d0c3391f88050e5d7a2e839913c45c68f26dabad34c06c461ddb84c781bf7224e4d093462c475700e706eef562d1210cee3dba00a985d8dadbf165c5c

C:\Users\Admin\AppData\Local\Temp\360_install_20230915072130_240757750\temp_files\i18n\es\ipc\appmon.dat

MD5 9a6ba86a05fa29b2060add92e29f74c2
SHA1 eb0f407816d001283ce8e35a46702506232e4659
SHA256 1acdbe9ac338df8714ad24110c651932a29a6c1fdf8bda40d8351aa025694f8b
SHA512 fb3aea6ce2cbc624bb2f8952eed26c263a99a6fbe1b7ed6bea6581984728918655bf1643d2f4fe77a4e7e472b97cf68bbe73d20220a01e27f91e6d48e029a2d3

C:\Users\Admin\AppData\Local\Temp\360_install_20230915072130_240757750\temp_files\i18n\it\safemon\bp.dat

MD5 1b5647c53eadf0a73580d8a74d2c0cb7
SHA1 92fb45ae87f0c0965125bf124a5564e3c54e7adb
SHA256 d81e7765dacef70a07c2d77e3ab1c953abd4c8b0c74f53df04c3ee4adf192106
SHA512 439738f2cdd0024e4d4f0da9668714fd369fb939424e865a29fc78725459b98c3f8ac746c65e7d338073374ab695c58d52b86aea72865496cd4b20fcd1aa9295

C:\Users\Admin\AppData\Local\Temp\360_install_20230915072130_240757750\temp_files\i18n\fr\deepscan\art.dat

MD5 0297d7f82403de0bb5cef53c35a1eba1
SHA1 e94e31dcd5c4b1ff78df86dbef7cd4e992b5d8a8
SHA256 81adb709eec2dfb3e7b261e3e279adf33de00e4d9729f217662142f591657374
SHA512 ce8983e3af798f336e34343168a14dc04e4be933542254ce14ff755d5eb2bcb6e745eda488bc24be2b323119006cf0bdb392c7b48558ca30f7f2e170a061a75e

C:\Users\Admin\AppData\Local\Temp\360_install_20230915072130_240757750\temp_files\i18n\es\safemon\drvmon.dat

MD5 c2a0ebc24b6df35aed305f680e48021f
SHA1 7542a9d0d47908636d893788f1e592e23bb23f47
SHA256 5ee31b5ada283f63ac19f79b3c3efc9f9e351182fcabf47ffccdd96060bfa2cf
SHA512 ea83e770ad03b8f9925654770c5fd7baf2592d6d0dd5b22970f38b0a690dfd7cb135988548547e62cca5f09cb737224bbb8f2c15fe3b9b02b996c319f6e271ed

C:\Users\Admin\AppData\Local\Temp\360_install_20230915072130_240757750\temp_files\i18n\hi\deepscan\dsconz.dat

MD5 f76cd5b5dbcccd3a21df516e6eb814ed
SHA1 5d62c1c3caea405a4ddd0b891d06e41deabcb8ae
SHA256 75f44e910966a657f96eceb5ca734d4cf919f76aae3f862cac2674c533e40c3b
SHA512 edd26a0202b3bb46177d09c322693d67efec8cedd6c285645191cdfbc92299ea3b193fab3de5e39107a5d57e98e144c9c728d544c24020ad43729b72d38a394c

C:\Users\Admin\AppData\Local\Temp\360_install_20230915072130_240757750\temp_files\i18n\fr\deepscan\dsr.dat

MD5 504461531300efd4f029c41a83f8df1d
SHA1 2466e76730121d154c913f76941b7f42ee73c7ae
SHA256 4649eedc3bafd98c562d4d1710f44de19e8e93e3638bc1566e1da63d90cb04ad
SHA512 f7dd16173120dbfe2dabeab0c171d7d5868fd3107f13c2967183582fd23fd96c7eeca8107463a4084ad9f8560cd6447c35dc18b331fd3f748521518ac8e46632

C:\Users\Admin\AppData\Local\Temp\360_install_20230915072130_240757750\temp_files\i18n\es\deepscan\dsurls.dat

MD5 69d457234e76bc479f8cc854ccadc21e
SHA1 7f129438445bb1bde6b5489ec518cc8f6c80281b
SHA256 b0355da8317155646eba806991c248185cb830fe5817562c50af71d297f269ee
SHA512 200de0ffce7294266491811c6c29c870a5bc21cdf29aa626fc7a41d24faf1bfe054920bd8862784feaba75ba866b8ab5fd65df4df1e3968f78795ab1f4ad0d23

C:\Users\Admin\AppData\Local\Temp\360_install_20230915072130_240757750\temp_files\i18n\es\ipc\filemon.dat

MD5 bfed06980072d6f12d4d1e848be0eb49
SHA1 bb5dd7aa1b6e4242b307ea7fabac7bc666a84e3d
SHA256 b065e3e3440e1c83d6a4704acddf33e69b111aad51f6d4194d6abc160eccfdc2
SHA512 62908dd2335303da5ab41054d3278fe613ed9031f955215f892f0c2bb520ce1d26543fa53c75ce5da4e4ecf07fd47d4795fafbdb6673fac767b37a4fa7412d08

C:\Users\Admin\AppData\Local\Temp\360_install_20230915072130_240757750\temp_files\i18n\es\libdefa.dat

MD5 aeb5fab98799915b7e8a7ff244545ac9
SHA1 49df429015a7086b3fb6bb4a16c72531b13db45f
SHA256 19fa3cbec353223c9e376b7e06f050cc27b3c12d255fdcb5c36342fa3febbec4
SHA512 2d98ed2e9c26a61eb2f1a7beb8bd005eb4d3d0dac297c93faaf61928a05fb1c6343bb7a6b2c073c6520c81befdb51c87383eab8e7ca49bb060b344f2cf08f4d9

C:\Users\Admin\AppData\Local\Temp\360_install_20230915072130_240757750\temp_files\i18n\es\ipc\regmon.dat

MD5 9f2a98bad74e4f53442910e45871fc60
SHA1 7bce8113bbe68f93ea477a166c6b0118dd572d11
SHA256 1c743d2e319cd63426f05a3c51dfea4c4f5b923c96f9ecce7fcf8d4d46a8c687
SHA512 a8267905058170ed42ba20fe9e0a6274b83dcda0dd8afa77cbff8801ed89b1f108cfe00a929f2e7bbae0fc079321a16304d69c16ec9552c80325db9d6d332d10

C:\Users\Admin\AppData\Local\Temp\360_install_20230915072130_240757750\temp_files\config\lang\de\SysSweeper.ui.dat

MD5 98a38dfe627050095890b8ed217aa0c5
SHA1 3da96a104940d0ef2862b38e65c64a739327e8f8
SHA256 794331c530f22c2390dd44d18e449c39bb7246868b07bdf4ff0be65732718b13
SHA512 fb417aa5de938aaf01bb9a07a3cd42c338292438f5a6b17ef1b8d800a5605c72df81d3bae582e17162f6b1c5008fd63035fa7a637e07e2697cb1b34f9197a0cd
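Added example, not part of the sandbox report and not the sandbox vendor's code: a parser for the Files listing format used above (a path line followed by MD5/SHA1/SHA256/SHA512 lines, with memory/<pid>-<seq>-<start>-<end>-memory.dmp entries in between) that collapses repeated records by SHA256, surfaces payloads dropped under more than one name (the two Opera installer DLLs above carry identical hashes), checks digest lengths so a truncated hash never becomes an indicator, and decodes the memory-dump names into PID and region size. The sample input is a subset of entries copied verbatim from the listing above; the function and class names are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: entries copied verbatim from the Files listing above
# (a record that appears twice, two Opera installer DLLs with different
# names but identical hashes, and two memory-dump references).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2309150719598035096.dll

MD5 39446fcc81de22345867c2723e398e24
SHA1 914b41ac8271bacc6d4787806ac50484b82e1b6e
SHA256 bcb5a1be5090134f312f16b869eaac5547d014aaaddd8f9546e1f07423b5b338
SHA512 34c550ce866751c7cb4947cb71beaa82a316785c4153ffbfabcb3a8b3f080293eb8731f90f7f9f2a955e32922bd88ff3e963e4076fbee8c98b8106ddd1d17453

C:\Users\Admin\Pictures\kH4Rm9b2NrwcDNBMtmFQnvaL.exe

MD5 24e3bff785f567b35b1b713d3cbd3ecf
SHA1 1ca640d1af355b2a9d0c38eee921a47423a57353
SHA256 e5c81c38d5bff97dcb6edfd293bce8f92b37be60138bee6d1f68858b7ebef54e
SHA512 38e9a8620758a8d171533e3ef9fbe9aff14e8b00073732ec8825eb4e79dfd7856d6264096f4590f7ba68962d6409f4aa0d8e79dead70fb0b955d8bd5db6b25ae

C:\Users\Admin\Pictures\kH4Rm9b2NrwcDNBMtmFQnvaL.exe

MD5 24e3bff785f567b35b1b713d3cbd3ecf
SHA1 1ca640d1af355b2a9d0c38eee921a47423a57353
SHA256 e5c81c38d5bff97dcb6edfd293bce8f92b37be60138bee6d1f68858b7ebef54e
SHA512 38e9a8620758a8d171533e3ef9fbe9aff14e8b00073732ec8825eb4e79dfd7856d6264096f4590f7ba68962d6409f4aa0d8e79dead70fb0b955d8bd5db6b25ae

memory/4004-322-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2309150720142415472.dll

MD5 39446fcc81de22345867c2723e398e24
SHA1 914b41ac8271bacc6d4787806ac50484b82e1b6e
SHA256 bcb5a1be5090134f312f16b869eaac5547d014aaaddd8f9546e1f07423b5b338
SHA512 34c550ce866751c7cb4947cb71beaa82a316785c4153ffbfabcb3a8b3f080293eb8731f90f7f9f2a955e32922bd88ff3e963e4076fbee8c98b8106ddd1d17453

memory/5168-419-0x00007FF628650000-0x00007FF629469000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class DroppedFile:  # hypothetical record type for this example
    path: str
    hashes: dict = field(default_factory=dict)  # algo -> hex digest


def parse_files_section(text):
    """Split the listing into dropped-file records and memory-dump names.
    A record is a path line followed by its hash lines; blank lines separate
    records. Digest lengths are checked so a truncated hash is rejected."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"bad {algo} length for {current.path}")
            current.hashes[algo] = digest
        elif line.startswith("memory/"):
            dumps.append(line)
            current = None
        else:
            current = DroppedFile(path=line)
            files.append(current)
    return files, dumps


def unique_by_sha256(files):
    """Collapse repeated records: SHA256 -> sorted list of paths it was seen at."""
    by_hash = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:  # skip incomplete records rather than guess
            by_hash[f.hashes["SHA256"]].add(f.path)
    return {h: sorted(paths) for h, paths in by_hash.items()}


def shared_payloads(by_hash):
    """Hashes dropped under more than one path: one payload, several names."""
    return {h: p for h, p in by_hash.items() if len(p) > 1}


def parse_dump(name):
    """Decode memory/<pid>-<seq>-<start>-<end>-memory.dmp into numbers."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start,
            "end": end, "size": end - start}
```

Feed the whole Files section of a report to `parse_files_section` and the keys of `unique_by_sha256` become the hash block-list; `shared_payloads` is worth a look before blocking by path, since a payload re-dropped under a random name (as the Pictures\*.exe entries here are) will only be caught by its hash.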