Malware Analysis Report

2025-01-02 09:14

Sample ID 231004-1vxjesfc6t
Target file
SHA256 8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23
Tags
amadey fabookie xmrig discovery evasion miner persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

amadey fabookie xmrig discovery evasion miner persistence spyware stealer trojan upx

xmrig

Detect Fabookie payload

Amadey

Suspicious use of NtCreateUserProcessOtherParentProcess

Fabookie

XMRig Miner payload

Downloads MZ/PE file

Drops file in Drivers directory

Stops running service(s)

Drops startup file

Reads user/profile data of web browsers

UPX packed file

Loads dropped DLL

Executes dropped EXE

.NET Reactor protector

Checks computer location settings

Checks installed software on the system

Adds Run key to start application

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Modifies system certificate store

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Kills process with taskkill

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-04 21:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-04 21:58

Reported

2023-10-04 22:01

Platform

win7-20230831-en

Max time kernel

142s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2080 set thread context of 2340 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf81200000000020000000000106600000001000020000000a43c214c0fc9a500856de778f73eba397283e8cc18765c6ca1f04a59d0807b3f000000000e80000000020000200000000f85f4081423efe620d19b2fc2127af4a59fa307026bad55ac660deffb0f10b52000000013954b0828e983c4c1c127e9696fa02166584fbae7a9eb9cc569d87930ba0a1f40000000f776f38c3984088f00fc1d8b962f0607ef08072d8d25aa199b97b91762e2acdc3daf39fbcbc0170512f801cc979b01bf76f8a01a831303d55af1cf8f79484cb1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{389AE341-6301-11EE-A2FB-D2B3C10F014B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00c8660e0ef7d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402618607" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
PID 2080 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
PID 2080 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
PID 2080 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
PID 2080 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2080 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2080 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2080 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2080 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2080 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2080 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2080 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2080 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2340 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2340 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2340 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2340 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2616 wrote to memory of 2876 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2616 wrote to memory of 2876 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2616 wrote to memory of 2876 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2616 wrote to memory of 2876 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2080-0-0x0000000074840000-0x0000000074F2E000-memory.dmp

memory/2080-1-0x0000000000F50000-0x0000000000FAE000-memory.dmp

memory/2080-2-0x0000000004E30000-0x0000000004E70000-memory.dmp

memory/2080-3-0x0000000000790000-0x00000000007D4000-memory.dmp

memory/2080-4-0x00000000004E0000-0x00000000004FA000-memory.dmp

memory/2340-5-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2340-7-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2340-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2080-10-0x0000000074840000-0x0000000074F2E000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2023-10-04 21:58

Reported

2023-10-04 22:01

Platform

win10v2004-20230915-en

Max time kernel

108s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-VA3K5.tmp\8758677____.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-VA3K5.tmp\8758677____.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\KF0mn4omqRqY1mTXamsFRPWk.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vsj2EEd5ye2sAJIMZdePYlHC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h5Xcb7aOw6wtBlVtjsA9zFGy.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TwNzF4mcyjYdevTB89kk8Yiv.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nhaii6aOnDJkwyoQH3qA2uPO.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aI3b7hl4OcvHhhhkL2mlZMez.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D8XF5OXf02VHhIrOzKIlaLh0.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54nLhQGRkirx7mJ90aVCaDw3.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f0SVGFOcfoR9kUWa2NZDiOQt.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CLLIrpBdPis6kicIHuKpmP4.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MvcRQrXdkG8ADONJ8XwrwQNc.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psto7RP5h9izQli0qidPIN36.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UUV9SZcrpdJshwTeFZJQx7gc.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RWvxQ7U2agowU6iSQa3EXkrR.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\KF0mn4omqRqY1mTXamsFRPWk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\Pictures\REiJg4g90SHYNXRtxHVZpxdc.exe N/A
N/A N/A C:\Users\Admin\Pictures\33io0zHUlrGMBvcPiKcPdomh.exe N/A
N/A N/A C:\Users\Admin\Pictures\jjrw4kkczwuEtlEs1ONjeWy4.exe N/A
N/A N/A C:\Users\Admin\Pictures\e5pVCMx04l3rv6RTv1bsOPvm.exe N/A
N/A N/A C:\Users\Admin\Pictures\kM4cl8aWx2Npc8y8EQaViE3o.exe N/A
N/A N/A C:\Users\Admin\Pictures\8GkqnLaOJCrF7ZVhyXYf7lAp.exe N/A
N/A N/A C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe N/A
N/A N/A C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe N/A
N/A N/A C:\Users\Admin\Pictures\h0m1e4hhuHZYwG2H0tgQXPnp.exe N/A
N/A N/A C:\Users\Admin\Pictures\wn7d3qZ3SLOOkb5Nlb5To5sV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GBKG4.tmp\jjrw4kkczwuEtlEs1ONjeWy4.tmp N/A
N/A N/A C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IHRR6.tmp\kM4cl8aWx2Npc8y8EQaViE3o.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VA3K5.tmp\8758677____.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\n6PYfXwfSQ8qTFUkFWv0EGMH.exe N/A
N/A N/A C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe N/A
N/A N/A C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SIFI2.tmp\_isetup\_setup64.tmp N/A
N/A N/A C:\Program Files\Common Files\RJRRCZTOVS\lightcleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97-ed171-a30-58591-9dd7e9162114b\Fomaegaelavae.exe N/A
N/A N/A C:\Windows\System32\powercfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159141\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159141\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159141\assistant\assistant_installer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft\\ZHaegecenozha.exe\"" C:\Users\Admin\AppData\Local\Temp\is-VA3K5.tmp\8758677____.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigitalPulse = "\"C:\\Users\\Admin\\AppData\\Roaming\\DigitalPulse\\DigitalPulseService.exe\" 5333:::clickId=:::srcId=" C:\Users\Admin\AppData\Local\Temp\is-IHRR6.tmp\kM4cl8aWx2Npc8y8EQaViE3o.tmp N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2960 set thread context of 1324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 688 set thread context of 5424 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 688 set thread context of 5404 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LightCleaner\unins000.dat C:\Windows\System32\powercfg.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-1M207.tmp C:\Windows\System32\powercfg.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-AOBG8.tmp C:\Windows\System32\powercfg.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-73D5K.tmp C:\Windows\System32\powercfg.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\unins000.dat C:\Windows\System32\powercfg.exe N/A
File created C:\Program Files (x86)\Microsoft\ZHaegecenozha.exe.config C:\Users\Admin\AppData\Local\Temp\is-VA3K5.tmp\8758677____.exe N/A
File created C:\Program Files\Common Files\RJRRCZTOVS\lightcleaner.exe.config C:\Users\Admin\AppData\Local\Temp\is-VA3K5.tmp\8758677____.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\VTRegScan.dll C:\Windows\System32\powercfg.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-4PIDR.tmp C:\Windows\System32\powercfg.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\LightCleaner.exe C:\Windows\System32\powercfg.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\CircularProgressBar.dll C:\Windows\System32\powercfg.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-B5OAR.tmp C:\Windows\System32\powercfg.exe N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe N/A
File created C:\Program Files (x86)\Microsoft\ZHaegecenozha.exe C:\Users\Admin\AppData\Local\Temp\is-VA3K5.tmp\8758677____.exe N/A
File created C:\Program Files\Common Files\RJRRCZTOVS\lightcleaner.exe C:\Users\Admin\AppData\Local\Temp\is-VA3K5.tmp\8758677____.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <binary certificate blob omitted> C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <binary certificate blob omitted> C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = <binary certificate blob omitted> C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = <binary certificate blob omitted> C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IHRR6.tmp\kM4cl8aWx2Npc8y8EQaViE3o.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IHRR6.tmp\kM4cl8aWx2Npc8y8EQaViE3o.tmp N/A
N/A N/A C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe N/A
N/A N/A C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\powercfg.exe N/A
N/A N/A C:\Windows\System32\powercfg.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe N/A
N/A N/A C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe N/A
N/A N/A C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe N/A
N/A N/A C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe N/A
N/A N/A C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe N/A
N/A N/A C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe N/A
N/A N/A C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe N/A
N/A N/A C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe N/A
N/A N/A C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe N/A
N/A N/A C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-VA3K5.tmp\8758677____.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\33io0zHUlrGMBvcPiKcPdomh.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IHRR6.tmp\kM4cl8aWx2Npc8y8EQaViE3o.tmp N/A
N/A N/A C:\Windows\System32\powercfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2960 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2960 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2960 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 2960 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 2960 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 2960 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 2960 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 2960 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 2960 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 2960 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 1324 wrote to memory of 3644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\KF0mn4omqRqY1mTXamsFRPWk.exe
PID 1324 wrote to memory of 3644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\KF0mn4omqRqY1mTXamsFRPWk.exe
PID 1324 wrote to memory of 3644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\KF0mn4omqRqY1mTXamsFRPWk.exe
PID 3644 wrote to memory of 2896 N/A C:\Users\Admin\Pictures\KF0mn4omqRqY1mTXamsFRPWk.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 3644 wrote to memory of 2896 N/A C:\Users\Admin\Pictures\KF0mn4omqRqY1mTXamsFRPWk.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 3644 wrote to memory of 2896 N/A C:\Users\Admin\Pictures\KF0mn4omqRqY1mTXamsFRPWk.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2896 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 2896 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 2896 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 2896 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 4152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 4152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 4152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4464 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4464 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4464 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4464 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4464 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4464 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4464 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4464 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4464 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 4464 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 4464 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 1324 wrote to memory of 4292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\REiJg4g90SHYNXRtxHVZpxdc.exe
PID 1324 wrote to memory of 4292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\REiJg4g90SHYNXRtxHVZpxdc.exe
PID 1324 wrote to memory of 4292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\REiJg4g90SHYNXRtxHVZpxdc.exe
PID 1324 wrote to memory of 3784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\33io0zHUlrGMBvcPiKcPdomh.exe
PID 1324 wrote to memory of 3784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\33io0zHUlrGMBvcPiKcPdomh.exe
PID 1324 wrote to memory of 3784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\33io0zHUlrGMBvcPiKcPdomh.exe
PID 1324 wrote to memory of 3436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\jjrw4kkczwuEtlEs1ONjeWy4.exe
PID 1324 wrote to memory of 3436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\jjrw4kkczwuEtlEs1ONjeWy4.exe
PID 1324 wrote to memory of 3436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\jjrw4kkczwuEtlEs1ONjeWy4.exe
PID 1324 wrote to memory of 4404 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\e5pVCMx04l3rv6RTv1bsOPvm.exe
PID 1324 wrote to memory of 4404 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\e5pVCMx04l3rv6RTv1bsOPvm.exe
PID 1324 wrote to memory of 5044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\kM4cl8aWx2Npc8y8EQaViE3o.exe
PID 1324 wrote to memory of 5044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\kM4cl8aWx2Npc8y8EQaViE3o.exe
PID 1324 wrote to memory of 5044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\kM4cl8aWx2Npc8y8EQaViE3o.exe
PID 1324 wrote to memory of 5040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\8GkqnLaOJCrF7ZVhyXYf7lAp.exe
PID 1324 wrote to memory of 5040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\8GkqnLaOJCrF7ZVhyXYf7lAp.exe
PID 1324 wrote to memory of 5040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\8GkqnLaOJCrF7ZVhyXYf7lAp.exe
PID 1324 wrote to memory of 976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe
PID 1324 wrote to memory of 976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe
PID 1324 wrote to memory of 976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe
PID 1324 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe
PID 1324 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe
PID 1324 wrote to memory of 3604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\h0m1e4hhuHZYwG2H0tgQXPnp.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"

C:\Users\Admin\Pictures\KF0mn4omqRqY1mTXamsFRPWk.exe

"C:\Users\Admin\Pictures\KF0mn4omqRqY1mTXamsFRPWk.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Users\Admin\Pictures\REiJg4g90SHYNXRtxHVZpxdc.exe

"C:\Users\Admin\Pictures\REiJg4g90SHYNXRtxHVZpxdc.exe"

C:\Users\Admin\Pictures\33io0zHUlrGMBvcPiKcPdomh.exe

"C:\Users\Admin\Pictures\33io0zHUlrGMBvcPiKcPdomh.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\Pictures\jjrw4kkczwuEtlEs1ONjeWy4.exe

"C:\Users\Admin\Pictures\jjrw4kkczwuEtlEs1ONjeWy4.exe"

C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe

"C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe"

C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe

"C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe" --silent --allusers=0

C:\Users\Admin\Pictures\8GkqnLaOJCrF7ZVhyXYf7lAp.exe

"C:\Users\Admin\Pictures\8GkqnLaOJCrF7ZVhyXYf7lAp.exe"

C:\Users\Admin\Pictures\kM4cl8aWx2Npc8y8EQaViE3o.exe

"C:\Users\Admin\Pictures\kM4cl8aWx2Npc8y8EQaViE3o.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\e5pVCMx04l3rv6RTv1bsOPvm.exe

"C:\Users\Admin\Pictures\e5pVCMx04l3rv6RTv1bsOPvm.exe"

C:\Users\Admin\Pictures\wn7d3qZ3SLOOkb5Nlb5To5sV.exe

"C:\Users\Admin\Pictures\wn7d3qZ3SLOOkb5Nlb5To5sV.exe"

C:\Users\Admin\AppData\Local\Temp\is-IHRR6.tmp\kM4cl8aWx2Npc8y8EQaViE3o.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IHRR6.tmp\kM4cl8aWx2Npc8y8EQaViE3o.tmp" /SL5="$7014E,5025136,832512,C:\Users\Admin\Pictures\kM4cl8aWx2Npc8y8EQaViE3o.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe

C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2a4,0x2ec,0x6f378538,0x6f378548,0x6f378554

C:\Users\Admin\AppData\Local\Temp\is-GBKG4.tmp\jjrw4kkczwuEtlEs1ONjeWy4.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GBKG4.tmp\jjrw4kkczwuEtlEs1ONjeWy4.tmp" /SL5="$8011A,491750,408064,C:\Users\Admin\Pictures\jjrw4kkczwuEtlEs1ONjeWy4.exe"

C:\Users\Admin\Pictures\h0m1e4hhuHZYwG2H0tgQXPnp.exe

"C:\Users\Admin\Pictures\h0m1e4hhuHZYwG2H0tgQXPnp.exe"

C:\Users\Admin\AppData\Local\Temp\is-VA3K5.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-VA3K5.tmp\8758677____.exe" /S /UID=lylal220

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\n6PYfXwfSQ8qTFUkFWv0EGMH.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\n6PYfXwfSQ8qTFUkFWv0EGMH.exe" --version

C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe

"C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=976 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231004215914" --session-guid=6090fb70-6053-41f4-8949-a15325aab259 --server-tracking-blob=<encoded tracking blob omitted> --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5405000000000000

C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe

C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2bc,0x2f8,0x6dfd8538,0x6dfd8548,0x6dfd8554

C:\Users\Admin\AppData\Local\Temp\is-SIFI2.tmp\_isetup\_setup64.tmp

helper 105 0x444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files\Common Files\RJRRCZTOVS\lightcleaner.exe

"C:\Program Files\Common Files\RJRRCZTOVS\lightcleaner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\97-ed171-a30-58591-9dd7e9162114b\Fomaegaelavae.exe

"C:\Users\Admin\AppData\Local\Temp\97-ed171-a30-58591-9dd7e9162114b\Fomaegaelavae.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 804

C:\Users\Admin\AppData\Local\Temp\is-BH036.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BH036.tmp\lightcleaner.tmp" /SL5="$10280,833775,56832,C:\Program Files\Common Files\RJRRCZTOVS\lightcleaner.exe" /VERYSILENT

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159141\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159141\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159141\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159141\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159141\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159141\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xd2e8a0,0xd2e8b0,0xd2e8bc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\0628711514.exe"

C:\Users\Admin\AppData\Local\Temp\0628711514.exe

"C:\Users\Admin\AppData\Local\Temp\0628711514.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5040 -ip 5040

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "h0m1e4hhuHZYwG2H0tgQXPnp.exe" /f & erase "C:\Users\Admin\Pictures\h0m1e4hhuHZYwG2H0tgQXPnp.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3604 -ip 3604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1936

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "h0m1e4hhuHZYwG2H0tgQXPnp.exe" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\0628711514.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 254.7.248.8.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
DE 148.251.234.93:443 yip.su tcp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 8.8.8.8:53 ji.fhauiehgha.com udp
US 8.8.8.8:53 jetpackdelivery.net udp
US 8.8.8.8:53 d062.userscloud.net udp
US 8.8.8.8:53 bolidare.beget.tech udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 lycheepanel.info udp
US 8.8.8.8:53 goboh2b.top udp
US 8.8.8.8:53 net.geo.opera.com udp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 link.storjshare.io udp
DE 168.119.140.62:443 d062.userscloud.net tcp
US 188.114.97.0:443 jetpackdelivery.net tcp
US 172.67.187.122:443 lycheepanel.info tcp
US 172.67.216.81:443 flyawayaero.net tcp
US 136.0.77.2:443 link.storjshare.io tcp
RU 91.106.207.50:80 bolidare.beget.tech tcp
RU 45.8.228.16:80 goboh2b.top tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
NL 13.227.219.122:443 downloads.digitalpulsedata.com tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 8.8.8.8:53 justsafepay.com udp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
US 188.114.96.0:443 justsafepay.com tcp
US 8.8.8.8:53 potatogoose.com udp
US 104.21.35.235:443 potatogoose.com tcp
US 8.8.8.8:53 122.187.67.172.in-addr.arpa udp
US 8.8.8.8:53 143.144.217.85.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 122.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 10.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 81.216.67.172.in-addr.arpa udp
US 8.8.8.8:53 2.77.0.136.in-addr.arpa udp
US 8.8.8.8:53 111.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 62.140.119.168.in-addr.arpa udp
US 8.8.8.8:53 16.228.8.45.in-addr.arpa udp
US 8.8.8.8:53 50.207.106.91.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 235.35.21.104.in-addr.arpa udp
BG 193.42.32.29:80 193.42.32.29 tcp
BG 193.42.32.29:80 193.42.32.29 tcp
US 8.8.8.8:53 29.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 136.0.77.2:80 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 demo.seafile.com udp
DE 168.119.152.22:80 demo.seafile.com tcp
DE 168.119.152.22:443 demo.seafile.com tcp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 22.152.119.168.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
NL 185.26.182.123:443 autoupdate.geo.opera.com tcp
NL 185.26.182.123:443 autoupdate.geo.opera.com tcp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 123.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 connectini.net udp
GB 91.109.116.11:443 connectini.net tcp
US 8.8.8.8:53 download.opera.com udp
US 8.8.8.8:53 features.opera-api2.com udp
NL 185.26.182.117:443 download.opera.com tcp
NL 82.145.216.15:443 features.opera-api2.com tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 92.123.26.136:443 download3.operacdn.com tcp
US 8.8.8.8:53 11.116.109.91.in-addr.arpa udp
US 8.8.8.8:53 117.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 15.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 136.26.123.92.in-addr.arpa udp
US 8.8.8.8:53 vibrator.s3.pl-waw.scw.cloud udp
US 8.8.8.8:53 link.storjshare.io udp
US 136.0.77.2:443 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
PL 151.115.10.1:443 vibrator.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
DE 3.5.139.118:443 wewewe.s3.eu-central-1.amazonaws.com tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 1.10.115.151.in-addr.arpa udp
US 8.8.8.8:53 118.139.5.3.in-addr.arpa udp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 m7val1dat0r.info udp
US 188.114.96.1:443 m7val1dat0r.info tcp
US 8.8.8.8:53 1.96.114.188.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 360devtracking.com udp
GB 91.109.116.11:80 360devtracking.com tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 112.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 bapp.digitalpulsedata.com udp
CA 3.98.219.138:443 bapp.digitalpulsedata.com tcp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 138.219.98.3.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
CA 159.203.48.195:7001 tcp
US 8.8.8.8:53 www.google.co.jp udp
DE 172.217.23.195:443 www.google.co.jp tcp
US 8.8.8.8:53 195.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 195.48.203.159.in-addr.arpa udp
RU 5.42.64.10:80 5.42.64.10 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
DE 5.75.216.44:27015 5.75.216.44 tcp
US 8.8.8.8:53 script.google.com udp
DE 172.217.23.206:80 script.google.com tcp
US 8.8.8.8:53 44.216.75.5.in-addr.arpa udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
DE 172.217.23.206:443 script.google.com tcp
US 8.8.8.8:53 script.googleusercontent.com udp
NL 142.251.36.1:443 script.googleusercontent.com tcp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp

Files

memory/2960-0-0x00000000747A0000-0x0000000074F50000-memory.dmp

memory/2960-1-0x0000000000760000-0x00000000007BE000-memory.dmp

memory/2960-2-0x0000000005220000-0x00000000052BC000-memory.dmp

memory/2960-3-0x0000000005A00000-0x0000000005FA4000-memory.dmp

memory/2960-4-0x0000000005550000-0x00000000055E2000-memory.dmp

memory/2960-5-0x0000000005380000-0x0000000005390000-memory.dmp

memory/2960-6-0x0000000005120000-0x000000000512A000-memory.dmp

memory/2960-7-0x0000000005390000-0x00000000053D4000-memory.dmp

memory/2960-8-0x00000000053F0000-0x000000000540A000-memory.dmp

memory/1324-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1324-11-0x00000000747A0000-0x0000000074F50000-memory.dmp

memory/2960-12-0x00000000747A0000-0x0000000074F50000-memory.dmp

memory/1324-13-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

C:\Users\Admin\Pictures\KF0mn4omqRqY1mTXamsFRPWk.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\KF0mn4omqRqY1mTXamsFRPWk.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\REiJg4g90SHYNXRtxHVZpxdc.exe

MD5 ea6ab6fe8ecdb80d9bfff2e4955850a0
SHA1 7d290d99217454b9b4c5133349ce165c56bc763e
SHA256 0e3d94e1f3a765bf1c7fbb407619cc07b3b24741b0f7f87283aff58483b82072
SHA512 3a531e97ebda276f9284bdb352fdbbb04bddb7915bccd815437d959f4a8405f9770c6f46dcd0070a1991e88b654665bc87c748c173765b30d3b7329af86999bf

C:\Users\Admin\Pictures\REiJg4g90SHYNXRtxHVZpxdc.exe

MD5 ea6ab6fe8ecdb80d9bfff2e4955850a0
SHA1 7d290d99217454b9b4c5133349ce165c56bc763e
SHA256 0e3d94e1f3a765bf1c7fbb407619cc07b3b24741b0f7f87283aff58483b82072
SHA512 3a531e97ebda276f9284bdb352fdbbb04bddb7915bccd815437d959f4a8405f9770c6f46dcd0070a1991e88b654665bc87c748c173765b30d3b7329af86999bf

C:\Users\Admin\Pictures\REiJg4g90SHYNXRtxHVZpxdc.exe

MD5 ea6ab6fe8ecdb80d9bfff2e4955850a0
SHA1 7d290d99217454b9b4c5133349ce165c56bc763e
SHA256 0e3d94e1f3a765bf1c7fbb407619cc07b3b24741b0f7f87283aff58483b82072
SHA512 3a531e97ebda276f9284bdb352fdbbb04bddb7915bccd815437d959f4a8405f9770c6f46dcd0070a1991e88b654665bc87c748c173765b30d3b7329af86999bf

C:\Users\Admin\Pictures\33io0zHUlrGMBvcPiKcPdomh.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\KF0mn4omqRqY1mTXamsFRPWk.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\xleopjZ2IuBcZenp4FGp5vHO.exe

MD5 dde72ae232dc63298465861482d7bb93
SHA1 557c5dbebc35bc82280e2a744a03ce5e78b3e6fb
SHA256 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
SHA512 389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

C:\Users\Admin\Pictures\J9wHfAnPAqzRfavBkxhKbOKR.exe

MD5 24fe48030f7d3097d5882535b04c3fa8
SHA1 a689a999a5e62055bda8c21b1dbe92c119308def
SHA256 424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e
SHA512 45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

C:\Users\Admin\Pictures\33io0zHUlrGMBvcPiKcPdomh.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\jjrw4kkczwuEtlEs1ONjeWy4.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\jjrw4kkczwuEtlEs1ONjeWy4.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/3784-116-0x00000000747A0000-0x0000000074F50000-memory.dmp

memory/3784-118-0x0000000000D00000-0x000000000101C000-memory.dmp

memory/3436-114-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\jjrw4kkczwuEtlEs1ONjeWy4.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\33io0zHUlrGMBvcPiKcPdomh.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe

MD5 dc0d675abcbfe8a17fe99f90bb5ad844
SHA1 6aeaa617f1b6f5b41c73202b3ddf74aa4377478c
SHA256 6f5b7af8aab42d97517b8657c1486d0d0d61d2f98b5d9c2b63a839937f557110
SHA512 254a18071c6d8f76e2cc3859a7add2801a3bc4c383d1a159b2349de69b7f44e879258feb8002871d713e399b282aee50517bdbf2c2cecc9e05e39303f0a98959

memory/4404-168-0x00007FF6A7960000-0x00007FF6A7A4C000-memory.dmp

C:\Users\Admin\Pictures\8GkqnLaOJCrF7ZVhyXYf7lAp.exe

MD5 f1e756b85ee7ddbd40d3a4213956c693
SHA1 c728d9c975e8e2562210da21ca9a43f8a12c21aa
SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA512 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8

C:\Users\Admin\AppData\Local\Temp\is-GBKG4.tmp\jjrw4kkczwuEtlEs1ONjeWy4.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

C:\Users\Admin\AppData\Local\Temp\Opera_installer_231004215904550976.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/3784-188-0x0000000005A50000-0x0000000005AB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VA3K5.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/1324-201-0x00000000747A0000-0x0000000074F50000-memory.dmp

C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe

MD5 dc0d675abcbfe8a17fe99f90bb5ad844
SHA1 6aeaa617f1b6f5b41c73202b3ddf74aa4377478c
SHA256 6f5b7af8aab42d97517b8657c1486d0d0d61d2f98b5d9c2b63a839937f557110
SHA512 254a18071c6d8f76e2cc3859a7add2801a3bc4c383d1a159b2349de69b7f44e879258feb8002871d713e399b282aee50517bdbf2c2cecc9e05e39303f0a98959

C:\Users\Admin\AppData\Local\Temp\is-IHRR6.tmp\kM4cl8aWx2Npc8y8EQaViE3o.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042159061284952.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/3784-205-0x0000000005880000-0x0000000005890000-memory.dmp

memory/1112-203-0x0000000002120000-0x0000000002121000-memory.dmp

memory/4952-208-0x0000000000B10000-0x000000000105D000-memory.dmp

memory/976-185-0x0000000000B10000-0x000000000105D000-memory.dmp

C:\Users\Admin\Pictures\wn7d3qZ3SLOOkb5Nlb5To5sV.exe

MD5 006ad74c21256de16ed0f79f760dc2da
SHA1 03372373476c4ffad5a4016950e5834451872c3f
SHA256 c4410af6b21ec0894ede95baaf3314f8260ab62051abe107b83b5c3d091e97f4
SHA512 c7184ab98553159d9b05ef3a3ec5a3036159683a7aed963193a77b17df900ba8fd7dedf85fa67525acc6bd3bdfc403f8622a8c3c6edcac38abb5c79f432e43df

C:\Users\Admin\Pictures\wn7d3qZ3SLOOkb5Nlb5To5sV.exe

MD5 006ad74c21256de16ed0f79f760dc2da
SHA1 03372373476c4ffad5a4016950e5834451872c3f
SHA256 c4410af6b21ec0894ede95baaf3314f8260ab62051abe107b83b5c3d091e97f4
SHA512 c7184ab98553159d9b05ef3a3ec5a3036159683a7aed963193a77b17df900ba8fd7dedf85fa67525acc6bd3bdfc403f8622a8c3c6edcac38abb5c79f432e43df

C:\Users\Admin\Pictures\h0m1e4hhuHZYwG2H0tgQXPnp.exe

MD5 2565bdf6fc65a0c1568391c5b354e4a2
SHA1 b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502
SHA256 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697
SHA512 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449

C:\Users\Admin\AppData\Local\Temp\192544923979

MD5 b8ed9da4dc1862494a003d500c2118a3
SHA1 61b5fd7b9268b45f2d6a1de46251498c40dbc5d8
SHA256 d5d4fddafa673f389574067e28fd7f9d879b7a3659946821d10c5ba860f80b00
SHA512 2dcf5b4254599e6314573691d8c0618811ff26f522942f523c8e9e1a84d5e2496689443cb93abcd24283ed5b1a1035506eac66516b819e8e700555dcc2921181

C:\Users\Admin\Pictures\h0m1e4hhuHZYwG2H0tgQXPnp.exe

MD5 2565bdf6fc65a0c1568391c5b354e4a2
SHA1 b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502
SHA256 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697
SHA512 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449

C:\Users\Admin\Pictures\kM4cl8aWx2Npc8y8EQaViE3o.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

memory/3784-175-0x0000000005B80000-0x0000000005D42000-memory.dmp

C:\Users\Admin\Pictures\D8co4u7xIbm7KyoCluK1aiHk.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe

MD5 dc0d675abcbfe8a17fe99f90bb5ad844
SHA1 6aeaa617f1b6f5b41c73202b3ddf74aa4377478c
SHA256 6f5b7af8aab42d97517b8657c1486d0d0d61d2f98b5d9c2b63a839937f557110
SHA512 254a18071c6d8f76e2cc3859a7add2801a3bc4c383d1a159b2349de69b7f44e879258feb8002871d713e399b282aee50517bdbf2c2cecc9e05e39303f0a98959

memory/5044-160-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\kM4cl8aWx2Npc8y8EQaViE3o.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

C:\Users\Admin\Pictures\e5pVCMx04l3rv6RTv1bsOPvm.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\e5pVCMx04l3rv6RTv1bsOPvm.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\8GkqnLaOJCrF7ZVhyXYf7lAp.exe

MD5 f1e756b85ee7ddbd40d3a4213956c693
SHA1 c728d9c975e8e2562210da21ca9a43f8a12c21aa
SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA512 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8

C:\Users\Admin\Pictures\h0m1e4hhuHZYwG2H0tgQXPnp.exe

MD5 2565bdf6fc65a0c1568391c5b354e4a2
SHA1 b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502
SHA256 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697
SHA512 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449

C:\Users\Admin\Pictures\kM4cl8aWx2Npc8y8EQaViE3o.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

C:\Users\Admin\Pictures\e5pVCMx04l3rv6RTv1bsOPvm.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\8GkqnLaOJCrF7ZVhyXYf7lAp.exe

MD5 f1e756b85ee7ddbd40d3a4213956c693
SHA1 c728d9c975e8e2562210da21ca9a43f8a12c21aa
SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA512 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 aa8f6f46ea7f87715393c181ef0eaa8b
SHA1 fff7b42711ee57f8d755c5a0ed207bf88cbf242e
SHA256 4e0c1691395a16f5dd3875fdc3df84fa6c0dad2a8c85e9539cbfc8065a704472
SHA512 83495bad37681cef9d9dceff45a43d35122d4c201a4b490d3acdfe617a1e182c50768871b21086545e7bd867ef18dd8c9d768931cb3b0c27f6c6def78d2f7cd3

C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe

MD5 dc0d675abcbfe8a17fe99f90bb5ad844
SHA1 6aeaa617f1b6f5b41c73202b3ddf74aa4377478c
SHA256 6f5b7af8aab42d97517b8657c1486d0d0d61d2f98b5d9c2b63a839937f557110
SHA512 254a18071c6d8f76e2cc3859a7add2801a3bc4c383d1a159b2349de69b7f44e879258feb8002871d713e399b282aee50517bdbf2c2cecc9e05e39303f0a98959

memory/1324-242-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\n6PYfXwfSQ8qTFUkFWv0EGMH.exe

MD5 dc0d675abcbfe8a17fe99f90bb5ad844
SHA1 6aeaa617f1b6f5b41c73202b3ddf74aa4377478c
SHA256 6f5b7af8aab42d97517b8657c1486d0d0d61d2f98b5d9c2b63a839937f557110
SHA512 254a18071c6d8f76e2cc3859a7add2801a3bc4c383d1a159b2349de69b7f44e879258feb8002871d713e399b282aee50517bdbf2c2cecc9e05e39303f0a98959

memory/1900-245-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/1184-243-0x000002B556380000-0x000002B556404000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VA3K5.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Local\Temp\is-VA3K5.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Local\Temp\Opera_installer_231004215912597408.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\Opera_installer_231004215912597408.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1184-250-0x000002B557F60000-0x000002B557FC2000-memory.dmp

memory/408-253-0x00000000001A0000-0x00000000006ED000-memory.dmp

memory/3436-256-0x0000000000400000-0x000000000046A000-memory.dmp

memory/4404-255-0x0000000002C40000-0x0000000002D71000-memory.dmp

memory/4404-257-0x0000000002AC0000-0x0000000002C31000-memory.dmp

memory/1184-258-0x000002B570880000-0x000002B5708DE000-memory.dmp

memory/1184-254-0x00007FFA51BD0000-0x00007FFA52691000-memory.dmp

memory/1468-260-0x00007FF6E2660000-0x00007FF6E2BA3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042159144573232.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/5044-263-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1112-267-0x0000000000400000-0x0000000000513000-memory.dmp

memory/1184-268-0x000002B570970000-0x000002B570980000-memory.dmp

memory/3232-269-0x0000000000B10000-0x000000000105D000-memory.dmp

C:\Users\Admin\Pictures\n6PYfXwfSQ8qTFUkFWv0EGMH.exe

MD5 dc0d675abcbfe8a17fe99f90bb5ad844
SHA1 6aeaa617f1b6f5b41c73202b3ddf74aa4377478c
SHA256 6f5b7af8aab42d97517b8657c1486d0d0d61d2f98b5d9c2b63a839937f557110
SHA512 254a18071c6d8f76e2cc3859a7add2801a3bc4c383d1a159b2349de69b7f44e879258feb8002871d713e399b282aee50517bdbf2c2cecc9e05e39303f0a98959

C:\Users\Admin\AppData\Local\Temp\Opera_installer_231004215915050552.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/3784-276-0x00000000747A0000-0x0000000074F50000-memory.dmp

memory/552-277-0x0000000000B10000-0x000000000105D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SIFI2.tmp\_isetup\_setup64.tmp

MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 0eb22b772ced0f5fdd061c9af560ca45
SHA1 3e542621309b2069061feafc3b14c540467472c2
SHA256 aa67647bb02ba233b49b5fa4f9211b511fdcb4b5b3e6a38c0f551b96e2ff9335
SHA512 d4139acdd375f63322ecef620f958c15b85babc2fea93d42479d1e7cc83d9abf719b55e926e07e0426657e604d0b70c53c60fff51c0babc2d99163e0256d9c86

memory/1900-294-0x0000000000400000-0x000000000071C000-memory.dmp

memory/3784-301-0x0000000006DC0000-0x00000000072EC000-memory.dmp

C:\Program Files\Common Files\RJRRCZTOVS\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\is-IHRR6.tmp\kM4cl8aWx2Npc8y8EQaViE3o.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

memory/4880-330-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1468-333-0x00007FF6E2660000-0x00007FF6E2BA3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\97-ed171-a30-58591-9dd7e9162114b\Fomaegaelavae.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Users\Admin\AppData\Local\Temp\97-ed171-a30-58591-9dd7e9162114b\Fomaegaelavae.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/1900-354-0x0000000000400000-0x000000000071C000-memory.dmp

memory/4764-362-0x000001DB73190000-0x000001DB731B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hq2bn23p.sdg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\is-BH036.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/1184-368-0x00007FFA51BD0000-0x00007FFA52691000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-USC8E.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1112-381-0x0000000000400000-0x0000000000513000-memory.dmp

memory/3436-385-0x0000000000400000-0x000000000046A000-memory.dmp

memory/1508-388-0x0000000000E40000-0x0000000000E50000-memory.dmp

memory/3784-389-0x0000000005880000-0x0000000005890000-memory.dmp

memory/1508-391-0x000000006C5B0000-0x000000006CB61000-memory.dmp

memory/4880-390-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4764-392-0x00007FFA51BD0000-0x00007FFA52691000-memory.dmp

memory/4764-405-0x000001DB73600000-0x000001DB73610000-memory.dmp

memory/4764-409-0x000001DB73600000-0x000001DB73610000-memory.dmp

memory/3784-413-0x0000000005880000-0x0000000005890000-memory.dmp

memory/5228-414-0x00000000022A0000-0x00000000022A1000-memory.dmp

memory/5228-417-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3784-420-0x0000000005880000-0x0000000005890000-memory.dmp

memory/4764-422-0x000001DB73600000-0x000001DB73610000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159141\opera_package

MD5 1b4af0087d5df808f26f57534a532aa9
SHA1 d32d1fcecbef0e361d41943477a1df25114ce7af
SHA256 22c21ff3d0f5af1c2191318ea12921cfd5434afc32c0641d58fd3f3a218ea111
SHA512 e5a32022fd08464a24c89819703fd9f05c75bd5b47392aae186b96a8e1146fb0c98cda14bfec9a1393c0cdde706db77d32e7a9a86e4611c72103265982d31e07

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

memory/4880-440-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1900-447-0x0000000000400000-0x000000000071C000-memory.dmp

memory/1900-450-0x0000000000400000-0x000000000071C000-memory.dmp

memory/4764-456-0x000001DB73600000-0x000001DB73610000-memory.dmp

memory/4404-457-0x0000000002C40000-0x0000000002D71000-memory.dmp

memory/5044-458-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159141\additional_file0.tmp

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

memory/4764-477-0x00007FFA51BD0000-0x00007FFA52691000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159141\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 1e80f2aa37597ed534b940c40b16d772
SHA1 96850069bb87b6fa19d5e5a86278d8d7db1ca328
SHA256 c773f429a9399f94131adba7b81f00a81859111eb0ee18a6dcdd5c4b6be5a494
SHA512 5d6862f6215e6e266d0df570eba8068d7bc902c3fbec2be674905a84b67c7d49c88efacb16737b3d42d90b6a59890a155e929306b9cbe09cae1e88abff4eb083

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159141\assistant\assistant_installer.exe

MD5 0d88834a56d914983a2fe03d6c8c7a83
SHA1 e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35
SHA256 e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53
SHA512 95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159141\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159141\assistant\dbgcore.dll

MD5 15a2bc75539a13167028a3d2940bf40a
SHA1 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86
SHA256 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693
SHA512 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

memory/1468-511-0x00007FF6E2660000-0x00007FF6E2BA3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

memory/1468-521-0x00007FF6E2660000-0x00007FF6E2BA3000-memory.dmp

memory/3784-522-0x0000000005880000-0x0000000005890000-memory.dmp

memory/3784-523-0x0000000005880000-0x0000000005890000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

memory/688-540-0x00007FF7FA1C0000-0x00007FF7FA703000-memory.dmp

memory/4464-550-0x00007FFA51BD0000-0x00007FFA52691000-memory.dmp

memory/4464-551-0x0000022F78B90000-0x0000022F78BA0000-memory.dmp

memory/4464-561-0x0000022F78B40000-0x0000022F78B5C000-memory.dmp

memory/4464-562-0x0000022F79810000-0x0000022F798C5000-memory.dmp

memory/4464-565-0x00007FF4B17F0000-0x00007FF4B1800000-memory.dmp

memory/4464-566-0x0000022F78B60000-0x0000022F78B6A000-memory.dmp

memory/4464-567-0x0000022F79A10000-0x0000022F79A2C000-memory.dmp

memory/4464-568-0x0000022F78B70000-0x0000022F78B7A000-memory.dmp

memory/4464-569-0x0000022F79A50000-0x0000022F79A6A000-memory.dmp

memory/4464-570-0x0000022F78B80000-0x0000022F78B88000-memory.dmp

memory/4464-572-0x0000022F79A30000-0x0000022F79A36000-memory.dmp

memory/688-579-0x00007FF7FA1C0000-0x00007FF7FA703000-memory.dmp

memory/5404-584-0x0000000000F30000-0x0000000000F50000-memory.dmp

memory/688-585-0x00007FF7FA1C0000-0x00007FF7FA703000-memory.dmp

memory/5424-590-0x00007FF641B40000-0x00007FF641B53000-memory.dmp

memory/5404-591-0x00007FF7178D0000-0x00007FF718110000-memory.dmp
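The Files listing above repeats the same record several times and drops one payload under several names (the three Opera_installer_*.dll paths all carry SHA256 bf1aa65c…). The following Python parser is an added example, not part of the sandbox report or its tooling: it reads this listing's layout (a path line followed by MD5/SHA1/SHA256/SHA512 lines, interleaved with memory/<pid>-<index>-<start>-<end>-memory.dmp entries), keys dropped files by SHA256 so verbatim repeats collapse into one artifact with all of its paths, groups memory dumps by PID with the size of each distinct region, discards orphan hash lines such as the two that open this section, and rejects a digest whose length does not match its algorithm. The sample text is constructed from records copied out of this listing; the assumption that the memory record format is exactly pid-index-start-end is mine, as is the choice of SHA256 as the artifact key.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's "Files" layout; records are copied from this listing,
# and the repeated Opera_installer entry mirrors the report's own duplicated records.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\Opera_installer_231004215912597408.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\Opera_installer_231004215912597408.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1184-250-0x000002B557F60000-0x000002B557FC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042159144573232.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1184-368-0x00007FFA51BD0000-0x00007FFA52691000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192
"""

# Assumed record shapes (matches the listing above): memory/<pid>-<idx>-<start>-<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (artifacts, dumps) for one Files listing.

    artifacts: SHA256 -> {"hashes", "paths" (unique, in order), "count" (records seen)}
    dumps:     pid -> [(start, end, size)], one entry per distinct address range
    A digest of the wrong length, or two records disagreeing on the hashes behind one
    SHA256, raises ValueError instead of silently producing a bad IOC set."""
    artifacts, dumps, seen_ranges = {}, defaultdict(list), set()
    state = {"path": None, "hashes": {}}

    def flush():
        path, hashes = state["path"], state["hashes"]
        state["path"], state["hashes"] = None, {}
        if path is None:
            return  # orphan hash lines (entry truncated above) carry no usable IOC
        if set(hashes) != set(HASH_LEN):
            raise ValueError(f"incomplete hash set for {path}: {sorted(hashes)}")
        rec = artifacts.setdefault(hashes["SHA256"], {"hashes": hashes, "paths": [], "count": 0})
        if rec["hashes"] != hashes:
            raise ValueError(f"conflicting hashes for SHA256 {hashes['SHA256']}")
        rec["count"] += 1
        if path not in rec["paths"]:
            rec["paths"].append(path)

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            flush()
            pid, start, end = int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)
            if (pid, start, end) not in seen_ranges:  # same region dumped twice: one record
                seen_ranges.add((pid, start, end))
                dumps[pid].append((start, end, end - start))
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest of length {len(digest)} for {state['path']}")
            state["hashes"][algo] = digest
            continue
        flush()  # any other non-blank line is a path that opens a new record
        state["path"] = line
    flush()
    return artifacts, dict(dumps)


def aliases(artifacts):
    """SHA256 values dropped under more than one path: one payload, several file names."""
    return {sha: rec["paths"] for sha, rec in artifacts.items() if len(rec["paths"]) > 1}


if __name__ == "__main__":
    for sha, rec in parse_files_section(SAMPLE)[0].items():
        print(f"{sha}  x{rec['count']}  {rec['paths']}")
```

Run against the whole Files section rather than the excerpt, the artifact table is the deduplicated hash set to feed a blocklist, and aliases() is the list worth reading by hand: a payload written under several generated names (here the Opera_installer_*.dll records) is a single file to hunt for, not three.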