Malware Analysis Report

2025-01-02 09:18

Sample ID 231004-1wbcksfc6y
Target file
SHA256 8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23
Tags
amadey fabookie xmrig discovery evasion miner persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23

Threat Level: Known bad

The file file was found to be: Known bad.

Malicious Activity Summary

amadey fabookie xmrig discovery evasion miner persistence spyware stealer trojan upx

Detect Fabookie payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Amadey

Fabookie

xmrig

XMRig Miner payload

Downloads MZ/PE file

Stops running service(s)

Drops file in Drivers directory

Reads user/profile data of web browsers

.NET Reactor proctector

Checks computer location settings

Loads dropped DLL

Drops startup file

Executes dropped EXE

UPX packed file

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks installed software on the system

Enumerates connected drives

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-04 21:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-04 21:59

Reported

2023-10-04 22:02

Platform

win10v2004-20230915-en

Max time kernel

148s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-HBN9M.tmp\8758677____.exe N/A

Stops running service(s)

evasion

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\GWP4KofhfIYuzA4EiSjezH0T.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-HBN9M.tmp\8758677____.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qOWhjZizlglJjduVRa2SLAlt.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C15TzV5zRquG8x74QAtXcJc5.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eEwfVj8TJew9WCoi3wRRbvUV.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LTCqEN1tta6kt6H1ZmrMs74l.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RpZdvzy1Wdgo8Bg3vdCl7cPT.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ho3HAsQx0ikjWLzufmdxMqRZ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WdS6bGGwlzZ6mn78cG2Ap9lj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GWQ0uTSR2Ski2m0ai4a9B6pk.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\orpUCKF7S9sD7sVMbQ4rFNoE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hm8wxQsLH4OcEGXtFfqFoAP6.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RrRIGwbgu9uh1I43bSYBO1tj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RZ38SLrW2tg2pam3zMqW9ftF.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zlLxYhboRgNAhhHBU0rKqifT.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\9houtFKfLTgTwNkRHXlESVQI.exe N/A
N/A N/A C:\Users\Admin\Pictures\GWP4KofhfIYuzA4EiSjezH0T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\Pictures\nd4dO5Cm2viGaldzJUK4AxMO.exe N/A
N/A N/A C:\Users\Admin\Pictures\X8DYN3qcydMxCLsBGTCqd1ND.exe N/A
N/A N/A C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe N/A
N/A N/A C:\Users\Admin\Pictures\spqLjtcdy6Q0o3xmiaGTwEf1.exe N/A
N/A N/A C:\Users\Admin\Pictures\iv0CMREJRKUqnSSkzeBLYslC.exe N/A
N/A N/A C:\Users\Admin\Pictures\erc7tI7zJy02OYEDTl7MVr03.exe N/A
N/A N/A C:\Users\Admin\Pictures\2obzXmTyaFF8LAsRWVhhD5Wb.exe N/A
N/A N/A C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3U6KN.tmp\X8DYN3qcydMxCLsBGTCqd1ND.tmp N/A
N/A N/A C:\Users\Admin\Pictures\hCZ4u3Nsyu6vhTw3Y7MoiugZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2K3L5.tmp\hCZ4u3Nsyu6vhTw3Y7MoiugZ.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HBN9M.tmp\8758677____.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2BGQD.tmp\_isetup\_setup64.tmp N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
N/A N/A C:\Program Files\Java\LCMSBKTLPK\lightcleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0-b1806-82a-e5cbf-4c82c1d54a59b\Cydexeqecae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\assistant_installer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Mujugeshebu.exe\"" C:\Users\Admin\AppData\Local\Temp\is-HBN9M.tmp\8758677____.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigitalPulse = "\"C:\\Users\\Admin\\AppData\\Roaming\\DigitalPulse\\DigitalPulseService.exe\" 5333:::clickId=:::srcId=" C:\Users\Admin\AppData\Local\Temp\is-2K3L5.tmp\hCZ4u3Nsyu6vhTw3Y7MoiugZ.tmp N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1516 set thread context of 4492 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 6132 set thread context of 5404 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 6132 set thread context of 2180 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-15H57.tmp C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-1HOUI.tmp C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\Reference Assemblies\Mujugeshebu.exe.config C:\Users\Admin\AppData\Local\Temp\is-HBN9M.tmp\8758677____.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\VTRegScan.dll C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Mujugeshebu.exe C:\Users\Admin\AppData\Local\Temp\is-HBN9M.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-PGRE3.tmp C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\LightCleaner.exe C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\CircularProgressBar.dll C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-PJ3Q7.tmp C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-D5KE0.tmp C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp N/A
File created C:\Program Files\Java\LCMSBKTLPK\lightcleaner.exe C:\Users\Admin\AppData\Local\Temp\is-HBN9M.tmp\8758677____.exe N/A
File created C:\Program Files\Java\LCMSBKTLPK\lightcleaner.exe.config C:\Users\Admin\AppData\Local\Temp\is-HBN9M.tmp\8758677____.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe N/A
N/A N/A C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2K3L5.tmp\hCZ4u3Nsyu6vhTw3Y7MoiugZ.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2K3L5.tmp\hCZ4u3Nsyu6vhTw3Y7MoiugZ.tmp N/A
N/A N/A C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe N/A
N/A N/A C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe N/A
N/A N/A C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe N/A
N/A N/A C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe N/A
N/A N/A C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe N/A
N/A N/A C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe N/A
N/A N/A C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe N/A
N/A N/A C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe N/A
N/A N/A C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\spqLjtcdy6Q0o3xmiaGTwEf1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-HBN9M.tmp\8758677____.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2K3L5.tmp\hCZ4u3Nsyu6vhTw3Y7MoiugZ.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1516 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 1516 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 1516 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 1516 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 1516 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 1516 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 1516 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 1516 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 4492 wrote to memory of 3784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\9houtFKfLTgTwNkRHXlESVQI.exe
PID 4492 wrote to memory of 3784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\9houtFKfLTgTwNkRHXlESVQI.exe
PID 4492 wrote to memory of 3784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\9houtFKfLTgTwNkRHXlESVQI.exe
PID 4492 wrote to memory of 260 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\GWP4KofhfIYuzA4EiSjezH0T.exe
PID 4492 wrote to memory of 260 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\GWP4KofhfIYuzA4EiSjezH0T.exe
PID 4492 wrote to memory of 260 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\GWP4KofhfIYuzA4EiSjezH0T.exe
PID 260 wrote to memory of 3408 N/A C:\Users\Admin\Pictures\GWP4KofhfIYuzA4EiSjezH0T.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 260 wrote to memory of 3408 N/A C:\Users\Admin\Pictures\GWP4KofhfIYuzA4EiSjezH0T.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 260 wrote to memory of 3408 N/A C:\Users\Admin\Pictures\GWP4KofhfIYuzA4EiSjezH0T.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 3408 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 3408 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 3408 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 3408 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\is-2BGQD.tmp\_isetup\_setup64.tmp
PID 4520 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\is-2BGQD.tmp\_isetup\_setup64.tmp
PID 4520 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\is-2BGQD.tmp\_isetup\_setup64.tmp
PID 4520 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4520 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4520 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4520 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4520 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4520 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4520 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4520 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4520 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4520 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4520 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4520 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4492 wrote to memory of 388 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\nd4dO5Cm2viGaldzJUK4AxMO.exe
PID 4492 wrote to memory of 388 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\nd4dO5Cm2viGaldzJUK4AxMO.exe
PID 4492 wrote to memory of 388 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\nd4dO5Cm2viGaldzJUK4AxMO.exe
PID 4492 wrote to memory of 4408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\X8DYN3qcydMxCLsBGTCqd1ND.exe
PID 4492 wrote to memory of 4408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\X8DYN3qcydMxCLsBGTCqd1ND.exe
PID 4492 wrote to memory of 4408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\X8DYN3qcydMxCLsBGTCqd1ND.exe
PID 4492 wrote to memory of 2332 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe
PID 4492 wrote to memory of 2332 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe
PID 4492 wrote to memory of 3724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\spqLjtcdy6Q0o3xmiaGTwEf1.exe
PID 4492 wrote to memory of 3724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\spqLjtcdy6Q0o3xmiaGTwEf1.exe
PID 4492 wrote to memory of 3724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\spqLjtcdy6Q0o3xmiaGTwEf1.exe
PID 4492 wrote to memory of 4872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\iv0CMREJRKUqnSSkzeBLYslC.exe
PID 4492 wrote to memory of 4872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\iv0CMREJRKUqnSSkzeBLYslC.exe
PID 4492 wrote to memory of 4872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\iv0CMREJRKUqnSSkzeBLYslC.exe
PID 4492 wrote to memory of 3196 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\erc7tI7zJy02OYEDTl7MVr03.exe
PID 4492 wrote to memory of 3196 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\erc7tI7zJy02OYEDTl7MVr03.exe
PID 4492 wrote to memory of 3196 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\erc7tI7zJy02OYEDTl7MVr03.exe
PID 4492 wrote to memory of 4964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\2obzXmTyaFF8LAsRWVhhD5Wb.exe
PID 4492 wrote to memory of 4964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\2obzXmTyaFF8LAsRWVhhD5Wb.exe
PID 4492 wrote to memory of 1516 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe
PID 4492 wrote to memory of 1516 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe
PID 4492 wrote to memory of 1516 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe
PID 4408 wrote to memory of 1480 N/A C:\Users\Admin\Pictures\X8DYN3qcydMxCLsBGTCqd1ND.exe C:\Users\Admin\AppData\Local\Temp\is-3U6KN.tmp\X8DYN3qcydMxCLsBGTCqd1ND.tmp

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe

"C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe"

C:\Users\Admin\Pictures\X8DYN3qcydMxCLsBGTCqd1ND.exe

"C:\Users\Admin\Pictures\X8DYN3qcydMxCLsBGTCqd1ND.exe"

C:\Users\Admin\Pictures\iv0CMREJRKUqnSSkzeBLYslC.exe

"C:\Users\Admin\Pictures\iv0CMREJRKUqnSSkzeBLYslC.exe"

C:\Users\Admin\Pictures\spqLjtcdy6Q0o3xmiaGTwEf1.exe

"C:\Users\Admin\Pictures\spqLjtcdy6Q0o3xmiaGTwEf1.exe"

C:\Users\Admin\Pictures\erc7tI7zJy02OYEDTl7MVr03.exe

"C:\Users\Admin\Pictures\erc7tI7zJy02OYEDTl7MVr03.exe"

C:\Users\Admin\Pictures\nd4dO5Cm2viGaldzJUK4AxMO.exe

"C:\Users\Admin\Pictures\nd4dO5Cm2viGaldzJUK4AxMO.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\Pictures\GWP4KofhfIYuzA4EiSjezH0T.exe

"C:\Users\Admin\Pictures\GWP4KofhfIYuzA4EiSjezH0T.exe"

C:\Users\Admin\Pictures\9houtFKfLTgTwNkRHXlESVQI.exe

"C:\Users\Admin\Pictures\9houtFKfLTgTwNkRHXlESVQI.exe"

C:\Users\Admin\Pictures\2obzXmTyaFF8LAsRWVhhD5Wb.exe

"C:\Users\Admin\Pictures\2obzXmTyaFF8LAsRWVhhD5Wb.exe"

C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe

"C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe" --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\is-3U6KN.tmp\X8DYN3qcydMxCLsBGTCqd1ND.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3U6KN.tmp\X8DYN3qcydMxCLsBGTCqd1ND.tmp" /SL5="$501D6,491750,408064,C:\Users\Admin\Pictures\X8DYN3qcydMxCLsBGTCqd1ND.exe"

C:\Users\Admin\Pictures\hCZ4u3Nsyu6vhTw3Y7MoiugZ.exe

"C:\Users\Admin\Pictures\hCZ4u3Nsyu6vhTw3Y7MoiugZ.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe

C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2e0,0x2e4,0x2e8,0x294,0x2ec,0x6f028538,0x6f028548,0x6f028554

C:\Users\Admin\AppData\Local\Temp\is-2K3L5.tmp\hCZ4u3Nsyu6vhTw3Y7MoiugZ.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2K3L5.tmp\hCZ4u3Nsyu6vhTw3Y7MoiugZ.tmp" /SL5="$501D8,5025136,832512,C:\Users\Admin\Pictures\hCZ4u3Nsyu6vhTw3Y7MoiugZ.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\YwnxJEHLHb7lhTWr6W9CpjsJ.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\YwnxJEHLHb7lhTWr6W9CpjsJ.exe" --version

C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe

"C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1516 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231004215957" --session-guid=46efb799-9bf9-4619-ac1b-796de1aa0d1e --server-tracking-blob=NGE2MjQxYzRjZDUxMDVkNjNlMDRkNTdkNzMzMjZmYWUxODY1MDNlN2VlMzI5NDUxNjIwOTk2NmZmNmE4NGVkNzp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5NjQ1Njc4MS45NjY3IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiIxZDI5MDcwOS04OWE0LTQyYTUtODkyOS05MmRiOTQ4NjY4MGUifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=A405000000000000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe

C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2bc,0x2f8,0x6dc58538,0x6dc58548,0x6dc58554

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\is-HBN9M.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-HBN9M.tmp\8758677____.exe" /S /UID=lylal220

C:\Users\Admin\AppData\Local\Temp\is-2BGQD.tmp\_isetup\_setup64.tmp

helper 105 0x43C

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

C:\Users\Admin\AppData\Local\Temp\c0-b1806-82a-e5cbf-4c82c1d54a59b\Cydexeqecae.exe

"C:\Users\Admin\AppData\Local\Temp\c0-b1806-82a-e5cbf-4c82c1d54a59b\Cydexeqecae.exe"

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Program Files\Java\LCMSBKTLPK\lightcleaner.exe

"C:\Program Files\Java\LCMSBKTLPK\lightcleaner.exe" /VERYSILENT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 804

C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp" /SL5="$F0028,833775,56832,C:\Program Files\Java\LCMSBKTLPK\lightcleaner.exe" /VERYSILENT

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"

C:\Windows\System32\sc.exe

sc stop bits

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\assistant_installer.exe" --version

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x53e8a0,0x53e8b0,0x53e8bc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\8396806628.exe"

C:\Users\Admin\AppData\Local\Temp\8396806628.exe

"C:\Users\Admin\AppData\Local\Temp\8396806628.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "9houtFKfLTgTwNkRHXlESVQI.exe" /f & erase "C:\Users\Admin\Pictures\9houtFKfLTgTwNkRHXlESVQI.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1484

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "9houtFKfLTgTwNkRHXlESVQI.exe" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3196 -ip 3196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 684

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\8396806628.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
DE 148.251.234.93:443 yip.su tcp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 8.8.8.8:53 ji.fhauiehgha.com udp
US 8.8.8.8:53 jetpackdelivery.net udp
US 8.8.8.8:53 bolidare.beget.tech udp
US 8.8.8.8:53 lycheepanel.info udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 goboh2b.top udp
US 8.8.8.8:53 net.geo.opera.com udp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 d062.userscloud.net udp
US 8.8.8.8:53 link.storjshare.io udp
US 172.67.216.81:443 flyawayaero.net tcp
RU 91.106.207.50:80 bolidare.beget.tech tcp
US 136.0.77.2:443 link.storjshare.io tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 188.114.97.0:443 jetpackdelivery.net tcp
DE 168.119.140.62:443 d062.userscloud.net tcp
NL 13.227.219.122:443 downloads.digitalpulsedata.com tcp
US 104.21.32.208:443 lycheepanel.info tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 potatogoose.com udp
US 8.8.8.8:53 justsafepay.com udp
US 172.67.180.173:443 potatogoose.com tcp
US 188.114.96.0:443 justsafepay.com tcp
RU 45.8.228.16:80 goboh2b.top tcp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 143.144.217.85.in-addr.arpa udp
US 8.8.8.8:53 10.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 81.216.67.172.in-addr.arpa udp
US 8.8.8.8:53 2.77.0.136.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 122.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 208.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 62.140.119.168.in-addr.arpa udp
US 8.8.8.8:53 50.207.106.91.in-addr.arpa udp
US 8.8.8.8:53 173.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 16.228.8.45.in-addr.arpa udp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
BG 193.42.32.29:80 193.42.32.29 tcp
BG 193.42.32.29:80 193.42.32.29 tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 29.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 136.0.77.2:80 link.storjshare.io tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 20.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 m7val1dat0r.info udp
US 188.114.97.0:443 m7val1dat0r.info tcp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 download.opera.com udp
NL 185.26.182.118:443 features.opera-api2.com tcp
NL 185.26.182.122:443 download.opera.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 95.101.143.243:443 download3.operacdn.com tcp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 118.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 122.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 demo.seafile.com udp
DE 168.119.152.22:80 demo.seafile.com tcp
DE 168.119.152.22:443 demo.seafile.com tcp
US 8.8.8.8:53 243.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 22.152.119.168.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 connectini.net udp
GB 91.109.116.11:443 connectini.net tcp
US 8.8.8.8:53 11.116.109.91.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 vibrator.s3.pl-waw.scw.cloud udp
US 8.8.8.8:53 link.storjshare.io udp
US 136.0.77.2:443 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
PL 151.115.10.1:443 vibrator.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
DE 52.219.171.110:443 wewewe.s3.eu-central-1.amazonaws.com tcp
US 8.8.8.8:53 1.10.115.151.in-addr.arpa udp
US 8.8.8.8:53 110.171.219.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 360devtracking.com udp
GB 91.109.116.11:80 360devtracking.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 bapp.digitalpulsedata.com udp
CA 3.98.219.138:443 bapp.digitalpulsedata.com tcp
US 8.8.8.8:53 138.219.98.3.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
RU 5.42.64.10:80 5.42.64.10 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 script.google.com udp
DE 172.217.23.206:80 script.google.com tcp
US 8.8.8.8:53 22.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
DE 172.217.23.206:443 script.google.com tcp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
DE 5.75.216.44:27015 5.75.216.44 tcp
US 8.8.8.8:53 script.googleusercontent.com udp
NL 142.251.36.1:443 script.googleusercontent.com tcp
US 8.8.8.8:53 44.216.75.5.in-addr.arpa udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp

Files

memory/1516-1-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/1516-0-0x0000000000E70000-0x0000000000ECE000-memory.dmp

memory/1516-2-0x0000000005960000-0x00000000059FC000-memory.dmp

memory/1516-3-0x0000000006110000-0x00000000066B4000-memory.dmp

memory/1516-4-0x0000000005C60000-0x0000000005CF2000-memory.dmp

memory/1516-5-0x0000000005830000-0x0000000005840000-memory.dmp

memory/1516-6-0x0000000005840000-0x000000000584A000-memory.dmp

memory/1516-7-0x0000000005B00000-0x0000000005B44000-memory.dmp

memory/1516-8-0x0000000005F10000-0x0000000005F2A000-memory.dmp

memory/4492-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4492-11-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/4492-12-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

memory/1516-13-0x0000000074430000-0x0000000074BE0000-memory.dmp

C:\Users\Admin\Pictures\GWP4KofhfIYuzA4EiSjezH0T.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\9houtFKfLTgTwNkRHXlESVQI.exe

MD5 2565bdf6fc65a0c1568391c5b354e4a2
SHA1 b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502
SHA256 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697
SHA512 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449

C:\Users\Admin\Pictures\9houtFKfLTgTwNkRHXlESVQI.exe

MD5 2565bdf6fc65a0c1568391c5b354e4a2
SHA1 b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502
SHA256 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697
SHA512 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449

C:\Users\Admin\Pictures\X8DYN3qcydMxCLsBGTCqd1ND.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\nd4dO5Cm2viGaldzJUK4AxMO.exe

MD5 006ad74c21256de16ed0f79f760dc2da
SHA1 03372373476c4ffad5a4016950e5834451872c3f
SHA256 c4410af6b21ec0894ede95baaf3314f8260ab62051abe107b83b5c3d091e97f4
SHA512 c7184ab98553159d9b05ef3a3ec5a3036159683a7aed963193a77b17df900ba8fd7dedf85fa67525acc6bd3bdfc403f8622a8c3c6edcac38abb5c79f432e43df

C:\Users\Admin\Pictures\nd4dO5Cm2viGaldzJUK4AxMO.exe

MD5 006ad74c21256de16ed0f79f760dc2da
SHA1 03372373476c4ffad5a4016950e5834451872c3f
SHA256 c4410af6b21ec0894ede95baaf3314f8260ab62051abe107b83b5c3d091e97f4
SHA512 c7184ab98553159d9b05ef3a3ec5a3036159683a7aed963193a77b17df900ba8fd7dedf85fa67525acc6bd3bdfc403f8622a8c3c6edcac38abb5c79f432e43df

C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\spqLjtcdy6Q0o3xmiaGTwEf1.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\spqLjtcdy6Q0o3xmiaGTwEf1.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\X8DYN3qcydMxCLsBGTCqd1ND.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\spqLjtcdy6Q0o3xmiaGTwEf1.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\erc7tI7zJy02OYEDTl7MVr03.exe

MD5 f1e756b85ee7ddbd40d3a4213956c693
SHA1 c728d9c975e8e2562210da21ca9a43f8a12c21aa
SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA512 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8

memory/4408-128-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\Pictures\iv0CMREJRKUqnSSkzeBLYslC.exe

MD5 ea6ab6fe8ecdb80d9bfff2e4955850a0
SHA1 7d290d99217454b9b4c5133349ce165c56bc763e
SHA256 0e3d94e1f3a765bf1c7fbb407619cc07b3b24741b0f7f87283aff58483b82072
SHA512 3a531e97ebda276f9284bdb352fdbbb04bddb7915bccd815437d959f4a8405f9770c6f46dcd0070a1991e88b654665bc87c748c173765b30d3b7329af86999bf

C:\Users\Admin\Pictures\iv0CMREJRKUqnSSkzeBLYslC.exe

MD5 ea6ab6fe8ecdb80d9bfff2e4955850a0
SHA1 7d290d99217454b9b4c5133349ce165c56bc763e
SHA256 0e3d94e1f3a765bf1c7fbb407619cc07b3b24741b0f7f87283aff58483b82072
SHA512 3a531e97ebda276f9284bdb352fdbbb04bddb7915bccd815437d959f4a8405f9770c6f46dcd0070a1991e88b654665bc87c748c173765b30d3b7329af86999bf

C:\Users\Admin\Pictures\RGsMYALGJeww8LSEL3uOkF8y.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\nd4dO5Cm2viGaldzJUK4AxMO.exe

MD5 006ad74c21256de16ed0f79f760dc2da
SHA1 03372373476c4ffad5a4016950e5834451872c3f
SHA256 c4410af6b21ec0894ede95baaf3314f8260ab62051abe107b83b5c3d091e97f4
SHA512 c7184ab98553159d9b05ef3a3ec5a3036159683a7aed963193a77b17df900ba8fd7dedf85fa67525acc6bd3bdfc403f8622a8c3c6edcac38abb5c79f432e43df

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\GWP4KofhfIYuzA4EiSjezH0T.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\GWP4KofhfIYuzA4EiSjezH0T.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\9houtFKfLTgTwNkRHXlESVQI.exe

MD5 2565bdf6fc65a0c1568391c5b354e4a2
SHA1 b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502
SHA256 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697
SHA512 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449

C:\Users\Admin\Pictures\I5G2LqTvpx265wLNO9WhB1Dy.exe

MD5 dde72ae232dc63298465861482d7bb93
SHA1 557c5dbebc35bc82280e2a744a03ce5e78b3e6fb
SHA256 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
SHA512 389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

C:\Users\Admin\Pictures\nhsYwCqSeCkj8YNMneXPCx6M.exe

MD5 24fe48030f7d3097d5882535b04c3fa8
SHA1 a689a999a5e62055bda8c21b1dbe92c119308def
SHA256 424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e
SHA512 45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

memory/3724-133-0x0000000000F20000-0x000000000123C000-memory.dmp

memory/3724-130-0x0000000074430000-0x0000000074BE0000-memory.dmp

C:\Users\Admin\Pictures\erc7tI7zJy02OYEDTl7MVr03.exe

MD5 f1e756b85ee7ddbd40d3a4213956c693
SHA1 c728d9c975e8e2562210da21ca9a43f8a12c21aa
SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA512 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8

C:\Users\Admin\Pictures\X8DYN3qcydMxCLsBGTCqd1ND.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/4408-139-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\Pictures\erc7tI7zJy02OYEDTl7MVr03.exe

MD5 f1e756b85ee7ddbd40d3a4213956c693
SHA1 c728d9c975e8e2562210da21ca9a43f8a12c21aa
SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA512 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8

C:\Users\Admin\Pictures\2obzXmTyaFF8LAsRWVhhD5Wb.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\2obzXmTyaFF8LAsRWVhhD5Wb.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\2obzXmTyaFF8LAsRWVhhD5Wb.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe

MD5 6d56842bf0d10002a6827764a630ed06
SHA1 e1da0b45cfb508752677bc71f05256fc28219926
SHA256 913a0abefaa3e9dd6cc9e7bc4d801f9fc6772ff58633150f3f5c7b37d1bc1f99
SHA512 ba67bfeaef7a4b0592c0be7470bbfbf4f49d69e7f2da65a897fb45bdb9159cc2b42d7374be433d7a518a01438e4081a30a8f09bad6cf093eb8059cecf03634e5

memory/4964-163-0x00007FF6154F0000-0x00007FF6155DC000-memory.dmp

C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe

MD5 6d56842bf0d10002a6827764a630ed06
SHA1 e1da0b45cfb508752677bc71f05256fc28219926
SHA256 913a0abefaa3e9dd6cc9e7bc4d801f9fc6772ff58633150f3f5c7b37d1bc1f99
SHA512 ba67bfeaef7a4b0592c0be7470bbfbf4f49d69e7f2da65a897fb45bdb9159cc2b42d7374be433d7a518a01438e4081a30a8f09bad6cf093eb8059cecf03634e5

C:\Users\Admin\AppData\Local\Temp\is-3U6KN.tmp\X8DYN3qcydMxCLsBGTCqd1ND.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

memory/1516-178-0x0000000000A60000-0x0000000000FAD000-memory.dmp

memory/3724-176-0x0000000005D50000-0x0000000005F12000-memory.dmp

C:\Users\Admin\Pictures\hCZ4u3Nsyu6vhTw3Y7MoiugZ.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

C:\Users\Admin\Pictures\hCZ4u3Nsyu6vhTw3Y7MoiugZ.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

memory/3724-185-0x0000000005CC0000-0x0000000005D26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042159480331516.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/3724-187-0x0000000005FE0000-0x0000000005FF0000-memory.dmp

memory/4616-188-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\hCZ4u3Nsyu6vhTw3Y7MoiugZ.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

memory/4492-191-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/4616-192-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe

MD5 6d56842bf0d10002a6827764a630ed06
SHA1 e1da0b45cfb508752677bc71f05256fc28219926
SHA256 913a0abefaa3e9dd6cc9e7bc4d801f9fc6772ff58633150f3f5c7b37d1bc1f99
SHA512 ba67bfeaef7a4b0592c0be7470bbfbf4f49d69e7f2da65a897fb45bdb9159cc2b42d7374be433d7a518a01438e4081a30a8f09bad6cf093eb8059cecf03634e5

memory/4492-197-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

memory/3044-198-0x0000000000A60000-0x0000000000FAD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042159509083044.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\890696111233

MD5 3b02160742ab93cddc29ccc12b020a0b
SHA1 8533ca2763da974a2997f088202145933ce9415d
SHA256 52ddf2f9f5a1dc4ffc180c40c96990d7315fae8b0f4448732df6b6e54f70ad22
SHA512 4569ea85544df7b7e0ed95431d92ceeaa225c552d7494a37bd5c17c38e7627bfad7bf22bcde4bdb38b4dd7a6916fb6b6354c1350ecaaed17fbf6b7bb9b248a80

memory/2332-215-0x00007FF6B8690000-0x00007FF6B8BD3000-memory.dmp

C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe

MD5 6d56842bf0d10002a6827764a630ed06
SHA1 e1da0b45cfb508752677bc71f05256fc28219926
SHA256 913a0abefaa3e9dd6cc9e7bc4d801f9fc6772ff58633150f3f5c7b37d1bc1f99
SHA512 ba67bfeaef7a4b0592c0be7470bbfbf4f49d69e7f2da65a897fb45bdb9159cc2b42d7374be433d7a518a01438e4081a30a8f09bad6cf093eb8059cecf03634e5

C:\Users\Admin\AppData\Local\Temp\is-2K3L5.tmp\hCZ4u3Nsyu6vhTw3Y7MoiugZ.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

memory/4408-219-0x0000000000400000-0x000000000046A000-memory.dmp

memory/3724-227-0x0000000074430000-0x0000000074BE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\YwnxJEHLHb7lhTWr6W9CpjsJ.exe

MD5 6d56842bf0d10002a6827764a630ed06
SHA1 e1da0b45cfb508752677bc71f05256fc28219926
SHA256 913a0abefaa3e9dd6cc9e7bc4d801f9fc6772ff58633150f3f5c7b37d1bc1f99
SHA512 ba67bfeaef7a4b0592c0be7470bbfbf4f49d69e7f2da65a897fb45bdb9159cc2b42d7374be433d7a518a01438e4081a30a8f09bad6cf093eb8059cecf03634e5

memory/1480-229-0x0000000002160000-0x0000000002161000-memory.dmp

memory/4668-231-0x00000000025E0000-0x00000000025E1000-memory.dmp

memory/1892-232-0x0000000000460000-0x00000000009AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042159558301892.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042159558301892.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1892-237-0x0000000000460000-0x00000000009AD000-memory.dmp

memory/4408-238-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-HBN9M.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/3724-242-0x0000000007070000-0x000000000759C000-memory.dmp

memory/1516-245-0x0000000000A60000-0x0000000000FAD000-memory.dmp

C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe

MD5 6d56842bf0d10002a6827764a630ed06
SHA1 e1da0b45cfb508752677bc71f05256fc28219926
SHA256 913a0abefaa3e9dd6cc9e7bc4d801f9fc6772ff58633150f3f5c7b37d1bc1f99
SHA512 ba67bfeaef7a4b0592c0be7470bbfbf4f49d69e7f2da65a897fb45bdb9159cc2b42d7374be433d7a518a01438e4081a30a8f09bad6cf093eb8059cecf03634e5

memory/1480-247-0x0000000000400000-0x0000000000513000-memory.dmp

memory/4616-249-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042159582671720.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1720-251-0x0000000000A60000-0x0000000000FAD000-memory.dmp

C:\Users\Admin\Pictures\YwnxJEHLHb7lhTWr6W9CpjsJ.exe

MD5 6d56842bf0d10002a6827764a630ed06
SHA1 e1da0b45cfb508752677bc71f05256fc28219926
SHA256 913a0abefaa3e9dd6cc9e7bc4d801f9fc6772ff58633150f3f5c7b37d1bc1f99
SHA512 ba67bfeaef7a4b0592c0be7470bbfbf4f49d69e7f2da65a897fb45bdb9159cc2b42d7374be433d7a518a01438e4081a30a8f09bad6cf093eb8059cecf03634e5

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042159592362264.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/2264-256-0x0000000000A60000-0x0000000000FAD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 a37576fc5fa0dcc85083ff0b103dd750
SHA1 616abf5d5f7a3710585a29cb93e8ce7b77a41fe5
SHA256 7df4de96e7cd591de2be31f60545d76cdc7777a59e527ae0fe668ae641dc993e
SHA512 9c2b4cf1c1a77b8b4a172f6462471ca91461af914afd3b4e185760fe28202815ee18d9085785adcfd6e3b778d0a88857dc3362a426a4a3685be0aa467ac7b04a

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 a37576fc5fa0dcc85083ff0b103dd750
SHA1 616abf5d5f7a3710585a29cb93e8ce7b77a41fe5
SHA256 7df4de96e7cd591de2be31f60545d76cdc7777a59e527ae0fe668ae641dc993e
SHA512 9c2b4cf1c1a77b8b4a172f6462471ca91461af914afd3b4e185760fe28202815ee18d9085785adcfd6e3b778d0a88857dc3362a426a4a3685be0aa467ac7b04a

memory/3724-274-0x0000000005FE0000-0x0000000005FF0000-memory.dmp

memory/496-275-0x00007FFBE9990000-0x00007FFBEA451000-memory.dmp

memory/4964-281-0x00000000036A0000-0x00000000037D1000-memory.dmp

memory/496-285-0x000001EAADD50000-0x000001EAADD60000-memory.dmp

memory/3724-291-0x0000000005FE0000-0x0000000005FF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ijbf15ip.5xy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/496-296-0x000001EAC6D30000-0x000001EAC6D52000-memory.dmp

memory/4964-298-0x0000000003520000-0x0000000003691000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 abc13f9f2a9e05b8ed2f4d60a77f3201
SHA1 c01b555faad9f5b081cdef3d45ff967fb548486a
SHA256 79e9db2332fc8db14bd806c58bb05cc860204f150ab6ab54cf2c5945b76ac875
SHA512 6b27fe2925e0be129f75b3e07a9fc1ec08e9594f184e8a7f865b520f882b7dc5fd7592d13d928fc862bbd3451d3251a8e5f73cf65a6ab4604a2de00a05d476d0

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

memory/2332-307-0x00007FF6B8690000-0x00007FF6B8BD3000-memory.dmp

memory/4668-309-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-HBN9M.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/3728-315-0x000001D701910000-0x000001D701994000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-HBN9M.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/1480-317-0x0000000000400000-0x0000000000513000-memory.dmp

memory/3728-319-0x000001D701D30000-0x000001D701D92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-2BGQD.tmp\_isetup\_setup64.tmp

MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

memory/3728-323-0x000001D703700000-0x000001D70375E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-2K3L5.tmp\hCZ4u3Nsyu6vhTw3Y7MoiugZ.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

memory/4668-343-0x0000000000400000-0x000000000071C000-memory.dmp

memory/3724-344-0x0000000005FE0000-0x0000000005FF0000-memory.dmp

memory/3728-345-0x00007FFBE9990000-0x00007FFBEA451000-memory.dmp

memory/3728-346-0x000001D7037D0000-0x000001D7037E0000-memory.dmp

memory/4668-347-0x00000000025E0000-0x00000000025E1000-memory.dmp

memory/496-352-0x00007FFBE9990000-0x00007FFBEA451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\opera_package

MD5 1b4af0087d5df808f26f57534a532aa9
SHA1 d32d1fcecbef0e361d41943477a1df25114ce7af
SHA256 22c21ff3d0f5af1c2191318ea12921cfd5434afc32c0641d58fd3f3a218ea111
SHA512 e5a32022fd08464a24c89819703fd9f05c75bd5b47392aae186b96a8e1146fb0c98cda14bfec9a1393c0cdde706db77d32e7a9a86e4611c72103265982d31e07

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

C:\Users\Admin\AppData\Local\Temp\c0-b1806-82a-e5cbf-4c82c1d54a59b\Cydexeqecae.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

memory/5932-404-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c0-b1806-82a-e5cbf-4c82c1d54a59b\Cydexeqecae.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Program Files\Java\LCMSBKTLPK\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\c0-b1806-82a-e5cbf-4c82c1d54a59b\Cydexeqecae.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\c0-b1806-82a-e5cbf-4c82c1d54a59b\Cydexeqecae.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Program Files\Java\LCMSBKTLPK\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

memory/4668-393-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Program Files\Java\LCMSBKTLPK\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

memory/4616-411-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/5932-410-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3728-414-0x00007FFBE9990000-0x00007FFBEA451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/5944-416-0x00000000012D0000-0x00000000012E0000-memory.dmp

memory/5944-425-0x000000006C220000-0x000000006C7D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-BBABB.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1480-430-0x0000000000400000-0x0000000000513000-memory.dmp

memory/6076-433-0x0000000002110000-0x0000000002111000-memory.dmp

memory/4408-441-0x0000000000400000-0x000000000046A000-memory.dmp

memory/2332-446-0x00007FF6B8690000-0x00007FF6B8BD3000-memory.dmp

memory/3724-448-0x0000000005FE0000-0x0000000005FF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

memory/4964-447-0x00000000036A0000-0x00000000037D1000-memory.dmp

memory/5944-457-0x000000006C220000-0x000000006C7D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 8b72082bb0f4c35437e62f02b8592fd6
SHA1 8c4f5663b7b5a406a8877f150b6f2e69a763b1d5
SHA256 e993f2c46f5d7eab9ebbfbc72d07f75689dd30e9ae909b38f22172777b269dbc
SHA512 10b910a606e58d187e3b986be894c6cd24b2165eca470de6b403054721f5370e56b5f8868b0258d91acebd823dbb8109006b116431418af9fa770331136a7fc6

C:\Users\Admin\AppData\Local\Temp\is-PTFEM.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/6076-493-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/5932-499-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\assistant_installer.exe

MD5 0d88834a56d914983a2fe03d6c8c7a83
SHA1 e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35
SHA256 e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53
SHA512 95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\dbgcore.dll

MD5 15a2bc75539a13167028a3d2940bf40a
SHA1 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86
SHA256 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693
SHA512 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\dbgcore.dll

MD5 15a2bc75539a13167028a3d2940bf40a
SHA1 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86
SHA256 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693
SHA512 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\assistant_installer.exe

MD5 0d88834a56d914983a2fe03d6c8c7a83
SHA1 e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35
SHA256 e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53
SHA512 95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\dbgcore.DLL

MD5 15a2bc75539a13167028a3d2940bf40a
SHA1 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86
SHA256 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693
SHA512 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042159571\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

memory/2332-517-0x00007FF6B8690000-0x00007FF6B8BD3000-memory.dmp

memory/3724-518-0x0000000005FE0000-0x0000000005FF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

memory/6132-535-0x00007FF676E60000-0x00007FF6773A3000-memory.dmp

memory/2652-541-0x00007FFBE99C0000-0x00007FFBEA481000-memory.dmp

memory/2652-546-0x000001B14E850000-0x000001B14E860000-memory.dmp

memory/2652-547-0x000001B14E850000-0x000001B14E860000-memory.dmp

memory/2652-558-0x000001B14EBE0000-0x000001B14EBFC000-memory.dmp

memory/2652-559-0x000001B14EC00000-0x000001B14ECB5000-memory.dmp

memory/2652-561-0x000001B14ECC0000-0x000001B14ECCA000-memory.dmp

memory/2652-562-0x00007FF468F50000-0x00007FF468F60000-memory.dmp

memory/2652-563-0x000001B14F070000-0x000001B14F08C000-memory.dmp

memory/6132-578-0x00007FF676E60000-0x00007FF6773A3000-memory.dmp

memory/2180-580-0x0000000000F10000-0x0000000000F30000-memory.dmp

memory/6132-581-0x00007FF676E60000-0x00007FF6773A3000-memory.dmp

memory/5404-586-0x00007FF781D90000-0x00007FF781DA3000-memory.dmp

memory/2180-587-0x00007FF7D1AF0000-0x00007FF7D2330000-memory.dmp

C:\ProgramData\79368447517636664473879976

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\15C84F85-BD31-4900-BC95-4F144A2A85DB\x-none.16\stream.x64.x-none.dat.cat

MD5 13e2674d1e5118dc8547264aa2b8654b
SHA1 60b0f7065882e839d6a80f1263f9f60a8efa26bd
SHA256 320ae5c50698f4553758c71c37135cf390c06f355cfb3b8cc18dae85ead16944
SHA512 b399d85720844dbcb7220b05a186cd0cf46e3307c8afbebbbdcd132be5aa9f936482ba5743764acd12df256a2b2249a0b06ef7365286c66912db02634cd18bda

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml

MD5 e52262399745fe981a7fba69c55f09dc
SHA1 795a06836db2ead992013b55d2d5a87420be43e7
SHA256 838e2cd11573dfcbb74c47621b30c5a7b62b2a063a41282a8e117b7b8fd5ebbc
SHA512 4b146141538edc8428d0bb0c8f314e3cc2f87e9888a82471f5c870a0779655944f8cfc34f5bc7bb2769d08d3ef3bac2cdf4f428d970bc1b480bce722a3b0291e

C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml

MD5 e4b9cc9585f7c7605c9b9ffbb6b2f621
SHA1 c0719259211262ee6f0fea428bba4fb5f7cfae08
SHA256 e3fe8fc8edfe491475b3ca4dc91b111e8b8ed5eac2594b12e86c2ca9e1da1477
SHA512 bbfae4ff1b1c5fe0ef2999ea0c2fc82ab392eb9780c3293626c519b12c00e0450f69db0942bd44afe2984f6a5a3d0bedc276da48d8a9654c7dc037e58d6bcad0

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-04 21:59

Reported

2023-10-04 22:02

Platform

win7-20230831-en

Max time kernel

142s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2380 set thread context of 2632 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{522270D1-6301-11EE-9E4B-C6D3BD361474} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402618651" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5073cf270ef7d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b0000000002000000000010660000000100002000000053ee0b4838d4bb83cb1879e91d3ef7edcc1a46f6151888db58aa648548cfdedc000000000e8000000002000020000000e1175b44a1f7ac8277acf64eca429886d806178c8109f923132d6a33d48e7f3b90000000023afdda28c43070284a892764bd4888f4fcd4e55fa6ba31903eee99c62559a3b3ac76139ff06deefb68463d0e19f5ca3f4872afbf6e98506ce8f6479715e11f75a2020789f5bd26f77516ed333e89b5c682945eda5e96db1f93a419ff239c2f42dbae07cb17f55f81a3830f88fd520a5c2de0854568c14978b5904c74d19d9654bb9758bd7ed7ba75f3b36ae94689df400000008c781566caf6aaf8b78f7c51ba96f76a4e904cb3b128daf9e5e4b6c3da3e6ec0689d22bd7b8b2c669d666dd5b86d5c7037abe6c61b6779a04f05c0db1a975917 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b00000000020000000000106600000001000020000000db3f1f2cdd23ed0155722a703b810dc70c861a7ef28141a69ee44a8ce2d72d6b000000000e8000000002000020000000147a71c81871df2ecf103ca2a484f6fb510845c14eb04e40c5a4cff9a90ab07620000000a005ef643b5b8ce53c583393f014bb1a2925f0bf6c19f24dbe076f6e595c03da400000001d4e6d1cf09d0d2cd52560b3e5db410087b0c0891e0fd0ff90b58e450b241e6a450fc91f46e69176554e9f26ac84290f7a76799408c93a1bb2bc350d87d05eaf C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
PID 2380 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
PID 2380 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
PID 2380 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
PID 2380 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2380 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2380 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2380 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2380 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
PID 2380 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
PID 2380 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
PID 2380 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
PID 2380 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
PID 2380 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
PID 2380 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
PID 2380 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
PID 2380 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2380 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2380 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2380 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2380 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2380 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2380 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2380 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2380 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2380 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2380 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2380 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2632 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2632 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2632 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2632 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2928 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2928 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2928 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2928 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ServiceModelReg.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2380-0-0x0000000000980000-0x00000000009DE000-memory.dmp

memory/2380-1-0x00000000748B0000-0x0000000074F9E000-memory.dmp

memory/2380-2-0x0000000004850000-0x0000000004890000-memory.dmp

memory/2380-3-0x0000000004780000-0x00000000047C4000-memory.dmp

memory/2380-4-0x0000000000490000-0x00000000004AA000-memory.dmp

memory/2632-5-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2632-7-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2632-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2380-10-0x00000000748B0000-0x0000000074F9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7EB2.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar7F53.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8fe5d3e74d5af04756f522905112bc23
SHA1 7cb1c7b0ada1be6b17d136b5b838b32d6d72a876
SHA256 82cedd92630dd865218d6be04bb05c7e3b6170992fd64c8f844eef5d8d073d7a
SHA512 e17d455899b3a0c6589dc433f5410930f0fd87340186cbcda59c180c336ce05dbec1cc832fdd77afeab19b77f617a1171cebc89e8f66f2cbd40226216dfc2ecb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 19c67cd74d7508ebedda3688fd88df41
SHA1 37f8cea106f0a54cf226d0b776424bf65fed6686
SHA256 a82fe8fd6e9fdf1cff26fad7dc99116c0486d6bd229fddf6b3f9fd2b9a38acd1
SHA512 1241b0b7a4f9f425f1dae6f660e642393c6d377328d8f974f379b0fe6ff4f0b3eefd9f5dd0746ac4412878e11844ec744251350e7e2496853a93106941beeef8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b6aab6f587310ec16d5fd3ca06e8257
SHA1 eb2dcf116a04c02a4e15a8cedf36d337db294f5e
SHA256 23c452702682dcbfa136c0cabe2b734bfa23b6ece4ad09cd7e1a2e10f17760ad
SHA512 903e811c7d154fa8d9dc77a72b8f0316a8ee283e2c804a1a191c0b3a53653ebca7bcbae6e4d094d2cb39a4a746bfddbbadc6721d693d43dcd35e9082efd0f581

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e05e30f40281aa9f43b0326270a72b13
SHA1 d9817fd4522c3f017e84c10419f232e76cf25493
SHA256 bc093d539b48611dda92d9aa58d2a1c9ffbf1c74e5a9bf72eaaffd1938f74751
SHA512 326114dabfe430a56ebf1fbcb9f7a09f9635bc3b641c12110d893589c342482be83a01a48cdc24852e2e609e05f30140350884a7e6efcd03fef8190cae010a53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b2df7f937b325533f30e0c229d21554
SHA1 4b0fea87ac7740831be6b715edb11120474647f9
SHA256 55e8f7886833a2b8a6033747ab11807117f136ea335ca191ae6c052f3530e6b8
SHA512 c533a27ec54007030bde5b85c92e1dfc8ef8d25436cc38d83e6f3387e3650831c09071fe5786534fa8b65b5c6554b794ef41bd908e6cb011ef482aa95de3272b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0bc6cf6821e56bfc8cfa8b7a3179049
SHA1 0ef2105ce5bc4ccb352a5182ba90688928333875
SHA256 68b6ef8995df601d5ecd9ff4ec120d4e804f0cefec546d77d48df8abee1fac68
SHA512 0843c48ff23a978266c22c2f928da1522be9e30acb9c3462e8aad29413c1e6a1dac47228b4fccf9e22d0514e211182cf5a48c03bea47d28e0b33ac2bb82b9c34

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a159d29d0919207565cec8a9d5d61fa
SHA1 77c9d28bde41e454199fec22c2e70aca80215fee
SHA256 f00d4063ec54d5d6bb3c150b3c9ebf742e31eeb0b978c4fce78cca19021fed1c
SHA512 70b1d2f075f6eeb0ad690bea26a87bdfb5c3ab113c91df65d4093a6be6664ac363155daedbf598db336220194d12c9106924dcd6a8849b85b277b709c915731d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ed15420eb5228902f8aed44eb738f34
SHA1 75cf44bf4225208a7ad07ca7c2f0be3f810b634d
SHA256 f443a2390c970bade2ab5cc00806e702ad9975d17b911c1ef37f0604bde6cdc7
SHA512 a4b1657d683a9dc14f2334346daaf3bc7719b1e2851525031c6b146d73e40b0e96f950802741ac94e8cdd9ad1dde9ac5bbdafbd912862a440008bd5c4a2894be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35e1d027549be30708771f6258417c4f
SHA1 ef753291d647c72943d72d8598cb6030777d2b3b
SHA256 0c011440d47f5ec611fa325bcf32ec7d9279a2581f8b26d6df37a4f0de7e054e
SHA512 acd1273499fbcfc002975825520f4011c99301622f17ccaa2b311b855d1624ae6f31723d8ac48cb1336a98c4bc3ee82285022ef38f760dc38f1d2e4c61e2fbe7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 44eaf04de4a6a52ba10585a02d884b25
SHA1 8cc0df930c0e5cc8ab65109de4307098cee7e018
SHA256 b6b94e6fac9620ab76fda6c0bf25df4f1c98bf707469ca6b55336104f8f4a0e9
SHA512 dd789f9ebb0ae692be58d6cbfde1a782158d81a35c3ecab9111a76f3c4feb86a397eba0bf8c8b8e4ca4f30b1a834061dde1ef4183e40937e003b0f9b1d3329fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b8e75101f2a32083cc4659d0c46d9f9b
SHA1 0aefa0e085011e77671a603df47b9ec90794b5a0
SHA256 aa80e2835c5bb63b0b93e5c503ed99376f69b0021678af0d92abcd6b28d49b23
SHA512 951b86c24d186e33754e993a675e1921f448e222ab2808e7dc0db15301e1d020e0792e55f6263dfdec95a23271712be402581a346f77d1375e95dfa597db5a14

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3269a34b22e84c998610a002412093c
SHA1 97ba8473c108eccbdee9688e2cab0a12e68d1d61
SHA256 0a2649fc887dc77234f328e7fbc28e00bf7567b1c4898830815c1b6f884da13b
SHA512 f2c62aac6d195c76e305093e6e7bfbf3d21c4bb781d0b156c4b0fe8df47e1c0ceeedd8d812a611ee6bcca654366ca340249cbeb64816e399b506744dde06de52

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7f590f4794ecc0041b56194449382fd
SHA1 d1bffc6aa04e87d8b93ecd3bae25f53a09450805
SHA256 4b62e1e9e11c6287ab936269bfc61446e050cdfaac66fd0089efd2b235359b73
SHA512 8c240508a03fc51b80098ca1d955c545e4150b7c7db4c8ec7cbc887623bc628ab84941872a70d780395d1c6a0b794605199ef2121fb76f587bb38716e1af2e84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3be807bac9210789fd08e6ba89443094
SHA1 aaaba7de1aed82ee05da0aa159a9b40da5cedfd9
SHA256 f9d0b426c308f9a008203c999216f62cfbc29ac67b2a0112629e0b6c573977e1
SHA512 aca1e8b125a7b48999ba524a41c040c142d436b63fa93d6fc95f362bb63e72b29754930fb2aea1c816127a088899dc4f0358d7615a865016ab49010498cdd038

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 649755e8de8d2f186284359ff4e460ae
SHA1 366ba2fa5bb4daa877aa7934f1278d1c9f6f3138
SHA256 56a23e697c0ddd41415e6fdc04471d56718aed4273803d441c384966174f9278
SHA512 d2c153459ad582b6dbe8d6c4061300bd5864f4525d80497bdbdab6b87cee87222ef1904e6fa7961a3e7460a82b3dd3a35f257a1c15e4051feb1b57a4f2124b69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 50ee3cd7896e06479f6f6466c6e8e6ac
SHA1 35b3d5d050fe45ca6a95a8c14e0f304b34c85a7b
SHA256 993da83551f8ce6270c0469f8d2aa4c63422b3b5ac7c5c6a27ee4fa06b976fff
SHA512 8c1dd02dc5b79101e81a5756d318a6a5ee24697c6eaca750fe391c486f2ea18666a0756a42295868fec7088e3b94f92511d572a0aa020bb723178c46271436a9