Malware Analysis Report

2025-01-02 09:14

Sample ID 231004-wn2scadg2s
Target 831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe
SHA256 831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf
Tags
upx amadey danabot fabookie glupteba vidar 4841d6b1839c4fa7c20ecc420b82b347 banker dropper evasion loader spyware stealer trojan xmrig discovery miner persistence
score
10/10

Analysis Overview

Threat Level: Known bad

The file 831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe was found to be: Known bad.

Malicious Activity Summary

xmrig

Detect Fabookie payload

Amadey

Danabot

Glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar

Fabookie

Glupteba payload

UAC bypass

XMRig Miner payload

Modifies boot configuration data using bcdedit

Drops file in Drivers directory

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Downloads MZ/PE file

Stops running service(s)

Checks computer location settings

.NET Reactor protector

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

UPX packed file

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Checks system information in the registry

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

System policy modification

Kills process with taskkill

Modifies system certificate store

Analysis: static1

Detonation Overview

Reported

2023-10-04 18:04

Signatures

UPX packed file

upx

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-04 18:04

Reported

2023-10-04 18:07

Platform

win7-20230831-en

Max time kernel

26s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe"

Signatures

Amadey

trojan amadey

Danabot

trojan banker danabot

Detect Fabookie payload

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe N/A

Vidar

stealer vidar

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

.NET Reactor protector

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2v4drMMSkETiwq57zGpd7XXQ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BrJkil6eYnlt68JD3EYECKum.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aVQ82suo4FMcXkqivIWjl6WO.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gv3BeH4TaJXfOM0srRid0bXZ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xGos7tly5oGPz3iDYIMaOw4W.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HG6xyXNcFffL3OdGGnyGLyg2.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XzT4xKBd9CJb6Sz58VezZdNx.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VgijeVxDCXAiHtRX2DkOcEWB.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S23VfXkTCIqoBxkkRWmgie7P.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2rAzVxaAMRarsdEXXbN5A5sW.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H8cGdqvoe5vYON1GyRC2Ic3f.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Users\Admin\Pictures\dPlggHqYgZRFtzw017p9rOF3.exe N/A
N/A N/A C:\Users\Admin\Pictures\RsTsQ59V8FhMmA54jLWI07SJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\hebc42jdrZPBhbTOd3bCl39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BV588.tmp\RsTsQ59V8FhMmA54jLWI07SJ.tmp N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2732 wrote to memory of 836 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\dPlggHqYgZRFtzw017p9rOF3.exe
PID 2732 wrote to memory of 1688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\18POJgKPKrnvNNqTN8fogNDK.exe
PID 2732 wrote to memory of 1164 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\grqoGfbHvcE8pNDwgrNSyLtl.exe
PID 2732 wrote to memory of 828 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\RsTsQ59V8FhMmA54jLWI07SJ.exe
PID 2732 wrote to memory of 2036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\hqlyz2UL2HqtVWvgN0EXwHcU.exe
PID 2732 wrote to memory of 2004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\SPBHthQpC33nUBls9v2Bxyhl.exe
PID 2732 wrote to memory of 364 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\hebc42jdrZPBhbTOd3bCl39f.exe
PID 2732 wrote to memory of 868 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\OQhqu9uibkjxq4EWfbvZ8iOo.exe
PID 836 wrote to memory of 1600 N/A C:\Users\Admin\Pictures\dPlggHqYgZRFtzw017p9rOF3.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 828 wrote to memory of 1748 N/A C:\Users\Admin\Pictures\RsTsQ59V8FhMmA54jLWI07SJ.exe C:\Users\Admin\AppData\Local\Temp\is-BV588.tmp\RsTsQ59V8FhMmA54jLWI07SJ.tmp

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe

"C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\Pictures\dPlggHqYgZRFtzw017p9rOF3.exe

"C:\Users\Admin\Pictures\dPlggHqYgZRFtzw017p9rOF3.exe"

C:\Users\Admin\Pictures\18POJgKPKrnvNNqTN8fogNDK.exe

"C:\Users\Admin\Pictures\18POJgKPKrnvNNqTN8fogNDK.exe"

C:\Users\Admin\Pictures\grqoGfbHvcE8pNDwgrNSyLtl.exe

"C:\Users\Admin\Pictures\grqoGfbHvcE8pNDwgrNSyLtl.exe"

C:\Users\Admin\Pictures\RsTsQ59V8FhMmA54jLWI07SJ.exe

"C:\Users\Admin\Pictures\RsTsQ59V8FhMmA54jLWI07SJ.exe"

C:\Users\Admin\Pictures\hebc42jdrZPBhbTOd3bCl39f.exe

"C:\Users\Admin\Pictures\hebc42jdrZPBhbTOd3bCl39f.exe" --silent --allusers=0

C:\Users\Admin\Pictures\OQhqu9uibkjxq4EWfbvZ8iOo.exe

"C:\Users\Admin\Pictures\OQhqu9uibkjxq4EWfbvZ8iOo.exe"

C:\Users\Admin\AppData\Local\Temp\is-BV588.tmp\RsTsQ59V8FhMmA54jLWI07SJ.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BV588.tmp\RsTsQ59V8FhMmA54jLWI07SJ.tmp" /SL5="$60126,491750,408064,C:\Users\Admin\Pictures\RsTsQ59V8FhMmA54jLWI07SJ.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\Pictures\SPBHthQpC33nUBls9v2Bxyhl.exe

"C:\Users\Admin\Pictures\SPBHthQpC33nUBls9v2Bxyhl.exe"

C:\Users\Admin\Pictures\mHtevgdjCHo0cC62dkYxwCXo.exe

"C:\Users\Admin\Pictures\mHtevgdjCHo0cC62dkYxwCXo.exe"

C:\Users\Admin\Pictures\hqlyz2UL2HqtVWvgN0EXwHcU.exe

"C:\Users\Admin\Pictures\hqlyz2UL2HqtVWvgN0EXwHcU.exe"

C:\Users\Admin\Pictures\xHUn3rRmprOnIedS2oWaMrFe.exe

"C:\Users\Admin\Pictures\xHUn3rRmprOnIedS2oWaMrFe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\is-CLEPK.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-CLEPK.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files\DVD Maker\JYUHIBMPKW\lightcleaner.exe

"C:\Program Files\DVD Maker\JYUHIBMPKW\lightcleaner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\35-4cea9-d31-26dbf-81d5fe71d6bf9\Jarujavaewu.exe

"C:\Users\Admin\AppData\Local\Temp\35-4cea9-d31-26dbf-81d5fe71d6bf9\Jarujavaewu.exe"

C:\Users\Admin\AppData\Local\Temp\is-8LS29.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8LS29.tmp\lightcleaner.tmp" /SL5="$601A8,833775,56832,C:\Program Files\DVD Maker\JYUHIBMPKW\lightcleaner.exe" /VERYSILENT

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 392

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231004180536.log C:\Windows\Logs\CBS\CbsPersist_20231004180536.cab

C:\Users\Admin\Pictures\grqoGfbHvcE8pNDwgrNSyLtl.exe

"C:\Users\Admin\Pictures\grqoGfbHvcE8pNDwgrNSyLtl.exe"

C:\Users\Admin\Pictures\OQhqu9uibkjxq4EWfbvZ8iOo.exe

"C:\Users\Admin\Pictures\OQhqu9uibkjxq4EWfbvZ8iOo.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1793465591.exe"

C:\Users\Admin\AppData\Local\Temp\1793465591.exe

"C:\Users\Admin\AppData\Local\Temp\1793465591.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "18POJgKPKrnvNNqTN8fogNDK.exe" /f & erase "C:\Users\Admin\Pictures\18POJgKPKrnvNNqTN8fogNDK.exe" & exit

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "18POJgKPKrnvNNqTN8fogNDK.exe" /f

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {7C75582D-C3C8-439E-B3FF-4416DB6EB8FC} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]

C:\Windows\syswow64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\1793465591.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files

memory/2064-0-0x000000013FB80000-0x000000013FF5E000-memory.dmp

memory/2600-5-0x000000001B340000-0x000000001B622000-memory.dmp

memory/2600-6-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

memory/2600-7-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

memory/2600-8-0x0000000002580000-0x0000000002600000-memory.dmp

memory/2600-9-0x0000000002580000-0x0000000002600000-memory.dmp

memory/2600-10-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

memory/2600-11-0x0000000002580000-0x0000000002600000-memory.dmp

memory/2600-14-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

memory/2064-17-0x0000000076D70000-0x0000000076F19000-memory.dmp

memory/2064-16-0x000000013FB80000-0x000000013FF5E000-memory.dmp

memory/2732-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2732-15-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2732-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2064-12-0x0000000076D70000-0x0000000076F19000-memory.dmp

memory/2732-20-0x0000000073E60000-0x000000007454E000-memory.dmp

memory/2732-21-0x0000000004DD0000-0x0000000004E10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab57C3.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar5804.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 08ee9bebc8d0b840bec8d23063558975
SHA1 1adf58010858327b9078f562b6a81081722f3d1d
SHA256 2422c9b12984c2b79532a1a201e2f665dc354bbe342bc738c0aaf9d85c622ccb
SHA512 e905dd94e69de9cd5944ea779daaf37aa449cc723cac8de77b3c540d3a043979c92a90c645f55012611c373e0843e76f1fd31090b8e25431690a513c8615433b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 5ce6b875872c94ccb739969f13ac8330
SHA1 47ae17e71ad53bd180a663de7128606671a44920
SHA256 830ea16b4f2dd93d886163815efb4aa8b47ca564ca68fe26208cef49efaab801
SHA512 fff85eba5ffd00886d94c4e0a282467058f71d2c1255c6fd719816dbfd23b5d8f26baf18646de659b00278acac76ce15c1e35a152af77d37437d58510c4fc157

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 d4ae187b4574036c2d76b6df8a8c1a30
SHA1 b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256 a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA512 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 674354a3aaa74e3fbb7b08b46db1bc51
SHA1 91688737011b08cc04c8a899ec4ae3fb8d1bd282
SHA256 2f97bfb53df9cb2593549888985b044e4235dcae66fe70a2e3559253c25853ac
SHA512 0136d41cd44892b75c4598955a881f8eb44d21764b666dbce06865f8d95636e6f03eec634fa667b9a8db470b19555625a0ada8e050d3a8fc1ae107e5aa413938

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15775572ec012ee57f8e3b5ceb940b7a
SHA1 71fba8a4fa9dcb795275ab2084295003adbb3f58
SHA256 220e63a25e0bbe5b1b31244d1b091fb22a06e771fb1747b0c30b363f65379455
SHA512 642ed9bac1edd0af2296855ea7107b49ef31b7bfced32947a6e7d40d92744c006752bd1c978be53b7c54c7f8f3fe3a0f49f370fddd5e670640ab0f6c4bcb1fa1

\Users\Admin\Pictures\dPlggHqYgZRFtzw017p9rOF3.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\dPlggHqYgZRFtzw017p9rOF3.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\Pictures\RsTsQ59V8FhMmA54jLWI07SJ.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

\Users\Admin\Pictures\grqoGfbHvcE8pNDwgrNSyLtl.exe

MD5 73f34e79aa511ce95baceb7f50e62057
SHA1 8824ee7b75cb26c6d2e942a3cf249b430f640df0
SHA256 f98f673388c81128af080e82fcbb5bfa9a542f82e6c7d33feb114402a314bcad
SHA512 0b66b5c97c876612d317f6bbbcb7052bd5db5d26b3011640e14d312b0f4d5294d596449f81fb456af01093403c389cc16b216e823b1f8d153a92c8cc998700ce

memory/1164-229-0x00000000025B0000-0x00000000029A8000-memory.dmp

\Users\Admin\Pictures\18POJgKPKrnvNNqTN8fogNDK.exe

MD5 1c7175316b4cef5d06929b6908f420b1
SHA1 03fb9f6b311e4b14dbfd9e75dd7312927e65c139
SHA256 6d0d0bfb0234dfe8b53845a003af0e8dc32f3be55a93a5a0ac7850f24c6df80a
SHA512 13160ca4b9c01884800d0af0b985c7f6a2a5fa5e8648f7db1663291b0ee835c6d5a9bf1e821ab45ada7828cbe9abe807c776453757383f226c97e92fde2f51ae

C:\Users\Admin\Pictures\grqoGfbHvcE8pNDwgrNSyLtl.exe

MD5 73f34e79aa511ce95baceb7f50e62057
SHA1 8824ee7b75cb26c6d2e942a3cf249b430f640df0
SHA256 f98f673388c81128af080e82fcbb5bfa9a542f82e6c7d33feb114402a314bcad
SHA512 0b66b5c97c876612d317f6bbbcb7052bd5db5d26b3011640e14d312b0f4d5294d596449f81fb456af01093403c389cc16b216e823b1f8d153a92c8cc998700ce

\Users\Admin\Pictures\grqoGfbHvcE8pNDwgrNSyLtl.exe

MD5 73f34e79aa511ce95baceb7f50e62057
SHA1 8824ee7b75cb26c6d2e942a3cf249b430f640df0
SHA256 f98f673388c81128af080e82fcbb5bfa9a542f82e6c7d33feb114402a314bcad
SHA512 0b66b5c97c876612d317f6bbbcb7052bd5db5d26b3011640e14d312b0f4d5294d596449f81fb456af01093403c389cc16b216e823b1f8d153a92c8cc998700ce

C:\Users\Admin\Pictures\18POJgKPKrnvNNqTN8fogNDK.exe

MD5 1c7175316b4cef5d06929b6908f420b1
SHA1 03fb9f6b311e4b14dbfd9e75dd7312927e65c139
SHA256 6d0d0bfb0234dfe8b53845a003af0e8dc32f3be55a93a5a0ac7850f24c6df80a
SHA512 13160ca4b9c01884800d0af0b985c7f6a2a5fa5e8648f7db1663291b0ee835c6d5a9bf1e821ab45ada7828cbe9abe807c776453757383f226c97e92fde2f51ae

\Users\Admin\Pictures\18POJgKPKrnvNNqTN8fogNDK.exe

MD5 1c7175316b4cef5d06929b6908f420b1
SHA1 03fb9f6b311e4b14dbfd9e75dd7312927e65c139
SHA256 6d0d0bfb0234dfe8b53845a003af0e8dc32f3be55a93a5a0ac7850f24c6df80a
SHA512 13160ca4b9c01884800d0af0b985c7f6a2a5fa5e8648f7db1663291b0ee835c6d5a9bf1e821ab45ada7828cbe9abe807c776453757383f226c97e92fde2f51ae

C:\Users\Admin\Pictures\dPlggHqYgZRFtzw017p9rOF3.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\grqoGfbHvcE8pNDwgrNSyLtl.exe

MD5 73f34e79aa511ce95baceb7f50e62057
SHA1 8824ee7b75cb26c6d2e942a3cf249b430f640df0
SHA256 f98f673388c81128af080e82fcbb5bfa9a542f82e6c7d33feb114402a314bcad
SHA512 0b66b5c97c876612d317f6bbbcb7052bd5db5d26b3011640e14d312b0f4d5294d596449f81fb456af01093403c389cc16b216e823b1f8d153a92c8cc998700ce

C:\Users\Admin\Pictures\RsTsQ59V8FhMmA54jLWI07SJ.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\RsTsQ59V8FhMmA54jLWI07SJ.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\18POJgKPKrnvNNqTN8fogNDK.exe

MD5 1c7175316b4cef5d06929b6908f420b1
SHA1 03fb9f6b311e4b14dbfd9e75dd7312927e65c139
SHA256 6d0d0bfb0234dfe8b53845a003af0e8dc32f3be55a93a5a0ac7850f24c6df80a
SHA512 13160ca4b9c01884800d0af0b985c7f6a2a5fa5e8648f7db1663291b0ee835c6d5a9bf1e821ab45ada7828cbe9abe807c776453757383f226c97e92fde2f51ae

C:\Users\Admin\Pictures\dPlggHqYgZRFtzw017p9rOF3.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\hqlyz2UL2HqtVWvgN0EXwHcU.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\SPBHthQpC33nUBls9v2Bxyhl.exe

MD5 abaf32bc252ee749d515445ca119eba5
SHA1 cad9934e6c68bd6e483b0363eee8e76ddc9c95de
SHA256 ba742938e7ea66c99fa579563aafdc0c0d5a8e8d9f3d5f736aa21a3d493fcf6a
SHA512 4651fbbc7dcce9be524e9939bec773f11a470beaf098ebfd9d4216567a4078a6f735d4aea3a1d9e4951720fc3c4c6d711791f32d683ea66e2b4234608024fb58

C:\Users\Admin\Pictures\SPBHthQpC33nUBls9v2Bxyhl.exe

MD5 abaf32bc252ee749d515445ca119eba5
SHA1 cad9934e6c68bd6e483b0363eee8e76ddc9c95de
SHA256 ba742938e7ea66c99fa579563aafdc0c0d5a8e8d9f3d5f736aa21a3d493fcf6a
SHA512 4651fbbc7dcce9be524e9939bec773f11a470beaf098ebfd9d4216567a4078a6f735d4aea3a1d9e4951720fc3c4c6d711791f32d683ea66e2b4234608024fb58

memory/828-263-0x0000000000400000-0x000000000046A000-memory.dmp

\Users\Admin\Pictures\SPBHthQpC33nUBls9v2Bxyhl.exe

MD5 abaf32bc252ee749d515445ca119eba5
SHA1 cad9934e6c68bd6e483b0363eee8e76ddc9c95de
SHA256 ba742938e7ea66c99fa579563aafdc0c0d5a8e8d9f3d5f736aa21a3d493fcf6a
SHA512 4651fbbc7dcce9be524e9939bec773f11a470beaf098ebfd9d4216567a4078a6f735d4aea3a1d9e4951720fc3c4c6d711791f32d683ea66e2b4234608024fb58

C:\Users\Admin\Pictures\RsTsQ59V8FhMmA54jLWI07SJ.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

\Users\Admin\Pictures\hebc42jdrZPBhbTOd3bCl39f.exe

MD5 688e00cc7d1b38d878edc5638d6dec7e
SHA1 4fb2fb755144ec40a11686ea1fb72a2f7ee4ec6b
SHA256 07756c7eb7652265ec746c1218eeb43089c5853964040238a572c0ded6b023f1
SHA512 011e0c1fda04e206de44aff5dc38f731a9056613158a427c648ac7e48dda4bc946bfd3181e973ade60b66f527a122f7a8892e661db85d271a999ebac61f61262

C:\Users\Admin\Pictures\hebc42jdrZPBhbTOd3bCl39f.exe

MD5 688e00cc7d1b38d878edc5638d6dec7e
SHA1 4fb2fb755144ec40a11686ea1fb72a2f7ee4ec6b
SHA256 07756c7eb7652265ec746c1218eeb43089c5853964040238a572c0ded6b023f1
SHA512 011e0c1fda04e206de44aff5dc38f731a9056613158a427c648ac7e48dda4bc946bfd3181e973ade60b66f527a122f7a8892e661db85d271a999ebac61f61262

memory/2732-274-0x000000000A4A0000-0x000000000A9ED000-memory.dmp

C:\Users\Admin\Pictures\hebc42jdrZPBhbTOd3bCl39f.exe

MD5 688e00cc7d1b38d878edc5638d6dec7e
SHA1 4fb2fb755144ec40a11686ea1fb72a2f7ee4ec6b
SHA256 07756c7eb7652265ec746c1218eeb43089c5853964040238a572c0ded6b023f1
SHA512 011e0c1fda04e206de44aff5dc38f731a9056613158a427c648ac7e48dda4bc946bfd3181e973ade60b66f527a122f7a8892e661db85d271a999ebac61f61262

\Users\Admin\Pictures\SPBHthQpC33nUBls9v2Bxyhl.exe

MD5 abaf32bc252ee749d515445ca119eba5
SHA1 cad9934e6c68bd6e483b0363eee8e76ddc9c95de
SHA256 ba742938e7ea66c99fa579563aafdc0c0d5a8e8d9f3d5f736aa21a3d493fcf6a
SHA512 4651fbbc7dcce9be524e9939bec773f11a470beaf098ebfd9d4216567a4078a6f735d4aea3a1d9e4951720fc3c4c6d711791f32d683ea66e2b4234608024fb58

memory/2732-279-0x0000000073E60000-0x000000007454E000-memory.dmp

C:\Users\Admin\Pictures\OQhqu9uibkjxq4EWfbvZ8iOo.exe

MD5 20c7fc8e1395597d37da31b8b42dd889
SHA1 f7761976e5e99ddbd188d1517a5bd472c65a310b
SHA256 f6037cd5d501ac9605b6449d78b4c11ff6ed08feaf232563a049b0607a9950cc
SHA512 1fb39d5ff86a66615b4dfdb2191afb710cb41626edef6d45828bc8f2dd305362747583462188d03fdba6afe1d2d3d2a4645b8539401254a29557bd05788bca27

memory/364-287-0x0000000000030000-0x000000000057D000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-BV588.tmp\RsTsQ59V8FhMmA54jLWI07SJ.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

memory/868-288-0x00000000026D0000-0x0000000002AC8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\OQhqu9uibkjxq4EWfbvZ8iOo.exe

MD5 20c7fc8e1395597d37da31b8b42dd889
SHA1 f7761976e5e99ddbd188d1517a5bd472c65a310b
SHA256 f6037cd5d501ac9605b6449d78b4c11ff6ed08feaf232563a049b0607a9950cc
SHA512 1fb39d5ff86a66615b4dfdb2191afb710cb41626edef6d45828bc8f2dd305362747583462188d03fdba6afe1d2d3d2a4645b8539401254a29557bd05788bca27

C:\Users\Admin\AppData\Local\Temp\is-BV588.tmp\RsTsQ59V8FhMmA54jLWI07SJ.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

\Users\Admin\Pictures\OQhqu9uibkjxq4EWfbvZ8iOo.exe

MD5 20c7fc8e1395597d37da31b8b42dd889
SHA1 f7761976e5e99ddbd188d1517a5bd472c65a310b
SHA256 f6037cd5d501ac9605b6449d78b4c11ff6ed08feaf232563a049b0607a9950cc
SHA512 1fb39d5ff86a66615b4dfdb2191afb710cb41626edef6d45828bc8f2dd305362747583462188d03fdba6afe1d2d3d2a4645b8539401254a29557bd05788bca27

\Users\Admin\Pictures\OQhqu9uibkjxq4EWfbvZ8iOo.exe

MD5 20c7fc8e1395597d37da31b8b42dd889
SHA1 f7761976e5e99ddbd188d1517a5bd472c65a310b
SHA256 f6037cd5d501ac9605b6449d78b4c11ff6ed08feaf232563a049b0607a9950cc
SHA512 1fb39d5ff86a66615b4dfdb2191afb710cb41626edef6d45828bc8f2dd305362747583462188d03fdba6afe1d2d3d2a4645b8539401254a29557bd05788bca27

\Users\Admin\Pictures\hqlyz2UL2HqtVWvgN0EXwHcU.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

\Users\Admin\Pictures\mHtevgdjCHo0cC62dkYxwCXo.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

\Users\Admin\AppData\Local\Temp\Opera_installer_231004180510863364.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/2732-303-0x0000000004DD0000-0x0000000004E10000-memory.dmp

C:\Users\Admin\Pictures\mHtevgdjCHo0cC62dkYxwCXo.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\xHUn3rRmprOnIedS2oWaMrFe.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\mHtevgdjCHo0cC62dkYxwCXo.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\xHUn3rRmprOnIedS2oWaMrFe.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/2636-313-0x0000000073E60000-0x000000007454E000-memory.dmp

memory/2728-314-0x00000000FF050000-0x00000000FF13C000-memory.dmp

\Users\Admin\Pictures\xHUn3rRmprOnIedS2oWaMrFe.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\mHtevgdjCHo0cC62dkYxwCXo.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

\Users\Admin\Pictures\xHUn3rRmprOnIedS2oWaMrFe.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/2636-315-0x0000000001250000-0x000000000156C000-memory.dmp

memory/1748-316-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-CLEPK.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-CLEPK.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\AppData\Local\Temp\is-CLEPK.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/828-328-0x0000000000400000-0x000000000046A000-memory.dmp

memory/2732-329-0x000000000A4A0000-0x000000000A9ED000-memory.dmp

memory/2636-330-0x0000000005D80000-0x0000000005DC0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c26dad55fcf91aecb8de6d1b354a8845
SHA1 2fbf90907361657d1e8bba240e12702e4063d1a6
SHA256 3c00b5ceb3e7fba73f40a108769eab4cfbf248febad3aabc8f1e5f2b72c1da04
SHA512 0d3e1784c89a0d0cc949026a25c570680ded1d91d43c47ffbbd1ca5742710df347f86a1abb3ba16e31da8dd51de24742fbfec7d915f36ce20ad1e9a95d2fbde9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd015483628048ab41ed62fa40edc9c4
SHA1 07d42142be13f26206307d710e4bb6a63b68b07c
SHA256 09691f9ca36e8626167c0d51014613e150b593c86b40f8572066063a3802c469
SHA512 b05e61f018989fe5503a7b9ab20316a3b3d062fcb24ab442a6c22764ffbb28f71e27ab0e509e82d9f431ae6009e5e5c5236bcebfaa5bf2dd3080ce497c6f4946

memory/828-360-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 133722fb5d2b10e2fe1be434681597bd
SHA1 5a3da129af51aadd13a8fe82149c5c564bd1ab8f
SHA256 faf0dec3aa509fd8f4b67007bd664d5ab95e4c6f5ff6e6bcaa20cfa4f97a339d
SHA512 eeb8a5bcb1af73a356721334aa48067e4408abe07ebb33df9938cced6cc504fe9e4354179ab06e20579897646b37c0c6ae34354848b4cf9ba80a2b2cd7bcb675

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 cfe42fb539635566f925adc4471f1f92
SHA1 6931687c3b13dfe110f23cb85da16019ea296031
SHA256 d2860ab8df16926b9353f372ec8ac3b56fcaf7eaa65b9d1d9fab0afbad86fdc7
SHA512 0b917d9f2875035f33e7b6d70c2a42cd16d7c5bdb44861f7f2a6f1aed71e35704fa4e103cd25342c6d2ca552a20b4b6c24c9c1989616ad3238e9d946d7f04ed1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db4af3394a99048935a4fdadae8a9b1c
SHA1 627dd95c346117403a5cf2fb50465c9ccb2dd42d
SHA256 d4eab14b7fc004d10dcc5e51c8b7292c60e52a1f368ce9688f6cac12eb6d72c4
SHA512 d3705f0683953feff1217bf644bfc7d1e0f5add35834bcbe8af41eb1e27ba0d46210e52f3ed75fcb7732801e52beb3233d18546ebf5334c9669d331e8232d582

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c0a52c097459c587818b83128a90bc2
SHA1 0a75ef3c2b854e565a24ecd57d4b3aa8f2ae50d6
SHA256 277a04759abd5c1a4bbb29fe1b5280695dc5bc3214ca058f632ba799e717fd4f
SHA512 065d038208dd491cde15ff540f0e0c4fb37f6931ad3a7cc9dfbc92d93eb7c60d743272142d5b8e1a6d0621de98fb976b7c3b3c8581540ec8e9331a81f26ed7bc

C:\Users\Admin\AppData\Local\Temp\072593121573

MD5 263724363b231efa4ab2604970023ece
SHA1 4f61d056ca62a574c77d18355cd5eeb9d70981a5
SHA256 4bb2073321d108404c7e58040434758c2143eb64718eec797bb3eca0ea6e3639
SHA512 005f6c76aa79f33d7e236ad3624078c900e0ff73d961fe4d6e6d38c4f3bc90c3c971a94542acb2ca688ea067bc79d399c00a526cc19d9305ba46f604d7b65682

C:\Users\Admin\AppData\Local\Temp\is-CLEPK.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

\Users\Admin\AppData\Local\Temp\is-CLEPK.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Local\Temp\is-CLEPK.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/2036-429-0x000000013F4A0000-0x000000013F9E3000-memory.dmp

memory/1536-430-0x0000000000100000-0x0000000000184000-memory.dmp

memory/1536-431-0x00000000007F0000-0x0000000000852000-memory.dmp

memory/1536-432-0x000007FEF51B0000-0x000007FEF5B9C000-memory.dmp

memory/2636-436-0x0000000005D80000-0x0000000005DC0000-memory.dmp

memory/2728-437-0x0000000003200000-0x0000000003371000-memory.dmp

memory/2728-438-0x0000000003380000-0x00000000034B1000-memory.dmp

memory/2636-439-0x0000000073E60000-0x000000007454E000-memory.dmp

memory/1748-440-0x0000000000400000-0x0000000000513000-memory.dmp

memory/1536-441-0x000000001AF80000-0x000000001B000000-memory.dmp

memory/1536-442-0x0000000002010000-0x000000000206E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d986dee3f9ae5d55bc279faefed16e0
SHA1 6ec29be67bb0168db2e5d2ba9251f4405cf23e88
SHA256 0f52cc401ee91423f612cfbf90b22866919598eaa16612ffd1a28727609002c6
SHA512 feb0d6b6063859563fb3a0d44d816151cfe5a9245c23ae4923439a4e1d287e77f7abb13e0eba4c3ba11b8f63e4004d937d85d4edf5b4c018eb7e3aea30997621

\Users\Admin\Pictures\Opera_installer_231004180523733364.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c50f544660fac85cdf6db6473f430188
SHA1 25bf0f0c202953da7e1adc6135edfc6feff5257a
SHA256 7144bda2a4c6882d582d8594995b0a5c309676e00387dad953398037c2bc16a1
SHA512 d51378190e2fede1abec453f31c125418ef543146f4bf4c11da340b45c7aaa7bc7d544771ba01a1ab7ee35e545406ae29cee35ff49e8b9cba4dc5501a5166acc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 992399e02e045a0aa9f88f49833f8e9b
SHA1 1c091df3dbed84d0c3b03d355aa36bb2b895d687
SHA256 233ecff397a59e0a4cf3e18070eef9163b848634ffb4e443df6f6029026962f1
SHA512 f0ceeca5109d24f41fa075203836d99883a21bfdf35273efc9dff486aaba1ba6f2e3711a94b74cedb737f626ebb866e46ebf7b32bdd3597e7240eae9841d4ac5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4NT35UGJJEI9YYN86MRC.temp

MD5 992399e02e045a0aa9f88f49833f8e9b
SHA1 1c091df3dbed84d0c3b03d355aa36bb2b895d687
SHA256 233ecff397a59e0a4cf3e18070eef9163b848634ffb4e443df6f6029026962f1
SHA512 f0ceeca5109d24f41fa075203836d99883a21bfdf35273efc9dff486aaba1ba6f2e3711a94b74cedb737f626ebb866e46ebf7b32bdd3597e7240eae9841d4ac5

memory/2608-559-0x000000001B180000-0x000000001B462000-memory.dmp

memory/1748-558-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2608-560-0x0000000001F10000-0x0000000001F18000-memory.dmp

memory/2608-563-0x000007FEEDB60000-0x000007FEEE4FD000-memory.dmp

memory/2608-576-0x0000000002490000-0x0000000002510000-memory.dmp

memory/2608-577-0x000007FEEDB60000-0x000007FEEE4FD000-memory.dmp

C:\Program Files\DVD Maker\JYUHIBMPKW\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

memory/1224-593-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2608-598-0x0000000002490000-0x0000000002510000-memory.dmp

memory/1224-601-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2608-602-0x0000000002490000-0x0000000002510000-memory.dmp

memory/2608-590-0x0000000002490000-0x0000000002510000-memory.dmp

memory/2636-592-0x0000000005D80000-0x0000000005DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\35-4cea9-d31-26dbf-81d5fe71d6bf9\Jarujavaewu.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\35-4cea9-d31-26dbf-81d5fe71d6bf9\Jarujavaewu.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

memory/2608-651-0x000007FEEDB60000-0x000007FEEE4FD000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-8LS29.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

C:\Users\Admin\AppData\Local\Temp\is-8LS29.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

\Users\Admin\AppData\Local\Temp\is-22EGV.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1536-665-0x000007FEF51B0000-0x000007FEF5B9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-22EGV.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/972-658-0x000000006C800000-0x000000006CDAB000-memory.dmp

memory/972-667-0x0000000001F90000-0x0000000001FD0000-memory.dmp

memory/972-679-0x000000006C800000-0x000000006CDAB000-memory.dmp

memory/2132-680-0x0000000000240000-0x0000000000241000-memory.dmp

\Program Files (x86)\LightCleaner\LightCleaner.exe

MD5 b1c46e53e92ce5c1b673a60b2db081ac
SHA1 6ef5e9f1ee2f0a325c43c2d92447310097f9f5b3
SHA256 ef4b529c5f506bf8a58522aed1e5ae7ebfec2155130e90bd92f9403883046489
SHA512 a6708c915b68cabc62b8a356c91e1e4d8facd5b5c28050d39dd8c0486d0e84440d6f75b4bdd78c348d44138a1686b152f6042fdaae0f5d0fce3a31aa5b9b46a5

memory/2728-686-0x0000000003380000-0x00000000034B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\35-4cea9-d31-26dbf-81d5fe71d6bf9\Jarujavaewu.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

memory/2636-682-0x0000000005D80000-0x0000000005DC0000-memory.dmp

memory/2036-693-0x000000013F4A0000-0x000000013F9E3000-memory.dmp

memory/2132-694-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1748-698-0x0000000000400000-0x0000000000513000-memory.dmp

memory/2004-701-0x0000000000660000-0x0000000000760000-memory.dmp

memory/2004-702-0x00000000002C0000-0x0000000000311000-memory.dmp

memory/828-704-0x0000000000400000-0x000000000046A000-memory.dmp

memory/1224-700-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2004-705-0x0000000000400000-0x00000000005C7000-memory.dmp

memory/2616-707-0x0000000002520000-0x0000000002521000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/2036-710-0x000000013F4A0000-0x000000013F9E3000-memory.dmp

memory/972-759-0x000000006C800000-0x000000006CDAB000-memory.dmp

memory/868-760-0x00000000026D0000-0x0000000002AC8000-memory.dmp

memory/1164-761-0x00000000029B0000-0x000000000329B000-memory.dmp

memory/972-762-0x0000000001F90000-0x0000000001FD0000-memory.dmp

memory/868-763-0x0000000000400000-0x0000000000D66000-memory.dmp

memory/1164-764-0x00000000025B0000-0x00000000029A8000-memory.dmp

memory/1164-765-0x0000000000400000-0x0000000000D66000-memory.dmp

memory/2004-780-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\20721200960305538931861414

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

memory/2004-816-0x0000000000400000-0x00000000005C7000-memory.dmp

memory/1688-818-0x0000000000400000-0x00000000005BD000-memory.dmp

memory/1164-820-0x0000000000400000-0x0000000000D66000-memory.dmp

memory/3040-823-0x0000000002550000-0x0000000002948000-memory.dmp

memory/3032-824-0x0000000002750000-0x0000000002B48000-memory.dmp

memory/1164-825-0x0000000000400000-0x0000000000D66000-memory.dmp

memory/868-826-0x0000000000400000-0x0000000000D66000-memory.dmp

memory/364-829-0x0000000000030000-0x000000000057D000-memory.dmp

memory/2448-831-0x000000013FC40000-0x0000000140183000-memory.dmp

memory/1400-848-0x00000000023E0000-0x0000000002844000-memory.dmp

memory/1688-860-0x0000000000400000-0x00000000005BD000-memory.dmp

memory/2432-864-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/2448-865-0x000000013FC40000-0x0000000140183000-memory.dmp

memory/1400-924-0x0000000000400000-0x0000000000A00000-memory.dmp

memory/1400-925-0x00000000035C0000-0x0000000003DB2000-memory.dmp

memory/1400-927-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/1400-929-0x0000000003FC0000-0x0000000004100000-memory.dmp

memory/1400-931-0x0000000003FC0000-0x0000000004100000-memory.dmp

memory/1400-932-0x0000000000330000-0x0000000000331000-memory.dmp

memory/3040-930-0x0000000000400000-0x0000000000D66000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-04 18:04

Reported

2023-10-04 18:07

Platform

win10v2004-20230915-en

Max time kernel

73s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-434U4.tmp\8758677____.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\TlK7UbviUmEIdGrohp877QPd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-434U4.tmp\8758677____.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LuagND1HddSaGm1I5i7DGTfc.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tJKJVkT6BW1YCgPkpACNDdcq.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SuVTBcxXJrme9065wdWVRCaN.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vsylEdQCWqeI0v91DzyUGRVq.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n8cJNtUrZ1wyhvqkXuei7XYe.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec7Meoa72EgUKLXhkP8XO6Uj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kEf2FlqYrhN2kpZgKczIY17J.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JygwonIPj7HoEyMcOzrUdp57.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rB2ksK0BnonigkPVSBJf5Tna.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gOQaOMp0SxkEdJfAt2x1gfll.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O2gbCQQULZl7S3CAopLiDBi3.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\TlK7UbviUmEIdGrohp877QPd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Windows\System32\powercfg.exe N/A
N/A N/A C:\Users\Admin\Pictures\mG8DAgtkavYjE40tHMiroqJS.exe N/A
N/A N/A C:\Users\Admin\Pictures\OJv0Bu7XXb7mLxAG5DIvMpRX.exe N/A
N/A N/A C:\Users\Admin\Pictures\Zt76iCVCGtGGb3EN6rtQsRQd.exe N/A
N/A N/A C:\Users\Admin\Pictures\LaYtv6w66qy0v3ipxALm7OiT.exe N/A
N/A N/A C:\Users\Admin\Pictures\c0vp9z44mcWqa0SdECasRmi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-EE2QE.tmp\mQB2H1sot5O0p7L027DmW41K.tmp N/A
N/A N/A C:\Users\Admin\Pictures\T3hNDyZWCOhagRUEgpQOM8sH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-B96F8.tmp\c0vp9z44mcWqa0SdECasRmi7.tmp N/A
N/A N/A C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QKKUU.tmp\_isetup\_setup64.tmp N/A
N/A N/A C:\Users\Admin\Pictures\Jxskl4hS0qiDNZT1uXKEneru.exe N/A
N/A N/A C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe N/A
N/A N/A C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\kmLQl0CKd1RafIz8s2HGBGVJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-434U4.tmp\8758677____.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4b-825cf-c83-34988-acfde579e3761\Gogebihohy.exe N/A
N/A N/A C:\Program Files\Windows Security\TSRGHMWVGK\lightcleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310041805151\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310041805151\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310041805151\assistant\assistant_installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\s6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042051\\s6.exe" C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigitalPulse = "\"C:\\Users\\Admin\\AppData\\Roaming\\DigitalPulse\\DigitalPulseService.exe\" 5333:::clickId=:::srcId=" C:\Users\Admin\AppData\Local\Temp\is-EE2QE.tmp\mQB2H1sot5O0p7L027DmW41K.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Defender\\Gogebihohy.exe\"" C:\Users\Admin\AppData\Local\Temp\is-434U4.tmp\8758677____.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe N/A

Legitimate hosting services abused for malware hosting/C2

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LightCleaner\is-FGK0J.tmp C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\CircularProgressBar.dll C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-RRS8R.tmp C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp N/A
File created C:\Program Files\Windows Security\TSRGHMWVGK\lightcleaner.exe.config C:\Users\Admin\AppData\Local\Temp\is-434U4.tmp\8758677____.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\VTRegScan.dll C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-JBDHU.tmp C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-EP7AC.tmp C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe N/A
File created C:\Program Files (x86)\Windows Defender\Gogebihohy.exe C:\Users\Admin\AppData\Local\Temp\is-434U4.tmp\8758677____.exe N/A
File created C:\Program Files\Windows Security\TSRGHMWVGK\lightcleaner.exe C:\Users\Admin\AppData\Local\Temp\is-434U4.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\Windows Defender\Gogebihohy.exe.config C:\Users\Admin\AppData\Local\Temp\is-434U4.tmp\8758677____.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\LightCleaner.exe C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-6HPHM.tmp C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe N/A
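
The Blob values above are Windows' serialized certificate-context format, and AuthRoot is the store the automatic root-update mechanism fills when a chain needs a public root that is not cached yet. A Blob write there while a signed installer runs (here the silent Opera install, kmLQl0CKd1RafIz8s2HGBGVJ.exe) is consistent with root caching rather than with an attacker-inserted root, but that is only a presumption until the value has been decoded: the stored SHA-1 record must equal the key name, and the embedded certificate must be the root the friendly name claims. The first Blob carries its own answer, since its friendly-name record reads "DigiCert Trusted Root G4" and its SHA-1 record is DDFB16CD4931C973A2037D3FC83A4D7D775D05E4. The decoder below is an added example, not part of this report or of the sandbox that produced it. It walks the property records (uint32 property id, uint32 reserved, uint32 length, data), decodes the friendly name and compares the stored SHA-1 with the SHA-1 of the embedded DER. The two records marked as copied are taken verbatim from the first Blob above; the rest of the sample input is constructed and the placeholder DER bytes are not a certificate.

```python
# Added example (not part of the sandbox report): decoder for the serialized
# certificate context that Windows stores in the registry value
#   HKLM\SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates\<SHA1>\Blob
# The value is a sequence of property records laid out as
#   uint32 LE property id | uint32 LE reserved (1) | uint32 LE length | data
# where the ids are the CERT_*_PROP_ID constants from wincrypt.h.
import hashlib
import struct

PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x04: "CERT_MD5_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",  # the DER-encoded certificate itself
}


def parse_cert_blob(blob: bytes) -> dict:
    """Walk the property records and return {property_id: data}.
    Raises ValueError on a truncated or malformed record."""
    props = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} in record {prop_id:#x}")
        if off + length > len(blob):
            raise ValueError(f"record {prop_id:#x} runs past the end of the blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_cert_blob(blob)
        return True
    except ValueError:
        return False


def summarize_blob(hex_value: str) -> dict:
    """Decode a Blob value given as the hex string the report prints."""
    props = parse_cert_blob(bytes.fromhex(hex_value))
    out = {"properties": sorted(PROP_NAMES.get(p, f"prop_{p:#x}") for p in props)}
    if 0x0B in props:  # UTF-16LE with a trailing NUL
        out["friendly_name"] = props[0x0B].decode("utf-16-le").rstrip("\x00")
    if 0x03 in props:
        out["stored_sha1"] = props[0x03].hex()
    if 0x20 in props:
        der = props[0x20]
        out["cert_sha1"] = hashlib.sha1(der).hexdigest()
        out["cert_sha256"] = hashlib.sha256(der).hexdigest()
        # The stored SHA-1 property, the SHA-1 of the DER and the registry key name
        # should all agree; a mismatch means the blob was hand-built or tampered with.
        out["sha1_consistent"] = out.get("stored_sha1") == out["cert_sha1"]
    return out


def matches_key_name(summary: dict, key_name: str) -> bool:
    """True when the stored SHA-1 equals the thumbprint used as the registry key."""
    return summary.get("stored_sha1", "") == key_name.lower()


def build_blob(records) -> bytes:
    """Serialize (property_id, data) pairs in the Blob layout. Only used here to
    construct test input; on a real host Windows writes the value itself."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


# Two records copied verbatim from the first Blob in the report: the friendly name
# (id 0x0B, 50 bytes) and the SHA-1 hash (id 0x03, 20 bytes).
PAGE_RECORDS_HEX = (
    "0b00000001000000320000004400690067006900430065007200740020005400720075007300"
    "740065006400200052006f006f0074002000470034000000"
    "030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4"
)

# Constructed, fully consistent sample. FAKE_DER is a placeholder byte string, not
# a certificate; its SHA-1 is written into the 0x03 record so the check passes.
FAKE_DER = bytes.fromhex("3082000a020100020101020aff")
SAMPLE_BLOB_HEX = build_blob([
    (0x0B, "Example Root".encode("utf-16-le") + b"\x00\x00"),
    (0x03, hashlib.sha1(FAKE_DER).digest()),
    (0x20, FAKE_DER),
]).hex()

if __name__ == "__main__":
    print(summarize_blob(PAGE_RECORDS_HEX))
    print(summarize_blob(SAMPLE_BLOB_HEX))
```

To apply it to a live host, export the Blob value (reg.exe or the registry provider in PowerShell) and pass its hex to summarize_blob; the decisive checks are sha1_consistent, matches_key_name against the key the value sits under, and whether cert_sha256 is the published fingerprint of the root the friendly name names. A blob whose embedded certificate hashes to something else, or that carries a friendly name with no matching public root, is the case worth escalating.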

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-B96F8.tmp\c0vp9z44mcWqa0SdECasRmi7.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-EE2QE.tmp\mQB2H1sot5O0p7L027DmW41K.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-EE2QE.tmp\mQB2H1sot5O0p7L027DmW41K.tmp N/A
N/A N/A C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe N/A
N/A N/A C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe N/A
N/A N/A C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe N/A
N/A N/A C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe N/A
N/A N/A C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe N/A
N/A N/A C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe N/A
N/A N/A C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe N/A
N/A N/A C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe N/A
N/A N/A C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe N/A
N/A N/A C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe N/A
N/A N/A C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\mG8DAgtkavYjE40tHMiroqJS.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-434U4.tmp\8758677____.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-EE2QE.tmp\mQB2H1sot5O0p7L027DmW41K.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2152 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2152 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2152 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2152 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2152 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2152 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2152 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2152 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4100 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\TlK7UbviUmEIdGrohp877QPd.exe
PID 4100 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\TlK7UbviUmEIdGrohp877QPd.exe
PID 4100 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\TlK7UbviUmEIdGrohp877QPd.exe
PID 2184 wrote to memory of 3288 N/A C:\Users\Admin\Pictures\TlK7UbviUmEIdGrohp877QPd.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2184 wrote to memory of 3288 N/A C:\Users\Admin\Pictures\TlK7UbviUmEIdGrohp877QPd.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2184 wrote to memory of 3288 N/A C:\Users\Admin\Pictures\TlK7UbviUmEIdGrohp877QPd.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 3288 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\System32\schtasks.exe
PID 3288 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\System32\schtasks.exe
PID 3288 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\System32\schtasks.exe
PID 3288 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 3288 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 3288 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 4704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\System32\powercfg.exe
PID 4100 wrote to memory of 4704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\System32\powercfg.exe
PID 4100 wrote to memory of 4704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\System32\powercfg.exe
PID 2608 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2608 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2608 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4100 wrote to memory of 3760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\mG8DAgtkavYjE40tHMiroqJS.exe
PID 4100 wrote to memory of 3760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\mG8DAgtkavYjE40tHMiroqJS.exe
PID 4100 wrote to memory of 3760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\mG8DAgtkavYjE40tHMiroqJS.exe
PID 4100 wrote to memory of 460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\OJv0Bu7XXb7mLxAG5DIvMpRX.exe
PID 4100 wrote to memory of 460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\OJv0Bu7XXb7mLxAG5DIvMpRX.exe
PID 4100 wrote to memory of 460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\OJv0Bu7XXb7mLxAG5DIvMpRX.exe
PID 4100 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Zt76iCVCGtGGb3EN6rtQsRQd.exe
PID 4100 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Zt76iCVCGtGGb3EN6rtQsRQd.exe
PID 4100 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Zt76iCVCGtGGb3EN6rtQsRQd.exe
PID 4100 wrote to memory of 3240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\LaYtv6w66qy0v3ipxALm7OiT.exe
PID 4100 wrote to memory of 3240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\LaYtv6w66qy0v3ipxALm7OiT.exe
PID 4100 wrote to memory of 3240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\LaYtv6w66qy0v3ipxALm7OiT.exe
PID 2608 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2608 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2608 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4100 wrote to memory of 4752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\c0vp9z44mcWqa0SdECasRmi7.exe
PID 4100 wrote to memory of 4752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\c0vp9z44mcWqa0SdECasRmi7.exe
PID 4100 wrote to memory of 4752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\c0vp9z44mcWqa0SdECasRmi7.exe
PID 4704 wrote to memory of 440 N/A C:\Windows\System32\powercfg.exe C:\Users\Admin\AppData\Local\Temp\is-EE2QE.tmp\mQB2H1sot5O0p7L027DmW41K.tmp
PID 4704 wrote to memory of 440 N/A C:\Windows\System32\powercfg.exe C:\Users\Admin\AppData\Local\Temp\is-EE2QE.tmp\mQB2H1sot5O0p7L027DmW41K.tmp
PID 4704 wrote to memory of 440 N/A C:\Windows\System32\powercfg.exe C:\Users\Admin\AppData\Local\Temp\is-EE2QE.tmp\mQB2H1sot5O0p7L027DmW41K.tmp
PID 4100 wrote to memory of 2500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\T3hNDyZWCOhagRUEgpQOM8sH.exe
PID 4100 wrote to memory of 2500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\T3hNDyZWCOhagRUEgpQOM8sH.exe
PID 4100 wrote to memory of 2500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\T3hNDyZWCOhagRUEgpQOM8sH.exe
PID 4752 wrote to memory of 2084 N/A C:\Users\Admin\Pictures\c0vp9z44mcWqa0SdECasRmi7.exe C:\Users\Admin\AppData\Local\Temp\is-B96F8.tmp\c0vp9z44mcWqa0SdECasRmi7.tmp
PID 4752 wrote to memory of 2084 N/A C:\Users\Admin\Pictures\c0vp9z44mcWqa0SdECasRmi7.exe C:\Users\Admin\AppData\Local\Temp\is-B96F8.tmp\c0vp9z44mcWqa0SdECasRmi7.tmp
PID 4752 wrote to memory of 2084 N/A C:\Users\Admin\Pictures\c0vp9z44mcWqa0SdECasRmi7.exe C:\Users\Admin\AppData\Local\Temp\is-B96F8.tmp\c0vp9z44mcWqa0SdECasRmi7.tmp
PID 4100 wrote to memory of 2640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe
PID 4100 wrote to memory of 2640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe
PID 4100 wrote to memory of 2640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe
PID 440 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\is-EE2QE.tmp\mQB2H1sot5O0p7L027DmW41K.tmp C:\Users\Admin\AppData\Local\Temp\is-QKKUU.tmp\_isetup\_setup64.tmp
PID 440 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\is-EE2QE.tmp\mQB2H1sot5O0p7L027DmW41K.tmp C:\Users\Admin\AppData\Local\Temp\is-QKKUU.tmp\_isetup\_setup64.tmp
PID 4100 wrote to memory of 4572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Jxskl4hS0qiDNZT1uXKEneru.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe

"C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\Pictures\TlK7UbviUmEIdGrohp877QPd.exe

"C:\Users\Admin\Pictures\TlK7UbviUmEIdGrohp877QPd.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\Pictures\mQB2H1sot5O0p7L027DmW41K.exe

"C:\Users\Admin\Pictures\mQB2H1sot5O0p7L027DmW41K.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\c0vp9z44mcWqa0SdECasRmi7.exe

"C:\Users\Admin\Pictures\c0vp9z44mcWqa0SdECasRmi7.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\is-EE2QE.tmp\mQB2H1sot5O0p7L027DmW41K.tmp

"C:\Users\Admin\AppData\Local\Temp\is-EE2QE.tmp\mQB2H1sot5O0p7L027DmW41K.tmp" /SL5="$601E4,5025136,832512,C:\Users\Admin\Pictures\mQB2H1sot5O0p7L027DmW41K.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Users\Admin\Pictures\LaYtv6w66qy0v3ipxALm7OiT.exe

"C:\Users\Admin\Pictures\LaYtv6w66qy0v3ipxALm7OiT.exe"

C:\Users\Admin\Pictures\T3hNDyZWCOhagRUEgpQOM8sH.exe

"C:\Users\Admin\Pictures\T3hNDyZWCOhagRUEgpQOM8sH.exe"

C:\Users\Admin\Pictures\Zt76iCVCGtGGb3EN6rtQsRQd.exe

"C:\Users\Admin\Pictures\Zt76iCVCGtGGb3EN6rtQsRQd.exe"

C:\Users\Admin\Pictures\OJv0Bu7XXb7mLxAG5DIvMpRX.exe

"C:\Users\Admin\Pictures\OJv0Bu7XXb7mLxAG5DIvMpRX.exe"

C:\Users\Admin\Pictures\mG8DAgtkavYjE40tHMiroqJS.exe

"C:\Users\Admin\Pictures\mG8DAgtkavYjE40tHMiroqJS.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\AppData\Local\Temp\is-B96F8.tmp\c0vp9z44mcWqa0SdECasRmi7.tmp

"C:\Users\Admin\AppData\Local\Temp\is-B96F8.tmp\c0vp9z44mcWqa0SdECasRmi7.tmp" /SL5="$501FC,491750,408064,C:\Users\Admin\Pictures\c0vp9z44mcWqa0SdECasRmi7.exe"

C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe

"C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe" --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\is-QKKUU.tmp\_isetup\_setup64.tmp

helper 105 0x448

C:\Users\Admin\Pictures\Jxskl4hS0qiDNZT1uXKEneru.exe

"C:\Users\Admin\Pictures\Jxskl4hS0qiDNZT1uXKEneru.exe"

C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe

"C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe"

C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe

C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2f8,0x2fc,0x300,0x2d4,0x304,0x6e6a8538,0x6e6a8548,0x6e6a8554

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\kmLQl0CKd1RafIz8s2HGBGVJ.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\kmLQl0CKd1RafIz8s2HGBGVJ.exe" --version

C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe

"C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2640 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231004180515" --session-guid=02cdff78-8964-4a57-a826-c72e36790171 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3804000000000000

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe

C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6d618538,0x6d618548,0x6d618554

C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

"C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\is-434U4.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-434U4.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 808

C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp" /SL5="$30244,833775,56832,C:\Program Files\Windows Security\TSRGHMWVGK\lightcleaner.exe" /VERYSILENT

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Program Files\Windows Security\TSRGHMWVGK\lightcleaner.exe

"C:\Program Files\Windows Security\TSRGHMWVGK\lightcleaner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\4b-825cf-c83-34988-acfde579e3761\Gogebihohy.exe

"C:\Users\Admin\AppData\Local\Temp\4b-825cf-c83-34988-acfde579e3761\Gogebihohy.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310041805151\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310041805151\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310041805151\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310041805151\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310041805151\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310041805151\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x55e8a0,0x55e8b0,0x55e8bc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe
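
The process list above is the whole chain in order: Defender exclusions via Add-MpPreference (first for the sample itself, later for all of %UserProfile% and %ProgramFiles%), InstallUtil.exe started with no arguments as the process the sample writes into (PID 4100 in the WriteProcessMemory table), an every-minute scheduled task plus CACLS denying the owner access to the dropped nhdues.exe and its directory, the Windows Update service stack stopped and every sleep timeout zeroed before a task named GoogleUpdateTaskMachineQC is registered to run as SYSTEM from an XML in Temp and started, and rundll32 loading cred64.dll and clip64.dll out of AppData\Roaming. None of those lines is conclusive on its own; the value is in matching each one and then counting how many tags land in a single process tree. The classifier below is an added example, not the sandbox's own signature logic. It runs over a constructed subset of the command lines above; the tag names and the ATT&CK ids are the editor's mapping.

```python
# Added example (not the sandbox's own signature logic): tag the command lines from
# the process list with the technique each one implements, then group them so the
# chain is visible. Tag names and ATT&CK ids are the editor's mapping.
import re

RULES = [
    ("defender_exclusion", "T1562.001",
     re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("update_service_stop", "T1489",
     re.compile(r"\bsc\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("sleep_timeouts_zeroed", None,  # keeps a miner's host awake; no single ATT&CK id
     re.compile(r"powercfg\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b", re.I)),
    ("schtasks_every_minute", "T1053.005",
     re.compile(r"schtasks.*?/create.*?/sc\s+minute\s+/mo\s+1\b", re.I)),
    ("schtasks_system_from_temp_xml", "T1053.005",
     re.compile(r'schtasks.*?/create.*?/ru\s+"?system"?.*?/xml\s+"?[^"]*\\temp\\', re.I)),
    ("cacls_deny_own_payload", "T1222.001",
     re.compile(r'cacls\s+"[^"]+"\s+/p\s+"[^"]+:n"', re.I)),
    ("rundll32_dll_from_roaming", "T1218.011",
     re.compile(r'rundll32\.exe"?\s+[a-z]:\\users\\[^\s,]+\\appdata\\roaming\\[^\s,]+\.dll\s*,', re.I)),
    ("installutil_no_arguments", "T1218.004",
     re.compile(r'installutil\.exe"?\s*$', re.I)),
]


def classify(cmdline: str):
    """Return [(tag, technique_id)] for every rule the command line trips."""
    return [(tag, tech) for tag, tech, pat in RULES if pat.search(cmdline)]


def tags_for(cmdline: str):
    return sorted(tag for tag, _ in classify(cmdline))


def triage(cmdlines):
    """Group command lines by tag. One tag is weak evidence; several in one
    process tree (exclusion + service stop + SYSTEM task + rundll32) is the signal."""
    hits = {}
    for line in cmdlines:
        for tag, _ in classify(line):
            hits.setdefault(tag, []).append(line)
    return hits


# Constructed subset of the command lines from the process list above.
SAMPLE_CMDLINES = [
    r'"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf_JC.exe" -Force',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F',
    r'CACLS "nhdues.exe" /P "Admin:N"',
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc',
    r'powercfg /x -standby-timeout-ac 0',
    r'C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main',
    r'"C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe" --silent --allusers=0',
]

if __name__ == "__main__":
    for tag, lines in sorted(triage(SAMPLE_CMDLINES).items()):
        print(f"{tag}: {len(lines)} line(s)")
```

The patterns are written against the exact lines in this report and are meant to be fed from Sysmon event 1 or 4688 command lines; the Opera installer line is included as the control case that trips nothing. Two caveats a hunter would want: the InstallUtil rule only catches the argument-less launch, so pair it with the parent-process check the WriteProcessMemory table gives you, and the CACLS rule will also fire on legitimate administrators tightening ACLs, which is why the grouping matters more than any single tag.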

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 172.67.34.170:443 pastebin.com tcp
DE 148.251.234.93:443 yip.su tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 d062.userscloud.net udp
DE 168.119.140.62:443 d062.userscloud.net tcp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 8.8.8.8:53 ji.fhauiehgha.com udp
US 8.8.8.8:53 jetpackdelivery.net udp
US 8.8.8.8:53 bolidare.beget.tech udp
US 8.8.8.8:53 lycheepanel.info udp
US 8.8.8.8:53 goboh2b.top udp
US 8.8.8.8:53 net.geo.opera.com udp
US 8.8.8.8:53 link.storjshare.io udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 172.67.216.81:443 flyawayaero.net tcp
RU 91.106.207.50:80 bolidare.beget.tech tcp
NL 13.227.219.122:443 downloads.digitalpulsedata.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 104.21.32.208:443 lycheepanel.info tcp
US 188.114.97.0:443 jetpackdelivery.net tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
RU 45.8.228.16:80 goboh2b.top tcp
US 8.8.8.8:53 potatogoose.com udp
US 8.8.8.8:53 justsafepay.com udp
US 172.67.180.173:443 potatogoose.com tcp
US 188.114.97.0:443 justsafepay.com tcp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 62.140.119.168.in-addr.arpa udp
US 8.8.8.8:53 143.144.217.85.in-addr.arpa udp
US 8.8.8.8:53 81.216.67.172.in-addr.arpa udp
US 8.8.8.8:53 122.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 10.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 2.77.0.136.in-addr.arpa udp
US 8.8.8.8:53 208.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 50.207.106.91.in-addr.arpa udp
US 8.8.8.8:53 16.228.8.45.in-addr.arpa udp
US 8.8.8.8:53 173.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
BG 193.42.32.29:80 193.42.32.29 tcp
BG 193.42.32.29:80 193.42.32.29 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 29.32.42.193.in-addr.arpa udp
US 136.0.77.2:80 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 124.182.26.185.in-addr.arpa udp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 download.opera.com udp
US 8.8.8.8:53 features.opera-api2.com udp
NL 185.26.182.122:443 download.opera.com tcp
NL 185.26.182.94:443 features.opera-api2.com tcp
US 8.8.8.8:53 demo.seafile.com udp
US 8.8.8.8:53 download3.operacdn.com udp
DE 168.119.152.22:80 demo.seafile.com tcp
GB 95.101.143.176:443 download3.operacdn.com tcp
DE 168.119.152.22:443 demo.seafile.com tcp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 68.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 122.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 94.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 m7val1dat0r.info udp
US 188.114.96.0:443 m7val1dat0r.info tcp
US 8.8.8.8:53 22.152.119.168.in-addr.arpa udp
US 8.8.8.8:53 176.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 connectini.net udp
GB 91.109.116.11:443 connectini.net tcp
US 8.8.8.8:53 vibrator.s3.pl-waw.scw.cloud udp
US 8.8.8.8:53 link.storjshare.io udp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
US 136.0.77.2:443 link.storjshare.io tcp
DE 52.219.169.142:443 wewewe.s3.eu-central-1.amazonaws.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
PL 151.115.10.1:443 vibrator.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 11.116.109.91.in-addr.arpa udp
US 8.8.8.8:53 142.169.219.52.in-addr.arpa udp
US 8.8.8.8:53 1.10.115.151.in-addr.arpa udp
US 8.8.8.8:53 360devtracking.com udp
GB 91.109.116.11:80 360devtracking.com tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 bapp.digitalpulsedata.com udp
CA 3.98.219.138:443 bapp.digitalpulsedata.com tcp
US 8.8.8.8:53 138.219.98.3.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/2152-0-0x00007FF6C50E0000-0x00007FF6C54BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mkxqpso1.qhb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2084-11-0x00007FFEF8FF0000-0x00007FFEF9AB1000-memory.dmp

memory/2084-10-0x00000233B58D0000-0x00000233B58F2000-memory.dmp

memory/2084-12-0x00000233B5950000-0x00000233B5960000-memory.dmp

memory/2084-14-0x00000233B5950000-0x00000233B5960000-memory.dmp

memory/2084-13-0x00000233B5950000-0x00000233B5960000-memory.dmp

memory/2084-17-0x00007FFEF8FF0000-0x00007FFEF9AB1000-memory.dmp

memory/2152-19-0x00007FF6C50E0000-0x00007FF6C54BE000-memory.dmp

memory/2152-18-0x00007FFF16A90000-0x00007FFF16C85000-memory.dmp

memory/2152-20-0x00007FFF16A90000-0x00007FFF16C85000-memory.dmp

memory/4100-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4100-22-0x00000000745D0000-0x0000000074D80000-memory.dmp

memory/4100-23-0x0000000005710000-0x0000000005720000-memory.dmp

C:\Users\Admin\Pictures\TlK7UbviUmEIdGrohp877QPd.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\mQB2H1sot5O0p7L027DmW41K.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

memory/4704-80-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\mG8DAgtkavYjE40tHMiroqJS.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\Zt76iCVCGtGGb3EN6rtQsRQd.exe

MD5 1c7175316b4cef5d06929b6908f420b1
SHA1 03fb9f6b311e4b14dbfd9e75dd7312927e65c139
SHA256 6d0d0bfb0234dfe8b53845a003af0e8dc32f3be55a93a5a0ac7850f24c6df80a
SHA512 13160ca4b9c01884800d0af0b985c7f6a2a5fa5e8648f7db1663291b0ee835c6d5a9bf1e821ab45ada7828cbe9abe807c776453757383f226c97e92fde2f51ae

C:\Users\Admin\Pictures\OJv0Bu7XXb7mLxAG5DIvMpRX.exe

MD5 abaf32bc252ee749d515445ca119eba5
SHA1 cad9934e6c68bd6e483b0363eee8e76ddc9c95de
SHA256 ba742938e7ea66c99fa579563aafdc0c0d5a8e8d9f3d5f736aa21a3d493fcf6a
SHA512 4651fbbc7dcce9be524e9939bec773f11a470beaf098ebfd9d4216567a4078a6f735d4aea3a1d9e4951720fc3c4c6d711791f32d683ea66e2b4234608024fb58

C:\Users\Admin\Pictures\LaYtv6w66qy0v3ipxALm7OiT.exe

MD5 73f34e79aa511ce95baceb7f50e62057
SHA1 8824ee7b75cb26c6d2e942a3cf249b430f640df0
SHA256 f98f673388c81128af080e82fcbb5bfa9a542f82e6c7d33feb114402a314bcad
SHA512 0b66b5c97c876612d317f6bbbcb7052bd5db5d26b3011640e14d312b0f4d5294d596449f81fb456af01093403c389cc16b216e823b1f8d153a92c8cc998700ce

memory/4752-140-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-EE2QE.tmp\mQB2H1sot5O0p7L027DmW41K.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

C:\Users\Admin\Pictures\T3hNDyZWCOhagRUEgpQOM8sH.exe

MD5 20c7fc8e1395597d37da31b8b42dd889
SHA1 f7761976e5e99ddbd188d1517a5bd472c65a310b
SHA256 f6037cd5d501ac9605b6449d78b4c11ff6ed08feaf232563a049b0607a9950cc
SHA512 1fb39d5ff86a66615b4dfdb2191afb710cb41626edef6d45828bc8f2dd305362747583462188d03fdba6afe1d2d3d2a4645b8539401254a29557bd05788bca27

memory/3760-157-0x0000000000190000-0x00000000004AC000-memory.dmp

memory/4752-163-0x0000000000400000-0x000000000046A000-memory.dmp

memory/3760-147-0x00000000745D0000-0x0000000074D80000-memory.dmp

C:\Users\Admin\Pictures\c0vp9z44mcWqa0SdECasRmi7.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\rxjullc7sYrgm0Z8sKX1ASGC.exe

MD5 24fe48030f7d3097d5882535b04c3fa8
SHA1 a689a999a5e62055bda8c21b1dbe92c119308def
SHA256 424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e
SHA512 45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

C:\Users\Admin\Pictures\z86GncNyuMMdrUKFxE0eVczP.exe

MD5 dde72ae232dc63298465861482d7bb93
SHA1 557c5dbebc35bc82280e2a744a03ce5e78b3e6fb
SHA256 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
SHA512 389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310041805093392640.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/3760-212-0x0000000004E30000-0x0000000004ECC000-memory.dmp

memory/2084-213-0x0000000000670000-0x0000000000671000-memory.dmp

memory/3760-217-0x0000000004EF0000-0x0000000004F56000-memory.dmp

C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/4572-218-0x00007FF7F6D30000-0x00007FF7F6E1C000-memory.dmp

C:\Users\Admin\Pictures\Jxskl4hS0qiDNZT1uXKEneru.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/2640-210-0x0000000000260000-0x00000000007AD000-memory.dmp

memory/3760-205-0x00000000050C0000-0x0000000005282000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-QKKUU.tmp\_isetup\_setup64.tmp

MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

C:\Users\Admin\AppData\Local\Temp\is-434U4.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/3760-187-0x0000000004D90000-0x0000000004E22000-memory.dmp

C:\Users\Admin\Pictures\kmLQl0CKd1RafIz8s2HGBGVJ.exe

MD5 ab834ace35d893475c62d1c93dbc760d
SHA1 5121c046b6c0db3e98340315a2a8820d738dfab7
SHA256 f44cb3a73f8da453de9aa8fa5d21231af55329f3455d9c45e278bd6a60348102
SHA512 af84bea97d4d20f045bc598afe4a253efc73232aea303893409c3f6da530b2964db097b47c25b7a5d54a282398526415b3fd83677c73832f1dcc52dac26c77d4

C:\Users\Admin\AppData\Local\Temp\is-B96F8.tmp\c0vp9z44mcWqa0SdECasRmi7.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

memory/3760-178-0x00000000054A0000-0x0000000005A44000-memory.dmp

memory/440-164-0x00000000009F0000-0x00000000009F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\890696111233

MD5 fa10c58fb12ffafd9c7034b1f3f43a48
SHA1 30d572ec82bf7aaa4dd1f34fdeb6c0ec0831864e
SHA256 fb002f4b81cd372b086e7305017e3fd48f4f000246673e691493e7cb4c3e5939
SHA512 5323765a159795e58b4ac68b4251c7cbb108b31e912a7beea8fdf77a28c51e7aab1c90fa1420ca348e0f4c4c78d47df1b48759d0670d8209b74fcf7569f89e33

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310041805140892004.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/2004-235-0x0000000000260000-0x00000000007AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

MD5 a5fa0cbdbbb74d6cf28c0c48703efa6a
SHA1 c3a2902e79da6612fee788a7a45bad8907ca125d
SHA256 6f0274a0e17ea613a840cd89a838151a3bbf145dbbedccbff9efc7ab762b82e1
SHA512 32c5f73cff6cac5ec11da474c3b55c397a471e9e61774b67fc7fdead6a375cf4cfadba61bab65f7081a23e866c5daffb75b2c974d7eed98c38a87ccbe079f8e7

memory/3760-253-0x0000000004D30000-0x0000000004D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\kmLQl0CKd1RafIz8s2HGBGVJ.exe

MD5 ab834ace35d893475c62d1c93dbc760d
SHA1 5121c046b6c0db3e98340315a2a8820d738dfab7
SHA256 f44cb3a73f8da453de9aa8fa5d21231af55329f3455d9c45e278bd6a60348102
SHA512 af84bea97d4d20f045bc598afe4a253efc73232aea303893409c3f6da530b2964db097b47c25b7a5d54a282398526415b3fd83677c73832f1dcc52dac26c77d4

memory/4752-254-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310041805147924832.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/4832-264-0x00000000001C0000-0x000000000070D000-memory.dmp

memory/4832-263-0x00000000001C0000-0x000000000070D000-memory.dmp

memory/440-272-0x0000000000400000-0x000000000071C000-memory.dmp

memory/4100-273-0x0000000005710000-0x0000000005720000-memory.dmp

memory/2548-275-0x0000000000260000-0x00000000007AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310041805168232548.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/4704-238-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3760-287-0x00000000745D0000-0x0000000074D80000-memory.dmp

memory/472-289-0x0000000000260000-0x00000000007AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_231004180518136472.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/4100-220-0x00000000745D0000-0x0000000074D80000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 03b49fea4247afac1835d43f7b095815
SHA1 9701865c35095ccdb361e6b41ad73643cb77ab0e
SHA256 29786e331e1fd166f1aeb9e150f76b2064dba566fa2a7da41cf618c7375e21d0
SHA512 eb42165f8597bbbbc3750d5a1de8a83b013f7e967c69df0c17d8960b4ed6a97f545ef80fdef8f53dc80b37a32fe2f86d142c3a6d9f75d956dd643a3f3c9a4b17

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 a1423dcf1cd60e10112b60331becaa50
SHA1 cb08f6e1ce1139bdd3ef16fab1a363c75cbd450d
SHA256 1758946ea943dc9dd62b67e317df2aba967db466edad3bd9b812ab8917fda7b3
SHA512 7998ce954a0579dc597cc76f73075757a252962e071049c4a25f72ae322d13babeee7e2c2ae5b65fec0adda3fcb3a360bb17fae69d15ab3ee21057dfacd79fe6

memory/2552-319-0x00007FF6C3AD0000-0x00007FF6C4013000-memory.dmp

memory/2640-316-0x0000000000260000-0x00000000007AD000-memory.dmp

memory/2084-311-0x0000000000400000-0x0000000000513000-memory.dmp

memory/3760-323-0x0000000006200000-0x000000000672C000-memory.dmp

memory/3760-327-0x0000000007270000-0x000000000727A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-434U4.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/2004-331-0x0000000000260000-0x00000000007AD000-memory.dmp

memory/4216-336-0x000002844C9E0000-0x000002844CA64000-memory.dmp

memory/440-337-0x0000000000400000-0x000000000071C000-memory.dmp

memory/440-335-0x00000000009F0000-0x00000000009F1000-memory.dmp

memory/4216-338-0x000002844E5C0000-0x000002844E622000-memory.dmp

memory/4216-339-0x00007FFEF7CA0000-0x00007FFEF8761000-memory.dmp

memory/2548-340-0x0000000000260000-0x00000000007AD000-memory.dmp

memory/4216-345-0x000002844E630000-0x000002844E68E000-memory.dmp

memory/4572-344-0x0000000003310000-0x0000000003441000-memory.dmp

memory/3760-346-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/4572-347-0x0000000003190000-0x0000000003301000-memory.dmp

memory/4216-341-0x000002844E620000-0x000002844E630000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/2084-353-0x0000000000400000-0x0000000000513000-memory.dmp

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

C:\Program Files\Windows Security\TSRGHMWVGK\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\4b-825cf-c83-34988-acfde579e3761\Gogebihohy.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

memory/2552-371-0x00007FF6C3AD0000-0x00007FF6C4013000-memory.dmp

memory/440-386-0x0000000000400000-0x000000000071C000-memory.dmp

memory/5248-387-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4b-825cf-c83-34988-acfde579e3761\Gogebihohy.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/472-398-0x0000000000260000-0x00000000007AD000-memory.dmp

memory/4216-400-0x00007FFEF7CA0000-0x00007FFEF8761000-memory.dmp

memory/4704-397-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

C:\Users\Admin\AppData\Local\Temp\is-FEOU6.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\4b-825cf-c83-34988-acfde579e3761\Gogebihohy.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Users\Admin\AppData\Local\Temp\4b-825cf-c83-34988-acfde579e3761\Gogebihohy.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

memory/2084-424-0x0000000000400000-0x0000000000513000-memory.dmp

memory/5384-423-0x00000000020E0000-0x00000000020E1000-memory.dmp

memory/4752-431-0x0000000000400000-0x000000000046A000-memory.dmp

memory/5236-432-0x000000006C340000-0x000000006C8F1000-memory.dmp

memory/3724-433-0x00007FFEF7CA0000-0x00007FFEF8761000-memory.dmp

memory/3724-434-0x000001F6C5300000-0x000001F6C5310000-memory.dmp

memory/5248-447-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3760-449-0x0000000004D30000-0x0000000004D40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

memory/3724-438-0x000001F6C5300000-0x000001F6C5310000-memory.dmp

memory/4832-453-0x00000000001C0000-0x000000000070D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-971S9.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/5384-457-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3724-459-0x000001F6C5300000-0x000001F6C5310000-memory.dmp

memory/5248-460-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3724-465-0x00007FFEF7CA0000-0x00007FFEF8761000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 dac9f39c1a5570ef4c421505dd8f491c
SHA1 a9385046574f32b5cfb9c92cd7ea28ca515c6e62
SHA256 65f4b666e3ac2e57938670ca4a0bcddfb6031c634f7cd720ca2c6aefc2c80794
SHA512 256d954615ee223e10f101ed09fa2dee18710d20928a32e094809d5dcdcf831dc30ff8f7f024a8f525d63e0747134ca99f7f9bfc988403ad89e46802bedaa24a

memory/4572-471-0x0000000003310000-0x0000000003441000-memory.dmp

memory/2552-473-0x00007FF6C3AD0000-0x00007FF6C4013000-memory.dmp

memory/3760-474-0x0000000004D30000-0x0000000004D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Users\Admin\Pictures\gykjFupo3SyPhXOgDW9vMUle.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/2552-484-0x00007FF6C3AD0000-0x00007FF6C4013000-memory.dmp

memory/3760-488-0x0000000004D30000-0x0000000004D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310041805151\opera_package

MD5 1b4af0087d5df808f26f57534a532aa9
SHA1 d32d1fcecbef0e361d41943477a1df25114ce7af
SHA256 22c21ff3d0f5af1c2191318ea12921cfd5434afc32c0641d58fd3f3a218ea111
SHA512 e5a32022fd08464a24c89819703fd9f05c75bd5b47392aae186b96a8e1146fb0c98cda14bfec9a1393c0cdde706db77d32e7a9a86e4611c72103265982d31e07

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310041805151\additional_file0.tmp

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

memory/5512-557-0x00007FF672330000-0x00007FF672873000-memory.dmp

memory/4644-570-0x00007FFEF7CA0000-0x00007FFEF8761000-memory.dmp

memory/4644-572-0x0000023AE8EC0000-0x0000023AE8ED0000-memory.dmp

memory/4644-574-0x0000023AE8EC0000-0x0000023AE8ED0000-memory.dmp

memory/4644-573-0x0000023AE8EC0000-0x0000023AE8ED0000-memory.dmp

memory/4644-584-0x0000023AE9BE0000-0x0000023AE9BFC000-memory.dmp

memory/4644-585-0x0000023AE9C00000-0x0000023AE9CB5000-memory.dmp

memory/5512-589-0x00007FF672330000-0x00007FF672873000-memory.dmp

memory/5308-604-0x0000000000DA0000-0x0000000000DC0000-memory.dmp

memory/5512-605-0x00007FF672330000-0x00007FF672873000-memory.dmp

memory/60-610-0x00007FF727230000-0x00007FF727243000-memory.dmp

memory/5308-611-0x00007FF6A11C0000-0x00007FF6A1A00000-memory.dmp