Malware Analysis Report

2025-01-02 08:37

Sample ID 231005-fe8xasaf53
Target 8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23
SHA256 8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23
Tags
amadey fabookie discovery evasion persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23

Threat Level: Known bad

The file 8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23 was found to be: Known bad.

Malicious Activity Summary

amadey fabookie discovery evasion persistence spyware stealer trojan upx

Fabookie

Amadey

Detect Fabookie payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Drops file in Drivers directory

Modifies Windows Firewall

Stops running service(s)

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

UPX packed file

Uses the VBS compiler for execution

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Enumerates connected drives

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses 2FA software files, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Kills process with taskkill

Modifies registry class

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-05 04:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-05 04:48

Reported

2023-10-05 04:53

Platform

win7-20230831-en

Max time kernel

134s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1372 set thread context of 1824 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0baba4347f7d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a7140000000000200000000001066000000010000200000002ac18471fedcf313155d034d3971e10b32f1438c5e6e798aa8b3baa7d0e691c1000000000e80000000020000200000004a9f0f5f221d2357fe226efb334df8a5b428229d874fd7b330fa037faa76f22d2000000039995a79c647c81dbd0496fbc21a536d1b28d1c2054c713b82527965d6a19d3540000000279585b5d299696c45e67ca98378b2cbc9005257e4e35e437f023b5c586638a7bf1170f0f88cb810ad4318cdbdfaa99fe6e53c4c774d3c13cef7ef12ca8e4c23 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402643176" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6CD85D21-633A-11EE-9ADF-D2B3C10F014B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000411c67d3bb6444b6112f2de4752da9e231d49047d8bdce4715e0bd203b8bad14000000000e8000000002000020000000c89f029f60c9a74c70611d20e5a5300947282fd85dc2cd260e2f1410a81d9c239000000007dfa8dc1e061340d5f6563fe445a8fbb9336041ef0e97d715c95d7308f7ae2b6b2be044254525cb0367d68e062cc4062964238d0a6962ca6e41638a1207be707a3861c43563b680b435c4dea9f771cf56330bc69c748a33f10eddd8e95ac86052979dba39771bada9a946aaab9330d8daa164b3b3629ab5ad57d6f21ba736a8914a5b300490ff64237cf3e39e93337640000000d1b84345e920b2ccab6c7829879819b4bd88bea12d0f99e2f611b129d13db390f8617374363cf4f003aca23825eb795a41e2be561c669d904ddb41ec23d9bf17 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1372 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
PID 1372 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
PID 1372 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
PID 1372 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
PID 1372 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
PID 1372 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
PID 1372 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
PID 1372 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
PID 1372 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
PID 1824 wrote to memory of 2612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1824 wrote to memory of 2612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1824 wrote to memory of 2612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1824 wrote to memory of 2612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2612 wrote to memory of 2724 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2612 wrote to memory of 2724 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2612 wrote to memory of 2724 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2612 wrote to memory of 2724 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe

"C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=regtlibv12.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-10-05 04:48

Reported

2023-10-05 04:53

Platform

win10-20230915-en

Max time kernel

145s

Max time network

306s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\rundll32.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-TMJJK.tmp\8758677____.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qyLsy9oHqcMQ7e2nYWMx2InV.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JRGagaRiLzdD9EJuieGJQJop.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YmIfxdlTiTvjlQM4qJO1mcmy.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hTBNfeWLlTPCCsy5dAlrmKYc.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KX5KUFLVQFWZ0WD83iiktQxe.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0zzyL0RoLWh76PDAePJHl8NQ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4tl7KSh2mjylIBC1Ur3RehLC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9cPNBVPUG1xQdZhphb8FIRMF.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NGDeHHOEzRY4hvQu8xN95KSH.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dHLVdY9nai1ednNKr6omc3F.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D4Yzi4cz7USLL9CF100POGoK.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Users\Admin\Pictures\gZ7GZFTFCsV2sDpvI23OnGkH.exe N/A
N/A N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A
N/A N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OuAk863rJyNs9tdh0ENpqcmp.exe N/A
N/A N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A
N/A N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A
N/A N/A C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
N/A N/A C:\Users\Admin\Pictures\BU9id3JcjB180xYIBFvUkMWp.exe N/A
N/A N/A C:\Users\Admin\Pictures\TXnkleZcGJ3b0eao6bDZ4TPC.exe N/A
N/A N/A C:\Users\Admin\Pictures\KRFnIoJDUmt01p4oE4wss8qw.exe N/A
N/A N/A C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HDGKN.tmp\BU9id3JcjB180xYIBFvUkMWp.tmp N/A
N/A N/A C:\Users\Admin\Pictures\sUA8C0GrSu25X5Nvx1I6WJa9.exe N/A
N/A N/A C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448361\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448361\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448361\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
N/A N/A C:\Users\Admin\Pictures\yfmXdpNkivJUbnAuaZluYQaB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LOLHD.tmp\yfmXdpNkivJUbnAuaZluYQaB.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TMJJK.tmp\8758677____.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SEYMHOEBFL\lightcleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45-67a73-713-63eb2-2cbe5e67f7dca\ZHesuqumexo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DVH90.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
N/A N/A C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows\CurrentVersion\Run\DigitalPulse = "\"C:\\Users\\Admin\\AppData\\Roaming\\DigitalPulse\\DigitalPulseService.exe\" 5333:::clickId=:::srcId=" C:\Users\Admin\AppData\Local\Temp\is-HDGKN.tmp\BU9id3JcjB180xYIBFvUkMWp.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Qugaelaefuta.exe\"" C:\Users\Admin\AppData\Local\Temp\is-TMJJK.tmp\8758677____.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\LightCleaner\CircularProgressBar.dll C:\Users\Admin\AppData\Local\Temp\is-DVH90.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-J5GTK.tmp C:\Users\Admin\AppData\Local\Temp\is-DVH90.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\LightCleaner.exe C:\Users\Admin\AppData\Local\Temp\is-DVH90.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\VTRegScan.dll C:\Users\Admin\AppData\Local\Temp\is-DVH90.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-DVH90.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-VV5HE.tmp C:\Users\Admin\AppData\Local\Temp\is-DVH90.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-8DRLR.tmp C:\Users\Admin\AppData\Local\Temp\is-DVH90.tmp\lightcleaner.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Qugaelaefuta.exe C:\Users\Admin\AppData\Local\Temp\is-TMJJK.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Qugaelaefuta.exe.config C:\Users\Admin\AppData\Local\Temp\is-TMJJK.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-0M6F3.tmp C:\Users\Admin\AppData\Local\Temp\is-DVH90.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-M6JNJ.tmp C:\Users\Admin\AppData\Local\Temp\is-DVH90.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-DVH90.tmp\lightcleaner.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\syswow64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\syswow64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\syswow64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\syswow64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Pictures\TXnkleZcGJ3b0eao6bDZ4TPC.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\syswow64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\syswow64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\syswow64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\1396046564.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Pictures\TXnkleZcGJ3b0eao6bDZ4TPC.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\syswow64\rundll32.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000_Classes\Local Settings C:\Windows\syswow64\rundll32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [certificate blob omitted] C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [certificate blob omitted] C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Users\Admin\AppData\Local\Temp\is-TMJJK.tmp\8758677____.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\is-TMJJK.tmp\8758677____.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [certificate blob omitted] C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [certificate blob omitted] C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HDGKN.tmp\BU9id3JcjB180xYIBFvUkMWp.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HDGKN.tmp\BU9id3JcjB180xYIBFvUkMWp.tmp N/A
N/A N/A C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe N/A
N/A N/A C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe N/A
N/A N/A C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe N/A
N/A N/A C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe N/A
N/A N/A C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe N/A
N/A N/A C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe N/A
N/A N/A C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe N/A
N/A N/A C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe N/A
N/A N/A C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe N/A
N/A N/A C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe N/A
N/A N/A C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DVH90.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DVH90.tmp\lightcleaner.tmp N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\Pictures\TXnkleZcGJ3b0eao6bDZ4TPC.exe N/A
N/A N/A C:\Users\Admin\Pictures\TXnkleZcGJ3b0eao6bDZ4TPC.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\KRFnIoJDUmt01p4oE4wss8qw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\sc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\sc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\DllHost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\DllHost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-TMJJK.tmp\8758677____.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4224 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4224 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4224 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4224 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4224 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4224 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4224 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4224 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4984 wrote to memory of 4396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\system32\schtasks.exe
PID 4984 wrote to memory of 4396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\system32\schtasks.exe
PID 4984 wrote to memory of 4396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\system32\schtasks.exe
PID 4984 wrote to memory of 3848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\gZ7GZFTFCsV2sDpvI23OnGkH.exe
PID 4984 wrote to memory of 3848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\gZ7GZFTFCsV2sDpvI23OnGkH.exe
PID 4984 wrote to memory of 3848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\gZ7GZFTFCsV2sDpvI23OnGkH.exe
PID 4984 wrote to memory of 216 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe
PID 4984 wrote to memory of 216 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe
PID 4984 wrote to memory of 216 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe
PID 216 wrote to memory of 2128 N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe
PID 216 wrote to memory of 2128 N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe
PID 216 wrote to memory of 2128 N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe
PID 4396 wrote to memory of 5020 N/A C:\Windows\system32\schtasks.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 4396 wrote to memory of 5020 N/A C:\Windows\system32\schtasks.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 4396 wrote to memory of 5020 N/A C:\Windows\system32\schtasks.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 216 wrote to memory of 4896 N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OuAk863rJyNs9tdh0ENpqcmp.exe
PID 216 wrote to memory of 4896 N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OuAk863rJyNs9tdh0ENpqcmp.exe
PID 216 wrote to memory of 4896 N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OuAk863rJyNs9tdh0ENpqcmp.exe
PID 216 wrote to memory of 4572 N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe
PID 216 wrote to memory of 4572 N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe
PID 216 wrote to memory of 4572 N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe
PID 4572 wrote to memory of 3668 N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe
PID 4572 wrote to memory of 3668 N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe
PID 4572 wrote to memory of 3668 N/A C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe
PID 4984 wrote to memory of 3340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe
PID 4984 wrote to memory of 3340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe
PID 4984 wrote to memory of 3340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe
PID 5020 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 5020 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 5020 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 4984 wrote to memory of 5012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\BU9id3JcjB180xYIBFvUkMWp.exe
PID 4984 wrote to memory of 5012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\BU9id3JcjB180xYIBFvUkMWp.exe
PID 4984 wrote to memory of 5012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\BU9id3JcjB180xYIBFvUkMWp.exe
PID 4984 wrote to memory of 5008 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\TXnkleZcGJ3b0eao6bDZ4TPC.exe
PID 4984 wrote to memory of 5008 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\TXnkleZcGJ3b0eao6bDZ4TPC.exe
PID 4984 wrote to memory of 5008 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\TXnkleZcGJ3b0eao6bDZ4TPC.exe
PID 5020 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 4724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\KRFnIoJDUmt01p4oE4wss8qw.exe
PID 4984 wrote to memory of 4724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\KRFnIoJDUmt01p4oE4wss8qw.exe
PID 4984 wrote to memory of 4724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\KRFnIoJDUmt01p4oE4wss8qw.exe
PID 4984 wrote to memory of 4820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe
PID 4984 wrote to memory of 4820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe
PID 4984 wrote to memory of 4820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe
PID 4984 wrote to memory of 660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\sUA8C0GrSu25X5Nvx1I6WJa9.exe
PID 4984 wrote to memory of 660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\sUA8C0GrSu25X5Nvx1I6WJa9.exe
PID 5012 wrote to memory of 4752 N/A C:\Users\Admin\Pictures\BU9id3JcjB180xYIBFvUkMWp.exe C:\Users\Admin\AppData\Local\Temp\is-HDGKN.tmp\BU9id3JcjB180xYIBFvUkMWp.tmp
PID 5012 wrote to memory of 4752 N/A C:\Users\Admin\Pictures\BU9id3JcjB180xYIBFvUkMWp.exe C:\Users\Admin\AppData\Local\Temp\is-HDGKN.tmp\BU9id3JcjB180xYIBFvUkMWp.tmp
PID 5012 wrote to memory of 4752 N/A C:\Users\Admin\Pictures\BU9id3JcjB180xYIBFvUkMWp.exe C:\Users\Admin\AppData\Local\Temp\is-HDGKN.tmp\BU9id3JcjB180xYIBFvUkMWp.tmp
PID 4984 wrote to memory of 4308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe
PID 4984 wrote to memory of 4308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe
PID 4752 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\is-HDGKN.tmp\BU9id3JcjB180xYIBFvUkMWp.tmp C:\Windows\system32\backgroundTaskHost.exe
PID 4752 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\is-HDGKN.tmp\BU9id3JcjB180xYIBFvUkMWp.tmp C:\Windows\system32\backgroundTaskHost.exe
PID 4472 wrote to memory of 204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe

"C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\Pictures\gZ7GZFTFCsV2sDpvI23OnGkH.exe

"C:\Users\Admin\Pictures\gZ7GZFTFCsV2sDpvI23OnGkH.exe"

C:\Users\Admin\Pictures\PvFoTkqLbylWf8m0Dv0M54eA.exe

"C:\Users\Admin\Pictures\PvFoTkqLbylWf8m0Dv0M54eA.exe"

C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe

"C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe" --silent --allusers=0

C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe

C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2b4,0x2b8,0x2bc,0x27c,0x2c0,0x6f0e8538,0x6f0e8548,0x6f0e8554

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OuAk863rJyNs9tdh0ENpqcmp.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OuAk863rJyNs9tdh0ENpqcmp.exe" --version

C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe

"C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=216 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231005044836" --session-guid=290a3b32-0c5f-4042-a78a-df60068a214b --server-tracking-blob=[opaque blob elided] --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=6404000000000000

C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe

C:\Users\Admin\Pictures\OuAk863rJyNs9tdh0ENpqcmp.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2c0,0x2c4,0x2c8,0x290,0x2cc,0x6e228538,0x6e228548,0x6e228554

C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe

"C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe"

C:\Users\Admin\Pictures\BU9id3JcjB180xYIBFvUkMWp.exe

"C:\Users\Admin\Pictures\BU9id3JcjB180xYIBFvUkMWp.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\TXnkleZcGJ3b0eao6bDZ4TPC.exe

"C:\Users\Admin\Pictures\TXnkleZcGJ3b0eao6bDZ4TPC.exe"

C:\Users\Admin\Pictures\KRFnIoJDUmt01p4oE4wss8qw.exe

"C:\Users\Admin\Pictures\KRFnIoJDUmt01p4oE4wss8qw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe

"C:\Users\Admin\Pictures\sWtyaIJDbz1PNdUdd6RdWFSw.exe"

C:\Users\Admin\AppData\Local\Temp\is-Q0SUI.tmp\_isetup\_setup64.tmp

helper 105 0x3B8

C:\Users\Admin\Pictures\sUA8C0GrSu25X5Nvx1I6WJa9.exe

"C:\Users\Admin\Pictures\sUA8C0GrSu25X5Nvx1I6WJa9.exe"

C:\Users\Admin\AppData\Local\Temp\is-HDGKN.tmp\BU9id3JcjB180xYIBFvUkMWp.tmp

"C:\Users\Admin\AppData\Local\Temp\is-HDGKN.tmp\BU9id3JcjB180xYIBFvUkMWp.tmp" /SL5="$D005E,5025136,832512,C:\Users\Admin\Pictures\BU9id3JcjB180xYIBFvUkMWp.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe

"C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448361\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448361\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448361\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448361\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448361\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448361\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x133e8a0,0x133e8b0,0x133e8bc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1396046564.exe"

C:\Users\Admin\AppData\Local\Temp\1396046564.exe

"C:\Users\Admin\AppData\Local\Temp\1396046564.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "gZ7GZFTFCsV2sDpvI23OnGkH.exe" /f & erase "C:\Users\Admin\Pictures\gZ7GZFTFCsV2sDpvI23OnGkH.exe" & exit

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "gZ7GZFTFCsV2sDpvI23OnGkH.exe" /f

C:\Users\Admin\Pictures\yfmXdpNkivJUbnAuaZluYQaB.exe

"C:\Users\Admin\Pictures\yfmXdpNkivJUbnAuaZluYQaB.exe"

C:\Users\Admin\AppData\Local\Temp\is-LOLHD.tmp\yfmXdpNkivJUbnAuaZluYQaB.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LOLHD.tmp\yfmXdpNkivJUbnAuaZluYQaB.tmp" /SL5="$402DC,491750,408064,C:\Users\Admin\Pictures\yfmXdpNkivJUbnAuaZluYQaB.exe"

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Users\Admin\AppData\Local\Temp\is-TMJJK.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-TMJJK.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\SEYMHOEBFL\lightcleaner.exe

"C:\Users\Admin\AppData\Local\Temp\SEYMHOEBFL\lightcleaner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\45-67a73-713-63eb2-2cbe5e67f7dca\ZHesuqumexo.exe

"C:\Users\Admin\AppData\Local\Temp\45-67a73-713-63eb2-2cbe5e67f7dca\ZHesuqumexo.exe"

C:\Users\Admin\AppData\Local\Temp\is-DVH90.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DVH90.tmp\lightcleaner.tmp" /SL5="$402F6,833775,56832,C:\Users\Admin\AppData\Local\Temp\SEYMHOEBFL\lightcleaner.exe" /VERYSILENT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 720

C:\Windows\syswow64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\1396046564.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1740

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s seclogon

C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe

"C:\Users\Admin\Pictures\GiUJViCydjGfFVcNHtTKixAA.exe"

C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe

"C:\Users\Admin\Pictures\P43FEYI0wbX8aYJwmZbRi4yB.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.20.67.143:443 pastebin.com tcp
DE 148.251.234.93:443 yip.su tcp

Files


MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

memory/1340-597-0x00007FF8688F0000-0x00007FF8692DC000-memory.dmp

memory/1340-599-0x0000021DDDAA0000-0x0000021DDDAB0000-memory.dmp

memory/1340-598-0x0000021DDDAA0000-0x0000021DDDAB0000-memory.dmp

memory/1340-600-0x0000021DDDAA0000-0x0000021DDDAB0000-memory.dmp

memory/1340-605-0x0000021DDDAA0000-0x0000021DDDAB0000-memory.dmp

C:\Users\Admin\Pictures\yfmXdpNkivJUbnAuaZluYQaB.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/4056-623-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\Pictures\yfmXdpNkivJUbnAuaZluYQaB.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\AppData\Local\Temp\is-LOLHD.tmp\yfmXdpNkivJUbnAuaZluYQaB.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

\Users\Admin\AppData\Local\Temp\is-TMJJK.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/4056-650-0x0000000000400000-0x000000000046A000-memory.dmp

memory/4600-652-0x00000000001F0000-0x00000000001F1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 e8d18f1f897b3e124f734f249bf0b130
SHA1 d6a5f451b3fd88a8b79a5f54894413b1907d1191
SHA256 55fe879adbf4e4ec51a09f49c9c4ca5fed2bafbc592a8e6b06f25b46903ac5fd
SHA512 c02d9da655b42dbbeab4b5175c611f6a0332c4ad1e0327c020bf2b54805b9e46db2c0775fa01485f84d350363e483791e64587c3d33bdf2ea3845560c17cd56e

memory/4272-715-0x0000000000FE0000-0x0000000001000000-memory.dmp

memory/3464-716-0x00007FF7049D0000-0x00007FF704F13000-memory.dmp

memory/5008-735-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-JVU2J.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/4600-763-0x0000000000400000-0x0000000000513000-memory.dmp

memory/3188-779-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4056-776-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050448361\installer_prefs_include.json

MD5 d9919c8620bff6e0cbd3ece3c1bb3279
SHA1 8d84e1d692e6f46208ee5fa2b2e7dc2e0fd3a0b9
SHA256 d5d623b49883eeb73ac66b37a88564a32b81b1a38cf7f9b680552274d3cf08fa
SHA512 5e6f20412482b29b929cfa485d79c2f2bb450f2f4d1ed5d3fb9d1586515fc16d4598390a50bb2135e0af6b464ec175fd89bb0e46383e2af5369653a7eed2f8da