Malware Analysis Report

2025-01-02 08:58

Sample ID 231005-kfky3sbe76
Target file
SHA256 7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74
Tags
amadey danabot fabookie glupteba vidar 4841d6b1839c4fa7c20ecc420b82b347 banker dropper evasion loader spyware stealer trojan upx xmrig discovery miner persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary


Danabot

Detect Fabookie payload

Amadey

xmrig

Glupteba payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba

Windows security bypass

Fabookie

UAC bypass

Vidar

Modifies boot configuration data using bcdedit

XMRig Miner payload

Downloads MZ/PE file

Drops file in Drivers directory

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Stops running service(s)

UPX packed file

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

.NET Reactor protector

Checks computer location settings

Drops startup file

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Looks up external IP address via web service

Checks whether UAC is enabled

Adds Run key to start application

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

System policy modification

Checks processor information in registry

Modifies system certificate store

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-05 08:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-05 08:32

Reported

2023-10-05 08:35

Platform

win7-20230831-en

Max time kernel

11s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Danabot

trojan banker danabot

Detect Fabookie payload


Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload


UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cPC9hNhTyFO35abVjeStYmbQ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApmRecf83L4AMdHAaxjDf9tt.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EUzVEVYOkbgtjMQHQe0pA03v.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sPoH4ufIKcG6eY75SdVZfwAE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QufULOE06TWRo721dzUVIKyd.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xENDCWHDYzB4yoBeskMpSihW.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xvBcyqOgzyM45Sqbu4mfLiqq.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AbhnG8q5MIqYhlyqe71v4mhr.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VGoGPzfNG5bLq4kb4ReyKNvO.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3024 set thread context of 1028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data omitted) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data omitted) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data omitted) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data omitted) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3024 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3024 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3024 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3024 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3024 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3024 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3024 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3024 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3024 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3024 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3024 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1028 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\82ihI7zX4zGieanrZqcoTvvn.exe
PID 1028 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\82ihI7zX4zGieanrZqcoTvvn.exe
PID 1028 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\82ihI7zX4zGieanrZqcoTvvn.exe
PID 1028 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\82ihI7zX4zGieanrZqcoTvvn.exe
PID 1028 wrote to memory of 1228 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\ydlZnq1wgMkqzxjOJDTBtqSI.exe
PID 1028 wrote to memory of 1228 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\ydlZnq1wgMkqzxjOJDTBtqSI.exe
PID 1028 wrote to memory of 1228 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\ydlZnq1wgMkqzxjOJDTBtqSI.exe
PID 1028 wrote to memory of 1228 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\ydlZnq1wgMkqzxjOJDTBtqSI.exe
PID 2736 wrote to memory of 1004 N/A C:\Users\Admin\Pictures\82ihI7zX4zGieanrZqcoTvvn.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2736 wrote to memory of 1004 N/A C:\Users\Admin\Pictures\82ihI7zX4zGieanrZqcoTvvn.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2736 wrote to memory of 1004 N/A C:\Users\Admin\Pictures\82ihI7zX4zGieanrZqcoTvvn.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2736 wrote to memory of 1004 N/A C:\Users\Admin\Pictures\82ihI7zX4zGieanrZqcoTvvn.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1028 wrote to memory of 2272 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\System32\cmd.exe
PID 1028 wrote to memory of 2272 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\System32\cmd.exe
PID 1028 wrote to memory of 2272 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\System32\cmd.exe
PID 1028 wrote to memory of 2272 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\System32\cmd.exe
PID 1028 wrote to memory of 2972 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\d27EBzyaEEuj6wMk4Klv9m6o.exe
PID 1028 wrote to memory of 2972 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\d27EBzyaEEuj6wMk4Klv9m6o.exe
PID 1028 wrote to memory of 2972 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\d27EBzyaEEuj6wMk4Klv9m6o.exe
PID 1028 wrote to memory of 2972 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\d27EBzyaEEuj6wMk4Klv9m6o.exe
PID 1028 wrote to memory of 680 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\qpLBSpTrzuttxCBlnBTpNW0F.exe
PID 1028 wrote to memory of 680 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\qpLBSpTrzuttxCBlnBTpNW0F.exe
PID 1028 wrote to memory of 680 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\qpLBSpTrzuttxCBlnBTpNW0F.exe
PID 1028 wrote to memory of 680 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\qpLBSpTrzuttxCBlnBTpNW0F.exe
PID 1028 wrote to memory of 1408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\FYhYcCmQEhaAcLrNfUkEIC9s.exe
PID 1028 wrote to memory of 1408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\FYhYcCmQEhaAcLrNfUkEIC9s.exe
PID 1028 wrote to memory of 1408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\FYhYcCmQEhaAcLrNfUkEIC9s.exe
PID 1028 wrote to memory of 1408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\FYhYcCmQEhaAcLrNfUkEIC9s.exe
PID 1028 wrote to memory of 1408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\FYhYcCmQEhaAcLrNfUkEIC9s.exe
PID 1028 wrote to memory of 1408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\FYhYcCmQEhaAcLrNfUkEIC9s.exe
PID 1028 wrote to memory of 1408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\FYhYcCmQEhaAcLrNfUkEIC9s.exe
PID 1004 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\system32\schtasks.exe
PID 1004 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\system32\schtasks.exe
PID 1004 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\system32\schtasks.exe
PID 1004 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\system32\schtasks.exe
PID 1028 wrote to memory of 2436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\B6tCsATFLsmdMmb0mDZ5v41y.exe
PID 1028 wrote to memory of 2436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\B6tCsATFLsmdMmb0mDZ5v41y.exe
PID 1028 wrote to memory of 2436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\B6tCsATFLsmdMmb0mDZ5v41y.exe
PID 1028 wrote to memory of 2436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\B6tCsATFLsmdMmb0mDZ5v41y.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Pictures\82ihI7zX4zGieanrZqcoTvvn.exe

"C:\Users\Admin\Pictures\82ihI7zX4zGieanrZqcoTvvn.exe"

C:\Users\Admin\Pictures\ydlZnq1wgMkqzxjOJDTBtqSI.exe

"C:\Users\Admin\Pictures\ydlZnq1wgMkqzxjOJDTBtqSI.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\Pictures\d27EBzyaEEuj6wMk4Klv9m6o.exe

"C:\Users\Admin\Pictures\d27EBzyaEEuj6wMk4Klv9m6o.exe"

C:\Users\Admin\Pictures\qpLBSpTrzuttxCBlnBTpNW0F.exe

"C:\Users\Admin\Pictures\qpLBSpTrzuttxCBlnBTpNW0F.exe"

C:\Users\Admin\Pictures\DRHTugATuokwrRuAgxFdEzqq.exe

"C:\Users\Admin\Pictures\DRHTugATuokwrRuAgxFdEzqq.exe"

C:\Users\Admin\Pictures\FYhYcCmQEhaAcLrNfUkEIC9s.exe

"C:\Users\Admin\Pictures\FYhYcCmQEhaAcLrNfUkEIC9s.exe" --silent --allusers=0

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\Pictures\B6tCsATFLsmdMmb0mDZ5v41y.exe

"C:\Users\Admin\Pictures\B6tCsATFLsmdMmb0mDZ5v41y.exe"

C:\Users\Admin\Pictures\dxmJOls5p0KJWvxbo0u0I68x.exe

"C:\Users\Admin\Pictures\dxmJOls5p0KJWvxbo0u0I68x.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\is-M9EL5.tmp\dxmJOls5p0KJWvxbo0u0I68x.tmp

"C:\Users\Admin\AppData\Local\Temp\is-M9EL5.tmp\dxmJOls5p0KJWvxbo0u0I68x.tmp" /SL5="$80124,491750,408064,C:\Users\Admin\Pictures\dxmJOls5p0KJWvxbo0u0I68x.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Users\Admin\Pictures\YXNEgRG5S5Ct8EHAii8o329A.exe

"C:\Users\Admin\Pictures\YXNEgRG5S5Ct8EHAii8o329A.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Users\Admin\Pictures\OkaoLpHLhEFdtnGUaUwBh3Bv.exe

"C:\Users\Admin\Pictures\OkaoLpHLhEFdtnGUaUwBh3Bv.exe"

C:\Users\Admin\AppData\Local\Temp\is-S9REO.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-S9REO.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\system32\taskeng.exe

taskeng.exe {DB13C958-D479-493A-87F1-66CC9E57F3B9} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\0508201339.exe"

C:\Users\Admin\AppData\Local\Temp\0508201339.exe

"C:\Users\Admin\AppData\Local\Temp\0508201339.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "ydlZnq1wgMkqzxjOJDTBtqSI.exe" /f & erase "C:\Users\Admin\Pictures\ydlZnq1wgMkqzxjOJDTBtqSI.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "ydlZnq1wgMkqzxjOJDTBtqSI.exe" /f

C:\Users\Admin\AppData\Local\Temp\b0-53ce6-9a0-4378b-df06a4cc63eb8\Tymywexyshae.exe

"C:\Users\Admin\AppData\Local\Temp\b0-53ce6-9a0-4378b-df06a4cc63eb8\Tymywexyshae.exe"

C:\Program Files\Internet Explorer\QGZLZCZIWF\lightcleaner.exe

"C:\Program Files\Internet Explorer\QGZLZCZIWF\lightcleaner.exe" /VERYSILENT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 384

C:\Users\Admin\AppData\Local\Temp\is-CNPN9.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CNPN9.tmp\lightcleaner.tmp" /SL5="$800F4,833775,56832,C:\Program Files\Internet Explorer\QGZLZCZIWF\lightcleaner.exe" /VERYSILENT

C:\Windows\syswow64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\0508201339.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231005083330.log C:\Windows\Logs\CBS\CbsPersist_20231005083330.cab

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\Pictures\d27EBzyaEEuj6wMk4Klv9m6o.exe

"C:\Users\Admin\Pictures\d27EBzyaEEuj6wMk4Klv9m6o.exe"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Users\Admin\Pictures\YXNEgRG5S5Ct8EHAii8o329A.exe

"C:\Users\Admin\Pictures\YXNEgRG5S5Ct8EHAii8o329A.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

Network


Files

memory/3024-1-0x00000000741D0000-0x00000000748BE000-memory.dmp

memory/3024-0-0x0000000000CF0000-0x0000000000D38000-memory.dmp

memory/3024-2-0x0000000004E40000-0x0000000004E80000-memory.dmp

memory/3024-3-0x0000000000230000-0x0000000000258000-memory.dmp

memory/3024-4-0x0000000000370000-0x000000000038A000-memory.dmp

memory/1028-7-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1028-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3024-12-0x00000000741D0000-0x00000000748BE000-memory.dmp

memory/1028-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1716-13-0x000000006F1C0000-0x000000006F76B000-memory.dmp

memory/1716-15-0x0000000002370000-0x00000000023B0000-memory.dmp

memory/1716-14-0x000000006F1C0000-0x000000006F76B000-memory.dmp

memory/1716-16-0x0000000002370000-0x00000000023B0000-memory.dmp

memory/1716-17-0x000000006F1C0000-0x000000006F76B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4C5E.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar4D1C.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40f253a4f492017ef5f9f448e7b3c054
SHA1 c498a7368e20c654094cc5c0ebca41f403580139
SHA256 6c9ed7be8f35957ac5512cea10ec9db0c058997ab8e0bf52fa2cdf8e8e0e71b1
SHA512 3a9157f4f76a8ff3d88be395c16de5522f68afad9a9e7421b27c1f2ebb49e13d44164b9e065d69cfdd473043b9ce4dddefe65d95c96a6a49c6fb621bb3c02740

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 007123d0d166176fe81911899e836b01
SHA1 122fe3c3ca6f560331f154324d4cbfb4c547292b
SHA256 9630a74ae0af781f2c20928ecc20facf24ee2591c3e4d3b597fbaa81451c5618
SHA512 d0ef87b71ea7c9ff33f2a5615fc395bcd68b99a1ed1c37ca3b22b3621699c9a9c18a3457c827d3c8a99dc675b6a41460e13de6dc4a05126573c18a6341e4f881

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 d4ae187b4574036c2d76b6df8a8c1a30
SHA1 b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256 a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA512 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

\Users\Admin\Pictures\82ihI7zX4zGieanrZqcoTvvn.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\82ihI7zX4zGieanrZqcoTvvn.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\Pictures\ydlZnq1wgMkqzxjOJDTBtqSI.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\Pictures\ydlZnq1wgMkqzxjOJDTBtqSI.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\Pictures\ydlZnq1wgMkqzxjOJDTBtqSI.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\Pictures\82ihI7zX4zGieanrZqcoTvvn.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\Pictures\ydlZnq1wgMkqzxjOJDTBtqSI.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ba962626456f2b4336fef315f2cdda3
SHA1 66c1859bfc53b974d6a31f4350523779046180f2
SHA256 c2daa742e51960b03ecbd22473c6bcc320879f1b032e347e6457b973cb91b928
SHA512 ecfd6557f89ef1ca75ad6ae51f9b8535c6338abc8adbb27e2025380696aadd94b460cd388f9f004326259d54f773c79ae90b9870878fe2d2c83f75a06ad898f9

C:\Users\Admin\Pictures\82ihI7zX4zGieanrZqcoTvvn.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbcf91d136d381d6c6655aa101693e2e
SHA1 cc9932b28090937575468a528816cb4441571f09
SHA256 927d81975b77250865024eb0ef43ece92b01e6630e1eeace98b223c6fc23b847
SHA512 9ba85b811ace14f3dd7c76dae81c9dd2c146a0f3f1c73d550a9a9485e199d60d3fd6f3d01f626fe926796a5b0443085e92b8fde10b0d15399be3977537691398

\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\Pictures\DRHTugATuokwrRuAgxFdEzqq.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

C:\Users\Admin\Pictures\d27EBzyaEEuj6wMk4Klv9m6o.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

memory/2972-201-0x0000000002690000-0x0000000002A88000-memory.dmp

C:\Users\Admin\Pictures\d27EBzyaEEuj6wMk4Klv9m6o.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

\Users\Admin\Pictures\d27EBzyaEEuj6wMk4Klv9m6o.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

C:\Users\Admin\Pictures\DRHTugATuokwrRuAgxFdEzqq.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

C:\Users\Admin\Pictures\DRHTugATuokwrRuAgxFdEzqq.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

\Users\Admin\Pictures\DRHTugATuokwrRuAgxFdEzqq.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

C:\Users\Admin\Pictures\FYhYcCmQEhaAcLrNfUkEIC9s.exe

MD5 428068d4fcc466854296cb51ff67e188
SHA1 311c2cc47e5728f83ee75710b6eaa5db3369e8fd
SHA256 22bfdbd13653399050bff038b0bff024c6b22be34ffe9ec0518e3e69b35613b3
SHA512 57173140913a6360a7e9f705af1651e0fbb7566033b4a5504efcbad15c906a6168c7d7af9def2a0ffb3df85cfab31be714eef405628971394717d575d95ce915

memory/1028-209-0x0000000009EF0000-0x000000000A43D000-memory.dmp

\Users\Admin\Pictures\FYhYcCmQEhaAcLrNfUkEIC9s.exe

MD5 428068d4fcc466854296cb51ff67e188
SHA1 311c2cc47e5728f83ee75710b6eaa5db3369e8fd
SHA256 22bfdbd13653399050bff038b0bff024c6b22be34ffe9ec0518e3e69b35613b3
SHA512 57173140913a6360a7e9f705af1651e0fbb7566033b4a5504efcbad15c906a6168c7d7af9def2a0ffb3df85cfab31be714eef405628971394717d575d95ce915

C:\Users\Admin\Pictures\FYhYcCmQEhaAcLrNfUkEIC9s.exe

MD5 428068d4fcc466854296cb51ff67e188
SHA1 311c2cc47e5728f83ee75710b6eaa5db3369e8fd
SHA256 22bfdbd13653399050bff038b0bff024c6b22be34ffe9ec0518e3e69b35613b3
SHA512 57173140913a6360a7e9f705af1651e0fbb7566033b4a5504efcbad15c906a6168c7d7af9def2a0ffb3df85cfab31be714eef405628971394717d575d95ce915

memory/1408-215-0x0000000000D70000-0x00000000012BD000-memory.dmp

\Users\Admin\Pictures\d27EBzyaEEuj6wMk4Klv9m6o.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

C:\Users\Admin\Pictures\B6tCsATFLsmdMmb0mDZ5v41y.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

\Users\Admin\Pictures\B6tCsATFLsmdMmb0mDZ5v41y.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/2436-228-0x00000000FF840000-0x00000000FF92C000-memory.dmp

\Users\Admin\Pictures\B6tCsATFLsmdMmb0mDZ5v41y.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\B6tCsATFLsmdMmb0mDZ5v41y.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050832489211408.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

\Users\Admin\Pictures\dxmJOls5p0KJWvxbo0u0I68x.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3690b0570568e08e36e802452b6cc4a
SHA1 a2aaa7178c9375aa3e75f57ecdea84462da382d9
SHA256 7e0a31cc667301f659ce22adf0f64dc2c5a7aa5140aef44ebba50543ffe056b6
SHA512 666002f5a5f0da5b0c4d2a189fc0828dc2e36666c799ef18f55b06a6e57dfa161a38cd69e9b1a90254d19711f8c3ab275c31b3aaadbae88721cde164319cd1b6

C:\Users\Admin\Pictures\qpLBSpTrzuttxCBlnBTpNW0F.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

\Users\Admin\Pictures\qpLBSpTrzuttxCBlnBTpNW0F.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c7672ccd3ed230fd8732a75032db460
SHA1 4c9dae8b32b1a957d2fc065cdbb77f4fa48dccc3
SHA256 9e897fb361d6b0930c9c9a94dfb845a59b8e7c39ffbb9782a9cc05594f3bd17d
SHA512 bfc05de68aaba2ba123d3aa2abad23577e320eb659f9612895c096094f3631d8a09a63f4b50d9019dea1ed52d202613cfe0f4f1f92de1d2d5479ef24a2f8f44d

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\dxmJOls5p0KJWvxbo0u0I68x.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\dxmJOls5p0KJWvxbo0u0I68x.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/2200-308-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\Pictures\dxmJOls5p0KJWvxbo0u0I68x.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\AppData\Local\Temp\is-M9EL5.tmp\dxmJOls5p0KJWvxbo0u0I68x.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

\Users\Admin\AppData\Local\Temp\is-M9EL5.tmp\dxmJOls5p0KJWvxbo0u0I68x.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

memory/1704-342-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-S9REO.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-S9REO.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-S9REO.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\AppData\Local\Temp\864526563203

MD5 4801814dcc88ef7d87418948b0227c89
SHA1 cd5b5cb81840cc847766086a1d1eba4e68e28801
SHA256 a69f82665a96ffcf476558ed892ff18da3e6913820429a9e067e1cea10ad7c73
SHA512 e510cf306ef53677d96aa1fd0783a0a5bf08047fa747c84110aa14f7d49c9227a9bcfa47ccd9459649e6a4648e978c5efb55491b70d62759efcb169010a6162b

C:\Users\Admin\Pictures\YXNEgRG5S5Ct8EHAii8o329A.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

memory/2292-371-0x0000000002870000-0x0000000002C68000-memory.dmp

C:\Users\Admin\Pictures\YXNEgRG5S5Ct8EHAii8o329A.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

\Users\Admin\Pictures\YXNEgRG5S5Ct8EHAii8o329A.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

C:\Users\Admin\Pictures\OkaoLpHLhEFdtnGUaUwBh3Bv.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\OkaoLpHLhEFdtnGUaUwBh3Bv.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

memory/1316-378-0x0000000000130000-0x000000000044C000-memory.dmp

memory/1316-377-0x0000000074130000-0x000000007481E000-memory.dmp

C:\Users\Admin\Pictures\OkaoLpHLhEFdtnGUaUwBh3Bv.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

\Users\Admin\Pictures\OkaoLpHLhEFdtnGUaUwBh3Bv.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d3890d9584ed2feca94dbeb28529bed
SHA1 9309fdc4847658b5a373f78203c9ef2b586b5079
SHA256 22b76cecc3ea18ce5fc78193ec2f32def08387579720ec75ce13d61fa7cd6943
SHA512 5a3c43daffed5adbb266a814e38c0bfd0fc6d77af006aebd7348f04d370dde95b0602e1ead5b96e7270b844252ba02689ba1c272c0641dad9183284f2284fee5

\Users\Admin\Pictures\YXNEgRG5S5Ct8EHAii8o329A.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 511b1bc76b900b0fa9bdd7f95e42afab
SHA1 8967214b4ea94ed1d6476033e3f265150f43594c
SHA256 22f39ae9287c93138db63b5dbaa4b5fcdc871d3404fd8131d67c161d9dc813f5
SHA512 950a0a2d2cb719917e2edcb756c166062b83c0fff028416acb6d4fc2150c879124aae536a5100ff6e0f645ff76dbc84313a87686bfe3ea50dd847150a83232d8

memory/1028-419-0x0000000009EF0000-0x000000000A43D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5530e3479c67be9d364293b67534e50
SHA1 99349575ad49bf704782062093c606064fddcc4a
SHA256 a3bcb8bb345b0993c7a3adfedd023e0ac427cc94d1b6b447113233f707723b30
SHA512 60676a2311a4e5bc685b235f8d35b87374a1d76df081144a44b16d423a1f4790c86372bf2ffe5cdf90e7bc4c40bec3afe4bcf64a30964fcfe8423421a7da78c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 18f625e656d3ea1078976fbf05cea1ac
SHA1 2a1003a51511ac5c7f1655283698a00bdaa886a8
SHA256 1b4ebbb4620b737d66d6fea849c53fdd9ba6f65f051689ebf26d17634f2090eb
SHA512 cf76015901ba957eda862ec14e57bbe77bf7b24b5a4ade185e4238c2963c66a42594b5bbe3402a83c11abb8cf8ab2ec6ae9f25636fddf75490ce44b28dc226f0

memory/680-446-0x000000013F860000-0x000000013FDA3000-memory.dmp

memory/1408-447-0x0000000000D70000-0x00000000012BD000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-S9REO.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Local\Temp\is-S9REO.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Local\Temp\is-S9REO.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/2948-454-0x0000000000900000-0x0000000000984000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4040311ab1d2ce8ce38ddba7d70a399f
SHA1 931a3808cc091a5d31038b044862a6cb526fe39b
SHA256 798f0b444d5a69e76cbc3dafe7dde443f0e3c6e81518d4078db8bf80c37ee1ee
SHA512 e3f8f63f1ca8c3e7070fb76b4950e92a409003de52a636292ef0be8d6c04ccda95219f4b8841d5cf3926064ce441acb3e805910c12d29646f299cabe2bd0d7b3

memory/2948-465-0x0000000000150000-0x00000000001B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4RD0S0FNMYYPGZ5NV1K4.temp

MD5 e4aa31407c0d4f9578979278d0285968
SHA1 0af4ad79832c3ae3f5c302c755a4d4db79ce51a3
SHA256 6d6ef417af28e40e5e7fcd76c338f39e55eb8b9ed729a9fd7ded6e908ae40ae3
SHA512 b9202e19f293f49b36c3d4a507f8db471198b57349b60f679097f5fcc753345c851dcb60d307c8f64650bd83e846b2181948c50adca4b85ed18efde31dfa11a0

memory/2540-481-0x000000001B1A0000-0x000000001B482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

memory/2540-483-0x00000000022A0000-0x00000000022A8000-memory.dmp

\Users\Admin\Pictures\Opera_installer_2310050833036471408.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/2540-488-0x000007FEF2690000-0x000007FEF302D000-memory.dmp

memory/2540-490-0x000000000249B000-0x0000000002502000-memory.dmp

memory/2540-489-0x0000000002494000-0x0000000002497000-memory.dmp

memory/2948-491-0x0000000000880000-0x00000000008DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

memory/680-497-0x000000013F860000-0x000000013FDA3000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\qpLBSpTrzuttxCBlnBTpNW0F.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e7fc2e1d770083306af05ece327f45e
SHA1 55ca03d05e48fa31c28d2bb8d1f031d439ebd379
SHA256 b19ba902bc60ef724b35ffaa4906104d06143bfa1b0001477356d3c6609ba987
SHA512 1a77e81792f0faeaf0bed3133e20bdbc8cd712d7caa0c8770698fb0ff2329199052a353b10eb903d89e27f5fdc1ad8ba146a27fd8bf2b4583dd7de2cc9740b1d

\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

\Users\Admin\AppData\Local\Temp\0508201339.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

C:\Users\Admin\AppData\Local\Temp\0508201339.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

memory/240-514-0x0000000002340000-0x00000000027A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0508201339.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

\Users\Admin\AppData\Local\Temp\0508201339.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 804511a4bad928554bee8f0069eec2d4
SHA1 7af7c21723b102ab10852dbb642875d2c0194d2c
SHA256 7b26d0ec231e43ddbdcbad94aa8b36d225129293eb6baae8b2a8b03a113c1b3a
SHA512 a22df954d7219bc5375ffcaabe375ed6a54eff2741ee8f66e87918fe07b4db993eeb27939f4721a7a76cb824c3113ac1e5f5f395e0703170dd22f438bc1c14f6

memory/1228-554-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/1228-555-0x0000000000A63000-0x0000000000A87000-memory.dmp

memory/1228-556-0x0000000000220000-0x000000000025E000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d39c4ff4ec609802a3587e420b2f183e
SHA1 9e2923dafd4b948bafe53b5e035674acef22fbdc
SHA256 ab0d8ceb1113f806c0477542a21a7063646d2ae2f36ad978a43260120b2d8cde
SHA512 9e942ee3fb09fd6cdb7e59fc71cf1c9baf4e4a66e2198c4dfceae01345125e97fb66d2d54dcc0952c6fcdc56e682e1439ed6cebb6e8edbded6c6a76c748e42ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a6be231d66ff5a0fedde6046b948604
SHA1 b2d7f85765ab03cc02c71d4822bd39528d9afaf1
SHA256 26d73caacaf76e5f14a057fe02f493eef80a18a2fd81b8e13ea6ee857a633700
SHA512 e1f3b9b7d5b4a58e8a54f3ca982f4c2e55ea4adfe86b2e16796cb83ede1408dbf04f03257b982bd3f5491c804aa34e2ca9cd5cd7a512314d8c9ba67456b6c4c0

C:\Users\Admin\Pictures\d27EBzyaEEuj6wMk4Klv9m6o.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

C:\Users\Admin\Pictures\ydlZnq1wgMkqzxjOJDTBtqSI.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bfe64d6e3a082d2dd5f9505b2d563610
SHA1 2f75f315f4fefc4ef6f6d1ac9bd35289fccd56de
SHA256 ab4899aadf15318cde2887dea81e3c7bbaffb83c1c0c748be716f62b869d8273
SHA512 e30852b8f93af753d4ad0a3712287f80b3283055ad5570aaa0bb316c268188ef28ca12a5ba3d2e0852123a77ceb1bbc6dbb1bd811230dfb3b9dc00935237ba0b

C:\Users\Admin\Pictures\YXNEgRG5S5Ct8EHAii8o329A.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

memory/2272-610-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\25840417702812013277887363

MD5 01f2acb6e6f16f4fe0ccccc34df6c63c
SHA1 96e95fece952611a918795123267adf1d6e9fa0a
SHA256 37ecf45ee954a12e4d53a11db087a7deb28fd18754be6cd0e2434a14db69484d
SHA512 2e2ccf9f0c7e99fca386af0e5c671dd2c70308f48b2ebaa942a2dc2f0f893ba0ebf88c814a771558f1e694bdc12caa76800ef55649a1422d71046d6e2c961d57

memory/2272-656-0x0000000000280000-0x00000000002D1000-memory.dmp

memory/2272-655-0x0000000000A53000-0x0000000000A81000-memory.dmp

memory/2272-654-0x0000000000400000-0x00000000005C2000-memory.dmp

memory/1408-665-0x0000000000D70000-0x00000000012BD000-memory.dmp

memory/240-667-0x0000000000400000-0x0000000000A00000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3de852a0fa8e4ecf436f21289ce087dc
SHA1 6544f166c6d57a613924808cd37c3b4d2ebe870e
SHA256 94373a9c508f945e464bf7c3ee796c673c84664eeb3dc2c0fb8bb45720e6225a
SHA512 dda3b2a81735bacb3aa04c917746742eeeaf1b12055553aabf1f13b22c4e2651bccbd68ddb2172ee0de6464b0253e7ff5a34a1ee3e3fcb2dc1fd2e48e495e166

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 61431ca4bef828b78e1d2a3b804a7d78
SHA1 d5ac90f90c8c35fa5c43e0e6c40375f4c808aed4
SHA256 90b3938415b08b10f53b69d93e4cdc63ba25d194f5a8fc2ca3df53614d211392
SHA512 ebd2796986a056346d2299037caa209d119c957febcc3f82af2729b110c0a59c43efd8a9fb32e26838343a28fbf5e1b34bdaadfc1c17d51ae60d383a93ccbb72

memory/2560-763-0x0000000000400000-0x0000000000414000-memory.dmp

memory/240-764-0x0000000003560000-0x0000000003D52000-memory.dmp

memory/240-769-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

memory/240-770-0x0000000003EF0000-0x0000000004030000-memory.dmp

memory/240-772-0x0000000003EF0000-0x0000000004030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SJB39.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/240-775-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/240-778-0x0000000003EF0000-0x0000000004030000-memory.dmp

memory/240-792-0x0000000003EF0000-0x0000000004030000-memory.dmp

memory/240-797-0x0000000000D60000-0x0000000000D61000-memory.dmp

memory/240-807-0x0000000003EF0000-0x0000000004030000-memory.dmp

memory/1372-796-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2560-808-0x0000000000400000-0x0000000000414000-memory.dmp

memory/240-809-0x0000000003EF0000-0x0000000004030000-memory.dmp

memory/240-810-0x0000000003560000-0x0000000003D52000-memory.dmp

memory/240-820-0x0000000003EF0000-0x0000000004030000-memory.dmp

memory/240-819-0x0000000000D70000-0x0000000000D71000-memory.dmp

memory/240-821-0x0000000003EF0000-0x0000000004030000-memory.dmp

memory/2836-822-0x0000000000430000-0x0000000000B02000-memory.dmp

memory/240-825-0x0000000003560000-0x0000000003D52000-memory.dmp

memory/240-855-0x0000000000400000-0x0000000000A00000-memory.dmp

memory/240-856-0x0000000002340000-0x00000000027A4000-memory.dmp

memory/240-857-0x00000000027B0000-0x0000000002C77000-memory.dmp

memory/2836-858-0x0000000000400000-0x0000000000401000-memory.dmp

memory/240-860-0x0000000002E10000-0x0000000003288000-memory.dmp

memory/2836-862-0x0000000002610000-0x0000000002E02000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7b94c2e8fcb19908636dfcc46575e75
SHA1 614704184111eb68cc49be6bee52ab9783605e70
SHA256 a736026d44edd5ae5c1777300ce409830df0214c1a14ed5c2fd7154449b20274
SHA512 e42d38bd0b97fc94fc0e891d193c85e2cc1a04797b70df475cff82d208fa9b95d600115c65b6f2dd60547d892d607337919dea8b86053c5013157201fba5b080

memory/240-863-0x0000000003561000-0x0000000003D52000-memory.dmp

memory/2836-865-0x0000000002610000-0x0000000002E02000-memory.dmp

memory/2836-861-0x0000000002E10000-0x0000000002F50000-memory.dmp

memory/2836-859-0x0000000002E10000-0x0000000002F50000-memory.dmp

memory/2836-911-0x0000000002610000-0x0000000002E02000-memory.dmp

memory/2836-912-0x0000000002610000-0x0000000002E02000-memory.dmp

memory/2948-913-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

memory/2200-922-0x0000000000400000-0x000000000046A000-memory.dmp

memory/1108-928-0x0000000019B90000-0x0000000019E72000-memory.dmp

memory/1108-932-0x0000000000F70000-0x0000000000FF0000-memory.dmp

memory/1108-931-0x0000000000D70000-0x0000000000D78000-memory.dmp

memory/1108-935-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

memory/1316-936-0x0000000005DA0000-0x0000000005DE0000-memory.dmp

memory/1108-937-0x0000000000F70000-0x0000000000FF0000-memory.dmp

memory/2436-938-0x0000000003270000-0x00000000033E1000-memory.dmp

memory/2436-939-0x00000000033F0000-0x0000000003521000-memory.dmp

memory/2292-940-0x0000000002870000-0x0000000002C68000-memory.dmp

memory/2292-941-0x0000000002C70000-0x000000000355B000-memory.dmp

memory/2836-955-0x0000000002610000-0x0000000002E02000-memory.dmp

memory/1108-954-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

memory/2292-957-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1108-956-0x0000000000F7B000-0x0000000000FE2000-memory.dmp

memory/2836-953-0x0000000000430000-0x0000000000B02000-memory.dmp

memory/1872-958-0x000000006CAA0000-0x000000006D04B000-memory.dmp

memory/2972-959-0x0000000002690000-0x0000000002A88000-memory.dmp

memory/2972-960-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1180-962-0x0000000002830000-0x0000000002831000-memory.dmp

memory/1872-961-0x00000000003F0000-0x0000000000430000-memory.dmp

memory/2292-969-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/2972-970-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1316-975-0x0000000074130000-0x000000007481E000-memory.dmp

memory/2656-977-0x00000000004B0000-0x00000000004D0000-memory.dmp

memory/2656-976-0x00000000002D0000-0x00000000002F0000-memory.dmp

memory/1316-978-0x0000000005DA0000-0x0000000005DE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-05 08:32

Reported

2023-10-05 08:35

Platform

win10v2004-20230915-en

Max time kernel

136s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-SO17V.tmp\8758677____.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-SO17V.tmp\8758677____.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\fkRKXn8A75uIypa33o63cZmP.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WsLr62njBHqaX8HIeZAckld7.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LGdKNKuN8QHGYeIO6Icy6arj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4F43GhBaTO8FRsh6lE5uqUC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jumiSuj0wARas3u5BDbeBpmV.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zWPNpmdPFHwutHcohEV3P5C0.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z0veiDJV5nfweihXMMdIIwoO.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lAtKKcuBfIbIYoGg2Ug30RuR.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NZhL08fTQbkWP9fxGiRu1Ncl.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfAJcT04HRqJjZAi6F38AeFr.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QQaxsmmcNOJyuBuIA7PuXPAS.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dmqszZC9UUYwX2LRbXkqEcHh.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GKf4QWJlUIX1H2SfHNUDujvz.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zdZWZdsFpyZuuoyMWBzWrlfI.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\fkRKXn8A75uIypa33o63cZmP.exe N/A
N/A N/A C:\Users\Admin\Pictures\V71tkHLqHhwEkCkgCNMAOQRD.exe N/A
N/A N/A C:\Users\Admin\Pictures\IDQWvVVvY4eJTT4pmH6mbRRQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe N/A
N/A N/A C:\Users\Admin\Pictures\WqECWfD5FXHSdaK7Fn34puIm.exe N/A
N/A N/A C:\Users\Admin\Pictures\fYlZk043JZTSEYiwXhIPG3Ed.exe N/A
N/A N/A C:\Users\Admin\Pictures\qE1aTSnAJwC07qDHLeZOqPWB.exe N/A
N/A N/A C:\Users\Admin\Pictures\Ygv7ST2F6ZFlAnH3fKjXzIbo.exe N/A
N/A N/A C:\Users\Admin\Pictures\aHzHxZXmicww2ABmRWrb374l.exe N/A
N/A N/A C:\Users\Admin\Pictures\PknD4cGukChNCeo4PS3rKaDf.exe N/A
N/A N/A C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R00EL.tmp\aHzHxZXmicww2ABmRWrb374l.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PPGD8.tmp\PknD4cGukChNCeo4PS3rKaDf.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\9qCwPGsBZN5QBoVnnIGt1ZJN.exe N/A
N/A N/A C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-I9MCH.tmp\_isetup\_setup64.tmp N/A
N/A N/A C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SO17V.tmp\8758677____.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3-69407-d4b-b3d9e-d9a88f3b4ce7d\Lyxozhonaegu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILDYHJSIIG\lightcleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\assistant_installer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigitalPulse = "\"C:\\Users\\Admin\\AppData\\Roaming\\DigitalPulse\\DigitalPulseService.exe\" 5333:::clickId=:::srcId=" C:\Users\Admin\AppData\Local\Temp\is-PPGD8.tmp\PknD4cGukChNCeo4PS3rKaDf.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Hilupugice.exe\"" C:\Users\Admin\AppData\Local\Temp\is-SO17V.tmp\8758677____.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2504 set thread context of 644 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 1036 set thread context of 4960 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 1036 set thread context of 2012 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe
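The rows in the tables above (UAC bypass, Windows security bypass and Windows security modification, Drops startup file, Adds Run key to start application, Drops file in Drivers directory, Checks computer location settings, Suspicious use of SetThreadContext) all share the same four-column layout, so they can be post-processed mechanically. The following is an added example, not part of this report or of the sandbox that produced it: it parses rows in the report's own layout, copied verbatim into SAMPLE_ROWS, and applies a small rule set. The rule names, severities and ATT&CK technique mapping are our own assumptions, not the sandbox's.

```python
"""Rule-based triage of sandbox signature rows.

Added example, not part of this report or of the sandbox's own code. The rows
in SAMPLE_ROWS are copied from the behavioral2 tables above; the parser, the
rule set and the ATT&CK mapping are our own assumptions about how such rows
can be post-processed, not something the report itself states.
"""
import re
from dataclasses import dataclass

# Rows exactly as the report prints them: Description, Indicator, Process and
# Target separated by single spaces, with N/A for an empty column.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WsLr62njBHqaX8HIeZAckld7.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Hilupugice.exe\"" C:\Users\Admin\AppData\Local\Temp\is-SO17V.tmp\8758677____.exe N/A',
    r'PID 1036 set thread context of 2012 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe',
    r'File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-SO17V.tmp\8758677____.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A',
]

# The Process column is the right-most .exe/.tmp path that is followed by the
# Target column (N/A or another path). Paths contain spaces and the Indicator
# may itself embed a path, so the greedy prefix is what makes the right-most
# candidate win.
PROC_RE = re.compile(r"^.*\s(?P<process>C:\\.+?\.(?:exe|tmp))\s+(?P<target>N/A|C:\\.+)$")


def split_row(row):
    """Return (head, process, target); head is Description plus Indicator."""
    m = PROC_RE.match(row)
    if not m:
        return row, None, None
    return row[: m.start("process")].rstrip(), m.group("process"), m.group("target")


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str  # ATT&CK technique ID (our mapping, an assumption)
    severity: str
    pattern: re.Pattern  # matched against the head; optional group "detail"


RULES = [
    Rule("UAC disabled (EnableLUA=0)", "T1548.002", "high",
         re.compile(r'^Set value \(int\) .*\\Policies\\System\\EnableLUA = "0"$')),
    Rule("Defender path exclusion added", "T1562.001", "high",
         re.compile(r'^Set value \(int\) .*\\Windows Defender\\Exclusions\\Paths\\(?P<detail>.+) = "0"$')),
    Rule("Startup folder persistence", "T1547.001", "medium",
         re.compile(r'^File created (?P<detail>.*\\Start Menu\\Programs\\Startup\\.+)$')),
    Rule("Run/RunOnce key persistence", "T1547.001", "medium",
         re.compile(r'^Set value \(str\) .*\\CurrentVersion\\(?:Run|RunOnce)\\(?P<detail>.+)$')),
    Rule("Thread context hijack (injection)", "T1055", "high",
         re.compile(r'^PID \d+ set thread context of \d+')),
    Rule("hosts file tampering", "T1565.001", "medium",
         re.compile(r'^File opened for modification (?P<detail>.*\\drivers\\etc\\hosts)$', re.I)),
    Rule("Geo\\Nation location check", "T1614", "low",
         re.compile(r'^Key value queried .*\\Control Panel\\International\\Geo\\Nation$')),
]


def analyze(rows):
    """Apply every rule to every row; one finding per (row, rule) hit."""
    findings = []
    for row in rows:
        head, process, target = split_row(row)
        for rule in RULES:
            m = rule.pattern.search(head)
            if not m:
                continue
            # Detail is the captured group, else the Target (e.g. the process
            # whose thread context was overwritten in SetThreadContext rows).
            detail = m.groupdict().get("detail") or (target if target and target != "N/A" else "")
            findings.append({"rule": rule.name, "technique": rule.technique,
                             "severity": rule.severity, "process": process,
                             "detail": detail})
    return findings


def high_risk_processes(findings):
    return sorted({f["process"] for f in findings if f["severity"] == "high" and f["process"]})


def self_exclusions(findings):
    """Processes that added a Defender exclusion covering their own path."""
    return sorted({f["process"] for f in findings
                   if f["rule"] == "Defender path exclusion added"
                   and f["process"] and f["detail"].lower() == f["process"].lower()})


if __name__ == "__main__":
    for f in analyze(SAMPLE_ROWS):
        print(f"[{f['severity']:6}] {f['technique']:9} {f['rule']}: {f['process']} -> {f['detail']}")
    print("high-risk:", high_risk_processes(analyze(SAMPLE_ROWS)))
    print("self-excluded:", self_exclusions(analyze(SAMPLE_ROWS)))
```

Recovering the Process column from the right is what makes this robust: paths such as C:\Program Files\Google\Chrome\updater.exe contain spaces, and the Defender exclusion row embeds the excluded path inside the Indicator, so a left-to-right split on whitespace would mis-assign columns. The self-exclusion check is the signal worth surfacing from these particular rows: file.exe both sets EnableLUA to 0 and excludes its own path from Defender, which is a stronger indicator than either event alone.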

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\LightCleaner\VTRegScan.dll C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-BBL99.tmp C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\Windows Mail\Hilupugice.exe.config C:\Users\Admin\AppData\Local\Temp\is-SO17V.tmp\8758677____.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\CircularProgressBar.dll C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-V0C3R.tmp C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-88735.tmp C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-6OS7V.tmp C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-AO6U4.tmp C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe N/A
File created C:\Program Files (x86)\Windows Mail\Hilupugice.exe C:\Users\Admin\AppData\Local\Temp\is-SO17V.tmp\8758677____.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\LightCleaner.exe C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (blob data omitted) C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (blob data omitted) C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob data omitted) C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob data omitted) C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PPGD8.tmp\PknD4cGukChNCeo4PS3rKaDf.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PPGD8.tmp\PknD4cGukChNCeo4PS3rKaDf.tmp N/A
N/A N/A C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe N/A
N/A N/A C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe N/A
N/A N/A C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe N/A
N/A N/A C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe N/A
N/A N/A C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe N/A
N/A N/A C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe N/A
N/A N/A C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe N/A
N/A N/A C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe N/A
N/A N/A C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe N/A
N/A N/A C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-SO17V.tmp\8758677____.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\V71tkHLqHhwEkCkgCNMAOQRD.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PPGD8.tmp\PknD4cGukChNCeo4PS3rKaDf.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2504 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\Pictures\Ygv7ST2F6ZFlAnH3fKjXzIbo.exe
PID 2504 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\Pictures\Ygv7ST2F6ZFlAnH3fKjXzIbo.exe
PID 2504 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 2504 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 2504 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 2504 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 2504 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 2504 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 2504 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 2504 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
PID 644 wrote to memory of 3256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\fkRKXn8A75uIypa33o63cZmP.exe
PID 644 wrote to memory of 3256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\fkRKXn8A75uIypa33o63cZmP.exe
PID 644 wrote to memory of 3256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\fkRKXn8A75uIypa33o63cZmP.exe
PID 644 wrote to memory of 3392 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\V71tkHLqHhwEkCkgCNMAOQRD.exe
PID 644 wrote to memory of 3392 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\V71tkHLqHhwEkCkgCNMAOQRD.exe
PID 644 wrote to memory of 3392 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\V71tkHLqHhwEkCkgCNMAOQRD.exe
PID 644 wrote to memory of 4516 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\IDQWvVVvY4eJTT4pmH6mbRRQ.exe
PID 644 wrote to memory of 4516 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\IDQWvVVvY4eJTT4pmH6mbRRQ.exe
PID 644 wrote to memory of 4516 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\IDQWvVVvY4eJTT4pmH6mbRRQ.exe
PID 644 wrote to memory of 1888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe
PID 644 wrote to memory of 1888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe
PID 644 wrote to memory of 952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\WqECWfD5FXHSdaK7Fn34puIm.exe
PID 644 wrote to memory of 952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\WqECWfD5FXHSdaK7Fn34puIm.exe
PID 644 wrote to memory of 952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\WqECWfD5FXHSdaK7Fn34puIm.exe
PID 644 wrote to memory of 4672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\fYlZk043JZTSEYiwXhIPG3Ed.exe
PID 644 wrote to memory of 4672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\fYlZk043JZTSEYiwXhIPG3Ed.exe
PID 644 wrote to memory of 4672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\fYlZk043JZTSEYiwXhIPG3Ed.exe
PID 644 wrote to memory of 4456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\qE1aTSnAJwC07qDHLeZOqPWB.exe
PID 644 wrote to memory of 4456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\qE1aTSnAJwC07qDHLeZOqPWB.exe
PID 644 wrote to memory of 4456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\qE1aTSnAJwC07qDHLeZOqPWB.exe
PID 644 wrote to memory of 4412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\Ygv7ST2F6ZFlAnH3fKjXzIbo.exe
PID 644 wrote to memory of 4412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\Ygv7ST2F6ZFlAnH3fKjXzIbo.exe
PID 644 wrote to memory of 2024 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\aHzHxZXmicww2ABmRWrb374l.exe
PID 644 wrote to memory of 2024 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\aHzHxZXmicww2ABmRWrb374l.exe
PID 644 wrote to memory of 2024 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\aHzHxZXmicww2ABmRWrb374l.exe
PID 644 wrote to memory of 4612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\PknD4cGukChNCeo4PS3rKaDf.exe
PID 644 wrote to memory of 4612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\PknD4cGukChNCeo4PS3rKaDf.exe
PID 644 wrote to memory of 4612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\PknD4cGukChNCeo4PS3rKaDf.exe
PID 644 wrote to memory of 3880 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe
PID 644 wrote to memory of 3880 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe
PID 644 wrote to memory of 3880 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe
PID 3256 wrote to memory of 2284 N/A C:\Users\Admin\Pictures\fkRKXn8A75uIypa33o63cZmP.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 3256 wrote to memory of 2284 N/A C:\Users\Admin\Pictures\fkRKXn8A75uIypa33o63cZmP.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 3256 wrote to memory of 2284 N/A C:\Users\Admin\Pictures\fkRKXn8A75uIypa33o63cZmP.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 3880 wrote to memory of 4680 N/A C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe
PID 3880 wrote to memory of 4680 N/A C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe
PID 3880 wrote to memory of 4680 N/A C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe
PID 2024 wrote to memory of 2868 N/A C:\Users\Admin\Pictures\aHzHxZXmicww2ABmRWrb374l.exe C:\Users\Admin\AppData\Local\Temp\is-R00EL.tmp\aHzHxZXmicww2ABmRWrb374l.tmp
PID 2024 wrote to memory of 2868 N/A C:\Users\Admin\Pictures\aHzHxZXmicww2ABmRWrb374l.exe C:\Users\Admin\AppData\Local\Temp\is-R00EL.tmp\aHzHxZXmicww2ABmRWrb374l.tmp
PID 2024 wrote to memory of 2868 N/A C:\Users\Admin\Pictures\aHzHxZXmicww2ABmRWrb374l.exe C:\Users\Admin\AppData\Local\Temp\is-R00EL.tmp\aHzHxZXmicww2ABmRWrb374l.tmp
PID 4612 wrote to memory of 4468 N/A C:\Users\Admin\Pictures\PknD4cGukChNCeo4PS3rKaDf.exe C:\Users\Admin\AppData\Local\Temp\is-PPGD8.tmp\PknD4cGukChNCeo4PS3rKaDf.tmp
PID 4612 wrote to memory of 4468 N/A C:\Users\Admin\Pictures\PknD4cGukChNCeo4PS3rKaDf.exe C:\Users\Admin\AppData\Local\Temp\is-PPGD8.tmp\PknD4cGukChNCeo4PS3rKaDf.tmp
PID 4612 wrote to memory of 4468 N/A C:\Users\Admin\Pictures\PknD4cGukChNCeo4PS3rKaDf.exe C:\Users\Admin\AppData\Local\Temp\is-PPGD8.tmp\PknD4cGukChNCeo4PS3rKaDf.tmp
PID 3880 wrote to memory of 2120 N/A C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\9qCwPGsBZN5QBoVnnIGt1ZJN.exe
PID 3880 wrote to memory of 2120 N/A C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\9qCwPGsBZN5QBoVnnIGt1ZJN.exe
PID 3880 wrote to memory of 2120 N/A C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\9qCwPGsBZN5QBoVnnIGt1ZJN.exe
PID 2284 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\System32\sc.exe
PID 2284 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\System32\sc.exe
PID 2284 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\System32\sc.exe
PID 3880 wrote to memory of 740 N/A C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe
PID 3880 wrote to memory of 740 N/A C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"

C:\Users\Admin\Pictures\V71tkHLqHhwEkCkgCNMAOQRD.exe

"C:\Users\Admin\Pictures\V71tkHLqHhwEkCkgCNMAOQRD.exe"

C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe

"C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe"

C:\Users\Admin\Pictures\fkRKXn8A75uIypa33o63cZmP.exe

"C:\Users\Admin\Pictures\fkRKXn8A75uIypa33o63cZmP.exe"

C:\Users\Admin\Pictures\IDQWvVVvY4eJTT4pmH6mbRRQ.exe

"C:\Users\Admin\Pictures\IDQWvVVvY4eJTT4pmH6mbRRQ.exe"

C:\Users\Admin\Pictures\WqECWfD5FXHSdaK7Fn34puIm.exe

"C:\Users\Admin\Pictures\WqECWfD5FXHSdaK7Fn34puIm.exe"

C:\Users\Admin\Pictures\qE1aTSnAJwC07qDHLeZOqPWB.exe

"C:\Users\Admin\Pictures\qE1aTSnAJwC07qDHLeZOqPWB.exe"

C:\Users\Admin\Pictures\fYlZk043JZTSEYiwXhIPG3Ed.exe

"C:\Users\Admin\Pictures\fYlZk043JZTSEYiwXhIPG3Ed.exe"

C:\Users\Admin\Pictures\Ygv7ST2F6ZFlAnH3fKjXzIbo.exe

"C:\Users\Admin\Pictures\Ygv7ST2F6ZFlAnH3fKjXzIbo.exe"

C:\Users\Admin\Pictures\PknD4cGukChNCeo4PS3rKaDf.exe

"C:\Users\Admin\Pictures\PknD4cGukChNCeo4PS3rKaDf.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\aHzHxZXmicww2ABmRWrb374l.exe

"C:\Users\Admin\Pictures\aHzHxZXmicww2ABmRWrb374l.exe"

C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe

"C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe" --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\AppData\Local\Temp\is-R00EL.tmp\aHzHxZXmicww2ABmRWrb374l.tmp

"C:\Users\Admin\AppData\Local\Temp\is-R00EL.tmp\aHzHxZXmicww2ABmRWrb374l.tmp" /SL5="$90042,491750,408064,C:\Users\Admin\Pictures\aHzHxZXmicww2ABmRWrb374l.exe"

C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe

C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6e9b8538,0x6e9b8548,0x6e9b8554

C:\Users\Admin\AppData\Local\Temp\is-PPGD8.tmp\PknD4cGukChNCeo4PS3rKaDf.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PPGD8.tmp\PknD4cGukChNCeo4PS3rKaDf.tmp" /SL5="$D0060,5025136,832512,C:\Users\Admin\Pictures\PknD4cGukChNCeo4PS3rKaDf.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\9qCwPGsBZN5QBoVnnIGt1ZJN.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\9qCwPGsBZN5QBoVnnIGt1ZJN.exe" --version

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe

"C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3880 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231005083301" --session-guid=45cf1ddb-bf0c-4275-bce8-0949bfe6b252 --server-tracking-blob=M2M3ZmY1NjkwYjc1ZDc4N2MyZTUwMjBhNTA4N2Y5Nzg1MjJkNjkxYzJkODczOTdmZWU5OTBjZGIwM2ViZDJmMzp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5NjQ5NDc2OS4yMzM4IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiIwNWM4NmZhZC1iMWRlLTQ1MTEtOWMzOC0zZjE5NjJkNWZjOTQifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2C05000000000000

C:\Users\Admin\AppData\Local\Temp\is-I9MCH.tmp\_isetup\_setup64.tmp

helper 105 0x43C

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe

C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2bc,0x2f8,0x6d1d8538,0x6d1d8548,0x6d1d8554

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\is-SO17V.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-SO17V.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Users\Admin\AppData\Local\Temp\ILDYHJSIIG\lightcleaner.exe

"C:\Users\Admin\AppData\Local\Temp\ILDYHJSIIG\lightcleaner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\a3-69407-d4b-b3d9e-d9a88f3b4ce7d\Lyxozhonaegu.exe

"C:\Users\Admin\AppData\Local\Temp\a3-69407-d4b-b3d9e-d9a88f3b4ce7d\Lyxozhonaegu.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 804

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp" /SL5="$20254,833775,56832,C:\Users\Admin\AppData\Local\Temp\ILDYHJSIIG\lightcleaner.exe" /VERYSILENT

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x103e8a0,0x103e8b0,0x103e8bc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 172.67.34.170:443 pastebin.com tcp
DE 148.251.234.93:443 yip.su tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 8.8.8.8:53 ji.fhauiehgha.com udp
US 8.8.8.8:53 jetpackdelivery.net udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 bolidare.beget.tech udp
US 85.217.144.143:80 85.217.144.143 tcp
NL 13.227.219.25:443 downloads.digitalpulsedata.com tcp
US 8.8.8.8:53 lycheepanel.info udp
US 104.21.93.225:443 flyawayaero.net tcp
US 8.8.8.8:53 goboh2b.top udp
US 8.8.8.8:53 net.geo.opera.com udp
US 85.217.144.143:80 85.217.144.143 tcp
US 188.114.96.0:443 jetpackdelivery.net tcp
US 8.8.8.8:53 link.storjshare.io udp
US 8.8.8.8:53 d062.userscloud.net udp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 172.67.187.122:443 lycheepanel.info tcp
US 136.0.77.2:443 link.storjshare.io tcp
RU 91.106.207.50:80 bolidare.beget.tech tcp
DE 168.119.140.62:443 d062.userscloud.net tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 potatogoose.com udp
US 8.8.8.8:53 justsafepay.com udp
US 104.21.35.235:443 potatogoose.com tcp
US 188.114.96.0:443 justsafepay.com tcp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
RU 212.193.49.228:80 goboh2b.top tcp
US 8.8.8.8:53 10.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 143.144.217.85.in-addr.arpa udp
US 8.8.8.8:53 25.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 225.93.21.104.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 122.187.67.172.in-addr.arpa udp
US 8.8.8.8:53 50.207.106.91.in-addr.arpa udp
US 8.8.8.8:53 62.140.119.168.in-addr.arpa udp
US 8.8.8.8:53 2.77.0.136.in-addr.arpa udp
US 8.8.8.8:53 235.35.21.104.in-addr.arpa udp
US 8.8.8.8:53 228.49.193.212.in-addr.arpa udp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 136.0.77.2:80 link.storjshare.io tcp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
US 136.0.77.2:443 link.storjshare.io tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 download.opera.com udp
NL 82.145.216.23:443 download.opera.com tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 95.101.143.176:443 download3.operacdn.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 demo.seafile.com udp
DE 168.119.152.22:80 demo.seafile.com tcp
DE 168.119.152.22:443 demo.seafile.com tcp
US 8.8.8.8:53 features.opera-api2.com udp
NL 82.145.216.16:443 features.opera-api2.com tcp
US 8.8.8.8:53 20.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 23.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 176.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 22.152.119.168.in-addr.arpa udp
US 8.8.8.8:53 16.216.145.82.in-addr.arpa udp
BG 193.42.32.29:80 193.42.32.29 tcp
US 8.8.8.8:53 29.32.42.193.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 m7val1dat0r.info udp
US 188.114.96.1:443 m7val1dat0r.info tcp
US 8.8.8.8:53 1.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 connectini.net udp
GB 91.109.116.11:443 connectini.net tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 11.116.109.91.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 vibrator.s3.pl-waw.scw.cloud udp
US 8.8.8.8:53 link.storjshare.io udp
US 136.0.77.2:443 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
PL 151.115.10.1:443 vibrator.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
DE 3.5.134.122:443 wewewe.s3.eu-central-1.amazonaws.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 1.10.115.151.in-addr.arpa udp
US 8.8.8.8:53 122.134.5.3.in-addr.arpa udp
US 8.8.8.8:53 360devtracking.com udp
GB 91.109.116.11:80 360devtracking.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 bapp.digitalpulsedata.com udp
CA 3.98.219.138:443 bapp.digitalpulsedata.com tcp
US 8.8.8.8:53 138.219.98.3.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
CA 174.138.115.8:7001 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 8.115.138.174.in-addr.arpa udp
RU 5.42.64.10:80 5.42.64.10 tcp
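
The connection table above is raw sandbox output: DNS and PTR lookups sit next to the destinations that matter, and the same connection (for example link.storjshare.io:443 or 5.42.64.10:80) recurs several times. The script below is an added example, not part of the original report or the sandbox's own tooling: it parses rows in the table's format, drops the DNS noise, collapses repeats with a count, and ranks what is left. The sample rows are copied from the table; the allow-list of Opera hostnames (treated as traffic from the Opera installer the Files section shows being dropped), the list of abused hosting providers, and the severity rules are this editor's assumptions, not signatures the report states.

```python
"""Triage the sandbox network table: collapse repeated connections,
separate DNS noise from real destinations, and rank what is left.

Added example (not from the original report or the sandbox vendor).
The sample rows are copied from the report's Network table; the
allow-list and the indicator rules are assumptions made here.
"""
import re
from collections import Counter

# Constructed sample: a subset of the report's Network rows, including repeats.
SAMPLE = """\
US 8.8.8.8:53 flyawayaero.net udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 143.144.217.85.in-addr.arpa udp
US 136.0.77.2:443 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
DE 3.5.134.122:443 wewewe.s3.eu-central-1.amazonaws.com tcp
DE 162.19.139.184:12222 xmr.2miners.com tcp
CA 174.138.115.8:7001 tcp
US 34.117.59.81:80 ipinfo.io tcp
RU 5.42.64.10:80 5.42.64.10 tcp
"""

# Row format: country, ip:port, optional hostname, protocol.
LINE_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<host>\S+))?\s+(?P<proto>tcp|udp)$"
)

# Assumptions: hostnames expected from the bundled Opera installer, and the
# hosting/storage services the report flags as abused for payload delivery.
EXPECTED_SUFFIXES = ("opera.com", "operacdn.com", "opera-api2.com", "opera.software")
ABUSED_HOSTING = ("storjshare.io", "amazonaws.com", "scw.cloud", "userscloud.net",
                  "seafile.com", "beget.tech")
COMMON_PORTS = {80, 443}


def parse_line(line):
    """Parse one table row; returns None for rows that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def classify(rec):
    """Return (severity, reason) for one connection record."""
    host = rec["host"] or ""
    port = rec["port"]
    if rec["ip"] == "8.8.8.8" and port == 53:
        if host.endswith(".in-addr.arpa"):
            return ("info", "PTR lookup")
        return ("info", "DNS lookup")
    if host.endswith(EXPECTED_SUFFIXES):
        return ("low", "expected installer traffic")
    if host.startswith("xmr.") or port == 12222:
        return ("high", "Monero pool traffic")  # consistent with the report's xmrig tag
    if host == "ipinfo.io":
        return ("medium", "external IP lookup")
    if host.endswith(ABUSED_HOSTING):
        return ("medium", "payload staging on legitimate hosting")
    if not host or host == rec["ip"]:
        reason = "direct-to-IP"
        if port not in COMMON_PORTS:
            return ("high", reason + " on non-standard port")
        return ("medium", reason + " HTTP")
    return ("medium", "unrecognised destination")


def triage(text):
    """Collapse repeats and rank destinations; returns {dest: (count, sev, reason)}."""
    counts = Counter()
    meta = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sev, reason = classify(rec)
        if sev == "info":
            continue  # DNS rows are noise for the destination list
        key = f"{rec['host'] or rec['ip']}:{rec['port']}"
        counts[key] += 1
        meta[key] = (sev, reason)
    order = {"high": 0, "medium": 1, "low": 2}
    return {k: (counts[k], *meta[k])
            for k in sorted(counts, key=lambda k: (order[meta[k][0]], k))}


if __name__ == "__main__":
    for dest, (n, sev, why) in triage(SAMPLE).items():
        print(f"{sev:6} x{n:<2} {dest:45} {why}")
```

Run against the full table, the two "high" rows are the pool connection to xmr.2miners.com:12222 and the bare 174.138.115.8:7001 connection with no hostname; the PTR rows (`*.in-addr.arpa`) are reverse lookups of addresses already contacted and add no new destination, which is why the script drops them.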

Files

memory/2504-0-0x00000000008F0000-0x0000000000938000-memory.dmp

memory/2504-1-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/2504-2-0x00000000053E0000-0x000000000547C000-memory.dmp

memory/2504-3-0x0000000005B80000-0x0000000006124000-memory.dmp

memory/2504-4-0x00000000056D0000-0x0000000005762000-memory.dmp

memory/2504-5-0x0000000005560000-0x0000000005570000-memory.dmp

memory/2504-6-0x00000000052A0000-0x00000000052AA000-memory.dmp

memory/2504-7-0x00000000054F0000-0x0000000005518000-memory.dmp

memory/2504-8-0x0000000005570000-0x000000000558A000-memory.dmp

memory/1948-10-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/644-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1948-12-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

memory/1948-9-0x0000000002C40000-0x0000000002C76000-memory.dmp

memory/1948-13-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

memory/1948-16-0x0000000005820000-0x0000000005E48000-memory.dmp

memory/2504-15-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/644-17-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/1948-18-0x00000000057A0000-0x00000000057C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2jtmk4vr.nxm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1948-24-0x0000000005EC0000-0x0000000005F26000-memory.dmp

memory/1948-25-0x0000000005FA0000-0x0000000006006000-memory.dmp

memory/1948-30-0x0000000006110000-0x0000000006464000-memory.dmp

memory/1948-31-0x0000000006610000-0x000000000662E000-memory.dmp

memory/1948-36-0x00000000066B0000-0x00000000066FC000-memory.dmp

memory/1948-48-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

C:\Users\Admin\Pictures\fkRKXn8A75uIypa33o63cZmP.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\V71tkHLqHhwEkCkgCNMAOQRD.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\HBPO4pH43O6aIX0l1Cn2LiAH.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\LSUOMqYseUAwOXs1ca6PLL8A.exe

MD5 dde72ae232dc63298465861482d7bb93
SHA1 557c5dbebc35bc82280e2a744a03ce5e78b3e6fb
SHA256 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
SHA512 389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

C:\Users\Admin\Pictures\fYlZk043JZTSEYiwXhIPG3Ed.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\Pictures\asJz3Wi5ZWhGL0C2Icmmqhiu.exe

MD5 24fe48030f7d3097d5882535b04c3fa8
SHA1 a689a999a5e62055bda8c21b1dbe92c119308def
SHA256 424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e
SHA512 45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

C:\Users\Admin\Pictures\WqECWfD5FXHSdaK7Fn34puIm.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

C:\Users\Admin\Pictures\IDQWvVVvY4eJTT4pmH6mbRRQ.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

C:\Users\Admin\Pictures\qE1aTSnAJwC07qDHLeZOqPWB.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

C:\Users\Admin\Pictures\9qCwPGsBZN5QBoVnnIGt1ZJN.exe

MD5 8465d125b855b7ad68e50c1b72ba0885
SHA1 ac614586799a32428f39f591d042bf522740b235
SHA256 7779a1daf011819fb4fb63bf7991289cf4db4833acf4164d66c97ae3da88912a
SHA512 d05df66326dd1f560b854a0f5abdde60ec7cf355827a7d566997d35ca5ad35cb58c3833a577180cdc08a714624bb914273682f6d8fcd9301c4010f70dc0e7214

memory/1948-189-0x0000000006AF0000-0x0000000006B22000-memory.dmp

memory/1948-205-0x0000000006AC0000-0x0000000006ADE000-memory.dmp

C:\Users\Admin\Pictures\PknD4cGukChNCeo4PS3rKaDf.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

memory/3880-208-0x00000000001E0000-0x000000000072D000-memory.dmp

memory/4612-209-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3392-207-0x0000000005480000-0x0000000005642000-memory.dmp

memory/1948-210-0x0000000006B30000-0x0000000006BD3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050832537533880.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\Pictures\aHzHxZXmicww2ABmRWrb374l.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/1948-216-0x000000007FCC0000-0x000000007FCD0000-memory.dmp

memory/2024-212-0x0000000000400000-0x000000000046A000-memory.dmp

memory/3392-192-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/1948-190-0x0000000070040000-0x000000007008C000-memory.dmp

C:\Users\Admin\Pictures\Ygv7ST2F6ZFlAnH3fKjXzIbo.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/3392-178-0x0000000000630000-0x000000000094C000-memory.dmp

memory/1948-140-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/4612-227-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4412-224-0x00007FF7BEF90000-0x00007FF7BF07C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

memory/3392-230-0x0000000005E80000-0x0000000005E90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-R00EL.tmp\aHzHxZXmicww2ABmRWrb374l.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050832583474680.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1948-236-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PPGD8.tmp\PknD4cGukChNCeo4PS3rKaDf.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

memory/4680-243-0x00000000001E0000-0x000000000072D000-memory.dmp

memory/1948-252-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

memory/2868-253-0x0000000002130000-0x0000000002131000-memory.dmp

memory/1948-255-0x0000000007EF0000-0x000000000856A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SO17V.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/1948-263-0x00000000078B0000-0x00000000078CA000-memory.dmp

memory/4468-264-0x00000000009F0000-0x00000000009F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050832599252120.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/2120-271-0x00000000002B0000-0x00000000007FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\9qCwPGsBZN5QBoVnnIGt1ZJN.exe

MD5 8465d125b855b7ad68e50c1b72ba0885
SHA1 ac614586799a32428f39f591d042bf522740b235
SHA256 7779a1daf011819fb4fb63bf7991289cf4db4833acf4164d66c97ae3da88912a
SHA512 d05df66326dd1f560b854a0f5abdde60ec7cf355827a7d566997d35ca5ad35cb58c3833a577180cdc08a714624bb914273682f6d8fcd9301c4010f70dc0e7214

memory/644-256-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/1948-273-0x00000000077F0000-0x00000000077FA000-memory.dmp

memory/1888-272-0x00007FF739CE0000-0x00007FF73A223000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 144459f5e50c0c4208ecf15495c97c0c
SHA1 c0f30c6bde5c66abbe44d7f1bf50e18968fdeb15
SHA256 3ee48ab76daeec72ffa59ee884455f0b389d4b991808fc1d72c03ebe7ab10fb2
SHA512 df736e8ac331224ba6c95191df81a48653d69c3372c35c4594c0f5927aa216deda02b386662704acfa7d17d4a619ee3eb166ee8f710a075ff1dcfcd5a2efe73b

memory/4612-308-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-I9MCH.tmp\_isetup\_setup64.tmp

MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

memory/2272-313-0x00000000001E0000-0x000000000072D000-memory.dmp

memory/1948-316-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

memory/4412-318-0x0000000002AF0000-0x0000000002C21000-memory.dmp

memory/3392-319-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/4412-317-0x0000000002970000-0x0000000002AE1000-memory.dmp

memory/740-311-0x00000000001E0000-0x000000000072D000-memory.dmp

memory/1948-310-0x0000000007BC0000-0x0000000007C56000-memory.dmp

memory/3880-309-0x00000000001E0000-0x000000000072D000-memory.dmp

memory/2024-306-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_231005083305331740.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/4468-328-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2868-327-0x0000000000400000-0x0000000000513000-memory.dmp

memory/1888-325-0x00007FF739CE0000-0x00007FF73A223000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050833149092272.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1948-343-0x0000000007B30000-0x0000000007B41000-memory.dmp

memory/3392-344-0x0000000005E80000-0x0000000005E90000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 5da28974df31e368552466416e3a7a00
SHA1 81e73bf0fef6419406bc20ff8179228b3b2ac82d
SHA256 951324a286a3ed4ab25994926f2154a27755defb5d1e7bddfe59d3c6754f19c2
SHA512 2e7eef8d6335d48d2817e040359aede6552d7856dcff242fd071cc8a57894b1a12d379ec1555ab0caf305549236fe3a9f0f3cc8d8ed0833551b14f509f8cea58

memory/3100-351-0x0000018E4ADB0000-0x0000018E4AE34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SO17V.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/3100-359-0x0000018E4C9B0000-0x0000018E4CA12000-memory.dmp

memory/2272-366-0x00000000001E0000-0x000000000072D000-memory.dmp

memory/3100-358-0x00007FF9A5750000-0x00007FF9A6211000-memory.dmp

memory/3100-369-0x0000018E652C0000-0x0000018E6531E000-memory.dmp

memory/2868-372-0x0000000000400000-0x0000000000513000-memory.dmp

memory/4468-373-0x0000000000400000-0x000000000071C000-memory.dmp

memory/3392-374-0x00000000068C0000-0x0000000006DEC000-memory.dmp

memory/1940-375-0x0000020ADFC00000-0x0000020ADFC10000-memory.dmp

memory/3100-376-0x0000018E4C9A0000-0x0000018E4C9B0000-memory.dmp

memory/1940-378-0x00007FF9A5750000-0x00007FF9A6211000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\890696111233

MD5 e7752636c6828b23049d31b1439917d4
SHA1 71d0969519b7f0eb292740dfeebde0e8bd5282ec
SHA256 1c00f77f296151d6e326a5cad814ac0e6c6177b7e5ce1e48c0a97f48e3d4ad8e
SHA512 2255918e77c4907a78c4170ab433da734acbfd8f93782594731c5c192294f6d89f44afce84235bc5bcec6c5dfb9f9d85c74a2bf3dd1472e02d4f74246d6a7b2d

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

memory/4468-417-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\opera_package

MD5 1b4af0087d5df808f26f57534a532aa9
SHA1 d32d1fcecbef0e361d41943477a1df25114ce7af
SHA256 22c21ff3d0f5af1c2191318ea12921cfd5434afc32c0641d58fd3f3a218ea111
SHA512 e5a32022fd08464a24c89819703fd9f05c75bd5b47392aae186b96a8e1146fb0c98cda14bfec9a1393c0cdde706db77d32e7a9a86e4611c72103265982d31e07

memory/4612-435-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

C:\Users\Admin\AppData\Local\Temp\ILDYHJSIIG\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\a3-69407-d4b-b3d9e-d9a88f3b4ce7d\Lyxozhonaegu.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Users\Admin\AppData\Local\Temp\a3-69407-d4b-b3d9e-d9a88f3b4ce7d\Lyxozhonaegu.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/5548-469-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ILDYHJSIIG\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\additional_file0.tmp

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

C:\Users\Admin\AppData\Local\Temp\is-S45M7.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2868-528-0x0000000000400000-0x0000000000513000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 e24b109b1e22f23d1ce52ea03813517f
SHA1 1555e32b75a456c64ecd66ed326eb3afe8aaf587
SHA256 f89ae96c916e0731de3f17bdda5e85a1170436eb8ce274373ef55e2d8f7c98d6
SHA512 a75335e513d8225b633193f96df4377b88a3ec74e29d829db75d82585c7c973685e14656bc08d28e1271a3a3d7f89c594eb0818c90925c11b4d9dadb48858ef3

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

memory/2024-540-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\dbgcore.dll

MD5 15a2bc75539a13167028a3d2940bf40a
SHA1 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86
SHA256 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693
SHA512 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 5da28974df31e368552466416e3a7a00
SHA1 81e73bf0fef6419406bc20ff8179228b3b2ac82d
SHA256 951324a286a3ed4ab25994926f2154a27755defb5d1e7bddfe59d3c6754f19c2
SHA512 2e7eef8d6335d48d2817e040359aede6552d7856dcff242fd071cc8a57894b1a12d379ec1555ab0caf305549236fe3a9f0f3cc8d8ed0833551b14f509f8cea58

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\assistant_installer.exe

MD5 0d88834a56d914983a2fe03d6c8c7a83
SHA1 e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35
SHA256 e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53
SHA512 95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\dbgcore.dll

MD5 15a2bc75539a13167028a3d2940bf40a
SHA1 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86
SHA256 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693
SHA512 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\dbgcore.DLL

MD5 15a2bc75539a13167028a3d2940bf40a
SHA1 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86
SHA256 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693
SHA512 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050833011\assistant\assistant_installer.exe

MD5 0d88834a56d914983a2fe03d6c8c7a83
SHA1 e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35
SHA256 e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53
SHA512 95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

C:\Users\Admin\AppData\Local\Temp\is-CE2Q1.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/5876-572-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/5548-573-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1888-576-0x00007FF739CE0000-0x00007FF73A223000-memory.dmp

memory/1036-582-0x00007FF79A070000-0x00007FF79A5B3000-memory.dmp

memory/1036-622-0x00007FF79A070000-0x00007FF79A5B3000-memory.dmp

memory/2012-627-0x00000000007D0000-0x00000000007F0000-memory.dmp

memory/1036-628-0x00007FF79A070000-0x00007FF79A5B3000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

memory/4960-645-0x00007FF6F0F90000-0x00007FF6F0FA3000-memory.dmp

memory/2012-646-0x00007FF605500000-0x00007FF605D40000-memory.dmp