Malware Analysis Report

2025-01-02 08:10

Sample ID 231005-kg6beabe89
Target file
SHA256 7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74
Tags
amadey danabot fabookie glupteba vidar 4841d6b1839c4fa7c20ecc420b82b347 banker discovery dropper evasion loader persistence rootkit spyware stealer trojan upx xmrig miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary


Suspicious use of NtCreateUserProcessOtherParentProcess

UAC bypass

Windows security bypass

Glupteba payload

xmrig

Detect Fabookie payload

Danabot

Fabookie

Glupteba

Amadey

Vidar

XMRig Miner payload

Modifies boot configuration data using bcdedit

Possible attempt to disable PatchGuard

Blocklisted process makes network request

Stops running service(s)

Modifies Windows Firewall

Downloads MZ/PE file

Drops file in Drivers directory

Windows security modification

Drops startup file

.NET Reactor protector

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

UPX packed file

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMon driver

Enumerates connected drives

Adds Run key to start application

Checks installed software on the system

Accesses 2FA software files, possible credential harvesting

Manipulates WinMonFS driver

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Enumerates physical storage devices

Program crash

Enumerates system info in registry

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

System policy modification

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-05 08:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-05 08:35

Reported

2023-10-05 08:37

Platform

win7-20230831-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Danabot

trojan banker danabot

Detect Fabookie payload

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\gCr53xvS2embNP4AgLqtoiQT.exe = "0" | C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\03Y9LR0s0D2ImiH0R0QW60aN.exe = "0" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\rundll32.exe | N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Possible attempt to disable PatchGuard

evasion

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rhbXsGsqMZ6govp2qxnxwOod.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PlHdTlJbSWDazKx91U50vnHT.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9faAooiMYryGxOYyNIje7RkE.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShTkHfLJpQNjCLbrGGlN0BlJ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m93sy72Q6Nw48K0DXeJjaEwG.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BKRhlJoFlYJBPGn5xOLP4k8s.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAPX68D9cKAdWF8iByVf8r3A.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QHHaTVRfeWMw6AcxKc0hNMU9.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2nRli5z7vYOzb3rK3JiPXOls.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\zPvxgcyMsWtDSkVaav8dvn0E.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\zPvxgcyMsWtDSkVaav8dvn0E.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
N/A | N/A | C:\Windows\system32\WerFault.exe | N/A
N/A | N/A | C:\Windows\system32\WerFault.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\03Y9LR0s0D2ImiH0R0QW60aN.exe = "0" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\gCr53xvS2embNP4AgLqtoiQT.exe = "0" | C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\s6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042051\\s6.exe" | C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMon driver

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A

Manipulates WinMonFS driver

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3024 set thread context of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
PID 2620 set thread context of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | C:\Windows\syswow64\rundll32.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
File created | C:\Windows\Logs\CBS\CbsPersist_20231005083607.cab | C:\Windows\system32\makecab.exe | N/A
File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\syswow64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Windows\syswow64\rundll32.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\syswow64\rundll32.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature | C:\Windows\syswow64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\syswow64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\syswow64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature | C:\Users\Admin\AppData\Local\Temp\9516988160.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Windows\syswow64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\syswow64\rundll32.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = <blob omitted (duplicate)> C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = <blob omitted (duplicate)> C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = <blob omitted (duplicate)> C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = <blob omitted (duplicate)> C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = <blob omitted (duplicate)> C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe N/A
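The rows above record only that a Blob value was written under the ROOT and AuthRoot stores; they do not say which certificate went in, and the signature fires for a public root being cached just as it does for a rogue root. The hex is the CryptoAPI property-record serialisation, and the DER certificate inside it carries its subject in plain ASCII (for example 446967694365727420476c6f62616c20526f6f74204732 in the DF3C24F9 row decodes to "DigiCert Global Root G2"). A name proves nothing on its own, so the check a practitioner wants is to extract the certificate, recompute its SHA-1, confirm it equals the thumbprint used as the key name, and compare that thumbprint with a trusted root list. The Python below is an added example written for this report, not sandbox output or code from the sample. The property-ID names follow wincrypt.h; the sample Blob it builds is constructed (the certificate inside has no real signature) so the script runs offline, and any Blob hex from the rows above can be passed to check_blob() in its place.

```python
"""Decode a CryptoAPI certificate Blob (SystemCertificates\\<store>\\Certificates\\<sha1>\\Blob).
Layout: repeated records of DWORD propid | DWORD reserved (=1) | DWORD length | payload.
Property 32 (CERT_CERT_PROP_ID) is the DER certificate, property 3 its SHA-1 thumbprint."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID, CERT_CERT_PROP_ID = 3, 32
PROP_NAMES = {2: "KEY_PROV_INFO", 3: "SHA1_HASH", 4: "MD5_HASH", 9: "ENHKEY_USAGE",
              11: "FRIENDLY_NAME", 15: "SIGNATURE_HASH", 20: "KEY_IDENTIFIER", 32: "CERT"}
OID_COMMON_NAME = b"\x55\x04\x03"   # id-at-commonName, 2.5.4.3

def parse_cert_blob(blob: bytes) -> dict:
    """Split the Blob into {propid: payload}; raise on a malformed record."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property record at offset {off - 12}")
        props[propid] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after the last property record")
    return props

def der_tlv(buf: bytes, off: int = 0):
    """(tag, value, next_offset) of the DER element at buf[off:]; single-byte tags only."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    start = off + hdr
    return tag, buf[start:start + length], start + length

def der_children(body: bytes) -> list:
    out, off = [], 0
    while off < len(body):
        tag, val, off = der_tlv(body, off)
        out.append((tag, val))
    return out

def subject_cn(der: bytes) -> str:
    """Walk Certificate -> TBSCertificate -> subject and return its commonName."""
    _, cert_body, _ = der_tlv(der)
    _, tbs, _ = der_tlv(cert_body)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:          # optional explicit [0] version
        fields = fields[1:]
    subject = fields[4][1]            # serial, signature, issuer, validity, subject, ...
    for _, rdn in der_children(subject):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8")
    return ""

def check_blob(key_thumbprint: str, blob_hex: str) -> dict:
    """Decode one registry row; compare the embedded certificate with the key name."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    computed = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    return {"subject_cn": subject_cn(der), "thumbprint": computed,
            "matches_key_name": computed == key_thumbprint.upper(),
            "matches_stored_hash": computed == stored,
            "properties": sorted(PROP_NAMES.get(p, f"PROP_{p}") for p in props)}

# Constructed sample (not from the report): a certificate-shaped DER body with no real
# signature, wrapped in the same property-record layout Windows writes to the registry.
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _name(cn: str) -> bytes:
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_COMMON_NAME) + _tlv(0x13, cn.encode()))))

def build_sample_blob(cn: str = "Constructed Test Root") -> tuple:
    """Return (thumbprint, blob_hex) for the constructed certificate."""
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
               + _name(cn) + validity + _name(cn) + _tlv(0x30, b""))
    der = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))
    sha1 = hashlib.sha1(der).digest()
    rec = lambda propid, data: struct.pack("<III", propid, 1, len(data)) + data
    blob = rec(3, sha1) + rec(11, "Test\0".encode("utf-16-le")) + rec(32, der)
    return sha1.hex().upper(), blob.hex()

if __name__ == "__main__":
    thumb, blob_hex = build_sample_blob()
    print(check_blob(thumb, blob_hex))
```

On a real row the registry key name, the stored SHA1_HASH property and the recomputed hash of the CERT property must all agree; a mismatch means the Blob was hand-crafted rather than written through CertAddCertificateContextToStore. Agreement only tells you the record is self-consistent; whether the thumbprint belongs to a root you trust is a separate lookup against a maintained list.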

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe N/A
N/A N/A C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
N/A N/A C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe N/A
N/A N/A C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
N/A N/A C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
N/A N/A C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
N/A N/A C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
N/A N/A C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
N/A N/A C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe N/A
N/A N/A C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe N/A
N/A N/A C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe N/A
N/A N/A C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe N/A
N/A N/A C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\YQGA3GJcY597Z947I34Aj78t.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5149283176.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
PID 3024 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
PID 3024 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
PID 3024 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
PID 3024 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
PID 3024 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
PID 3024 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
PID 3024 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
PID 3024 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
PID 3024 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
PID 3024 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
PID 3024 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
PID 3024 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
PID 2528 wrote to memory of 1544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe
PID 2528 wrote to memory of 1544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe
PID 2528 wrote to memory of 1544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe
PID 2528 wrote to memory of 1544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe
PID 2528 wrote to memory of 644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\L0bfcOKrhK3CGi7DIdQmaqWE.exe
PID 2528 wrote to memory of 644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\L0bfcOKrhK3CGi7DIdQmaqWE.exe
PID 2528 wrote to memory of 644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\L0bfcOKrhK3CGi7DIdQmaqWE.exe
PID 2528 wrote to memory of 644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\L0bfcOKrhK3CGi7DIdQmaqWE.exe
PID 1544 wrote to memory of 2108 N/A C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1544 wrote to memory of 2108 N/A C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1544 wrote to memory of 2108 N/A C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1544 wrote to memory of 2108 N/A C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2108 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 2108 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 2108 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 2108 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 2528 wrote to memory of 1820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe
PID 2528 wrote to memory of 1820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe
PID 2528 wrote to memory of 1820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe
PID 2528 wrote to memory of 1820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe
PID 2108 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe
PID 2528 wrote to memory of 2352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe
PID 2528 wrote to memory of 2352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe
PID 2528 wrote to memory of 2352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe
PID 2528 wrote to memory of 1116 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe
PID 2528 wrote to memory of 1116 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe
PID 2528 wrote to memory of 1116 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe
PID 2528 wrote to memory of 1116 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe
PID 2528 wrote to memory of 3060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\YQGA3GJcY597Z947I34Aj78t.exe
PID 2528 wrote to memory of 3060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\YQGA3GJcY597Z947I34Aj78t.exe
PID 2528 wrote to memory of 3060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\YQGA3GJcY597Z947I34Aj78t.exe
PID 2528 wrote to memory of 3060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\YQGA3GJcY597Z947I34Aj78t.exe
PID 2528 wrote to memory of 2432 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\1H546XnOtYlSeI7yPbpIhyDS.exe
PID 2528 wrote to memory of 2432 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\1H546XnOtYlSeI7yPbpIhyDS.exe
PID 2528 wrote to memory of 2432 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\1H546XnOtYlSeI7yPbpIhyDS.exe
PID 2528 wrote to memory of 2432 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\1H546XnOtYlSeI7yPbpIhyDS.exe
PID 1292 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\zPvxgcyMsWtDSkVaav8dvn0E.exe
PID 2528 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\zPvxgcyMsWtDSkVaav8dvn0E.exe
PID 2528 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\zPvxgcyMsWtDSkVaav8dvn0E.exe
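The table above repeats each write four or more times and gives image paths without the spawn order, which hides the shape of the chain: file.exe writes into powershell.exe and two .NET framework binaries, and it is the injected aspnet_regsql.exe (PID 2528), not file.exe, that then writes into every dropped executable under Pictures. The Python below is an added example for this report, not code from the sandbox or the sample. It rebuilds that tree from a de-duplicated copy of the rows, flags the injected .NET host that itself goes on to write into further processes, and annotates nodes with three command lines taken from the Processes list (the Add-MpPreference exclusion, the one-minute schtasks loop on nhdues.exe, and the CACLS calls that deny the user access to nhdues.exe and its directory). The Processes list carries no PIDs, so the join from command line to node is by image path, an assumption made here; the rule labels are chosen for this example and are not sandbox signature names.

```python
"""Rebuild the process-injection chain from 'Suspicious use of WriteProcessMemory' rows and
annotate it with command lines from the Processes list."""
import re
from collections import defaultdict

# Rows copied from this report with the repeats collapsed. The sandbox prints each as
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
WPM_ROWS = r"""
PID 3024 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
PID 3024 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
PID 2528 wrote to memory of 1544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe
PID 2528 wrote to memory of 1820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe
PID 1544 wrote to memory of 2108 N/A C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2108 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 2108 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
"""

# Command lines copied from the Processes list. That list carries no PIDs, so the join to
# the tree is by image path (an assumption made here; both cmd.exe nodes get the CACLS line).
CMDLINES = {
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe":
        r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force',
    r"C:\Windows\SysWOW64\schtasks.exe":
        r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F',
    r"C:\Windows\SysWOW64\cmd.exe":
        r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit',
}

# Rule labels are chosen for this example; they are not sandbox signature names.
RULES = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("schtasks_every_minute_from_temp",
     re.compile(r'schtasks.*/SC\s+MINUTE.*/TR\s+"[^"]*\\Temp\\[^"]*"', re.I)),
    ("cacls_denies_own_user", re.compile(r'CACLS\s+"[^"]+"\s+/P\s+"[^"]+:N"', re.I)),
]
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

def parse_rows(text: str):
    """Return ({pid: image}, {src: [dst, ...]}, [root pids]) with duplicate rows collapsed."""
    image, children, targets = {}, defaultdict(list), set()
    for m in ROW_RE.finditer(text):
        src, dst = int(m.group(1)), int(m.group(2))
        image[src], image[dst] = m.group(3), m.group(4)
        if dst not in children[src]:
            children[src].append(dst)
        targets.add(dst)
    roots = [p for p in image if p not in targets]
    return image, dict(children), roots

def flags_for(pid: int, image: dict) -> list:
    """Rule labels that match the command line joined to this node (empty if none)."""
    cmd = CMDLINES.get(image[pid], "")
    return [label for label, rx in RULES if rx.search(cmd)]

def hollowed_hosts(image: dict, children: dict) -> list:
    """Injection targets that are .NET framework binaries and themselves write into further
    processes: a signed Microsoft host being used as the stage-2 dropper."""
    return sorted(p for p, kids in children.items() if kids and "\\Microsoft.NET\\" in image[p])

def render(image: dict, children: dict, roots: list) -> list:
    """Indented one-line-per-process view of the chain with rule flags appended."""
    lines = []
    def walk(pid, depth):
        flags = ", ".join(flags_for(pid, image))
        lines.append(f"{'  ' * depth}{pid} {image[pid]}" + (f"  [{flags}]" if flags else ""))
        for kid in children.get(pid, []):
            walk(kid, depth + 1)
    for root in roots:
        walk(root, 0)
    return lines

if __name__ == "__main__":
    print("\n".join(render(*parse_rows(WPM_ROWS))))
```

The tree makes two things visible that the flat table does not: the single root is file.exe, and the only writer among its three injection targets is aspnet_regsql.exe, so that process, not file.exe, is the one whose memory a responder should dump for the second-stage payload. The same parse can be pointed at the rest of the rows on this page or at a full sandbox export.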

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"

C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe

"C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe"

C:\Users\Admin\Pictures\L0bfcOKrhK3CGi7DIdQmaqWE.exe

"C:\Users\Admin\Pictures\L0bfcOKrhK3CGi7DIdQmaqWE.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe

"C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe

"C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe"

C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe

"C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe"

C:\Users\Admin\Pictures\YQGA3GJcY597Z947I34Aj78t.exe

"C:\Users\Admin\Pictures\YQGA3GJcY597Z947I34Aj78t.exe"

C:\Users\Admin\Pictures\1H546XnOtYlSeI7yPbpIhyDS.exe

"C:\Users\Admin\Pictures\1H546XnOtYlSeI7yPbpIhyDS.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\Pictures\zPvxgcyMsWtDSkVaav8dvn0E.exe

"C:\Users\Admin\Pictures\zPvxgcyMsWtDSkVaav8dvn0E.exe" --silent --allusers=0

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

"C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {C5EEA56D-06DB-43CD-92EE-3305D253C7C3} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\5149283176.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\0424379639.exe"

C:\Users\Admin\AppData\Local\Temp\5149283176.exe

"C:\Users\Admin\AppData\Local\Temp\5149283176.exe"

C:\Users\Admin\AppData\Local\Temp\0424379639.exe

"C:\Users\Admin\AppData\Local\Temp\0424379639.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\9516988160.exe"

C:\Users\Admin\AppData\Local\Temp\9516988160.exe

"C:\Users\Admin\AppData\Local\Temp\9516988160.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231005083607.log C:\Windows\Logs\CBS\CbsPersist_20231005083607.cab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "s6.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe" & exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "L0bfcOKrhK3CGi7DIdQmaqWE.exe" /f & erase "C:\Users\Admin\Pictures\L0bfcOKrhK3CGi7DIdQmaqWE.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "s6.exe" /f

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "L0bfcOKrhK3CGi7DIdQmaqWE.exe" /f

C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe

"C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe"

C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe

"C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1880 -s 320

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\syswow64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\9516988160.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
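The command lines above are the part of this report that is directly usable for detection: the Defender exclusion added through Add-MpPreference, the Amadey one-minute scheduled task and CACLS self-protection, the Glupteba firewall rule and ONLOGON task, the bcdedit entry with nointegritychecks set, and the sc sdset call that rewrites the WinDefender service descriptor so that Administrators lose SERVICE_STOP. The script below is an added example for this report and is not sandbox tooling or code from any of the families named above. It copies those command lines verbatim as a constructed sample set, matches the simple ones with patterns, and decodes the SDDL string of the sc sdset call instead of pattern-matching it, since the interesting fact is an ACE, not a substring. The rule names, the regexes and the "default service descriptor" baseline used as a negative control are this example's own assumptions.

```python
"""Triage rules for the command lines listed under Processes.

Added example for this report, not part of the sandbox or of any malware family
named above. Sample command lines are copied from the Processes list; the rule
names, regexes and the baseline service descriptor are this example's assumptions.
"""
import re

# Constructed sample: command lines copied from the Processes list above, plus
# the benign makecab line as a negative control.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F',
    r'CACLS "nhdues.exe" /P "Admin:N"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231005083607.log C:\Windows\Logs\CBS\CbsPersist_20231005083607.cab',
]

# Descriptor sc.exe reports for a freshly created service (assumed baseline, used
# only to show the check stays quiet on an unmodified service).
DEFAULT_SERVICE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Pattern rules; the names are this example's own labels for the techniques.
RULES = [(name, re.compile(pat, re.I)) for name, pat in [
    ("defender_exclusion_added", r"add-mppreference\b.*-exclusion(path|process|extension)\b"),
    ("schtasks_minute_interval", r"schtasks.*?/create\b.*?/sc\s+minute\b.*?/mo\s+1\b"),
    ("schtasks_onlogon_highest", r"schtasks.*?/sc\s+onlogon\b.*?/rl\s+highest\b"),
    ("cacls_deny_own_file", r'\bcacls\s+"[^"]+"\s+/p\s+"[^"]+:n"'),
    ("firewall_allow_rule_added", r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*action=allow"),
    ("bcd_integrity_checks_disabled", r"bcdedit.*\bnointegritychecks\s+1\b"),
    ("bcd_recovery_disabled", r"bcdedit.*\brecoveryenabled\s+0\b"),
]]

# "sc sdset <service> <sddl>" is decoded rather than pattern matched.
SDSET_RE = re.compile(r"\bsc(?:\.exe)?\s+sdset\s+(?P<svc>\S+)\s+(?P<sddl>\S+)", re.I)
ACE_RE = re.compile(r"\(([^)]*)\)")

# Two-letter access-right codes used in service security descriptors.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SID_ALIASES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive", "SU": "Service", "WD": "Everyone"}

def parse_dacl(sddl):
    """Yield (ace_type, rights, principal) for each ACE in the D: part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]        # drop the SACL if present
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")                              # type;flags;rights;objguid;inhguid;sid
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        rights_set = {rights} if rights.startswith("0x") else {rights[i:i + 2] for i in range(0, len(rights), 2)}
        yield ace_type, rights_set, SID_ALIASES.get(sid, sid)

def describe_dacl(sddl):
    """One readable line per ACE, e.g. 'DENY Administrators: SERVICE_PAUSE_CONTINUE, SERVICE_STOP'."""
    lines = []
    for ace_type, rights, who in parse_dacl(sddl):
        verb = {"A": "ALLOW", "D": "DENY"}.get(ace_type, ace_type)
        names = sorted(SERVICE_RIGHTS.get(r, r) for r in rights)
        lines.append(f"{verb} {who}: {', '.join(names)}")
    return lines

def service_stop_denied_to_admins(sddl):
    """True when Administrators are explicitly denied SERVICE_STOP, or are no longer allowed it."""
    allowed, denied = set(), set()
    for ace_type, rights, who in parse_dacl(sddl):
        if who == "Administrators":
            (allowed if ace_type == "A" else denied).update(rights)
    return "WP" in denied or "WP" not in allowed

def triage(cmdlines):
    """Return (rule_name, cmdline) pairs for every command line that trips a rule."""
    hits = []
    for cmd in cmdlines:
        hits.extend((name, cmd) for name, pattern in RULES if pattern.search(cmd))
        m = SDSET_RE.search(cmd)
        if m and service_stop_denied_to_admins(m.group("sddl")):
            hits.append((f"service_stop_denied_to_admins:{m.group('svc')}", cmd))
    return hits

if __name__ == "__main__":
    for name, cmd in triage(SAMPLE_CMDLINES):
        print(f"{name:45} {cmd[:70]}")
```

Run against the sample set, every line except the makecab one trips exactly one rule. On the WinDefender descriptor the decoder reports both changes relative to the baseline: the Administrators allow ACE has lost WP and DT, and a separate DENY ACE for WP and DT has been added, so an administrator's `sc stop` or `net stop` fails until the descriptor is reset with `sc sdset`. The decoder only understands the two-letter right codes; a descriptor written with a hex rights mask is passed through untouched.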

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.20.67.143:443 pastebin.com tcp
DE 148.251.234.93:443 yip.su tcp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 8.8.8.8:53 ji.fhauiehgha.com udp
US 8.8.8.8:53 jetpackdelivery.net udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 bolidare.beget.tech udp
US 8.8.8.8:53 goboh2b.top udp
US 85.217.144.143:80 tcp
US 8.8.8.8:53 lycheepanel.info udp
US 8.8.8.8:53 net.geo.opera.com udp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
NL 13.227.219.122:443 downloads.digitalpulsedata.com tcp
US 188.114.96.0:443 jetpackdelivery.net tcp
US 172.67.216.81:443 flyawayaero.net tcp
RU 91.106.207.50:80 bolidare.beget.tech tcp
RU 212.193.49.228:80 goboh2b.top tcp
US 8.8.8.8:53 link.storjshare.io udp
US 104.21.32.208:443 lycheepanel.info tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 potatogoose.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 104.21.35.235:443 potatogoose.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
NL 88.221.25.153:80 apps.identrust.com tcp
US 8.8.8.8:53 justsafepay.com udp
US 188.114.97.0:443 justsafepay.com tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
BG 193.42.32.29:80 193.42.32.29 tcp
BG 193.42.32.29:80 193.42.32.29 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 m7val1dat0r.info udp
US 188.114.97.0:443 m7val1dat0r.info tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
RU 5.42.64.10:80 5.42.64.10 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
DE 78.47.27.247:80 78.47.27.247 tcp
US 8.8.8.8:53 script.google.com udp
DE 172.217.23.206:80 script.google.com tcp
DE 172.217.23.206:443 script.google.com tcp
DE 172.217.23.206:80 script.google.com tcp
DE 172.217.23.206:443 script.google.com tcp
US 8.8.8.8:53 mediasitenews.com udp
US 8.8.8.8:53 script.googleusercontent.com udp
NL 142.251.36.1:443 script.googleusercontent.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
NL 142.251.36.1:443 script.googleusercontent.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 173.214.169.17:443 tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 8.8.8.8:53 15c9db68-12c4-4045-89a6-8dc666d7ca67.uuid.myfastfoodguru.com udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 8.8.8.8:53 server11.myfastfoodguru.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun1.l.google.com udp
BG 185.82.216.50:443 server11.myfastfoodguru.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 142.251.125.127:19302 stun1.l.google.com udp
US 8.8.8.8:53 mastertryprice.com udp
US 104.21.37.186:443 mastertryprice.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
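The Network table mixes four kinds of rows: DNS lookups sent to the sandbox resolver (8.8.8.8:53), connections to a resolved domain, connections to a hard-coded IP (the Domain column repeats the address), and two rows whose Domain column is empty. Repeated rows are repeated events, not duplicates, so they collapse only once the table is reduced to indicators. The script below is an added example for this report, not part of the sandbox; it parses a constructed subset of the rows above exactly as they appear, sorts them into those four classes, and derives a block list. The suffix allowlist for sandbox background traffic (Microsoft, Google, Windows Update blob storage, IdenTrust, Opera) is this example's assumption; pastebin.com, t.me and cdn.discordapp.com are deliberately not on it, since the report itself flags them as legitimate hosting abused for C2.

```python
"""Reduce the sandbox Network table to connection classes and a block list.

Added example for this report, not sandbox tooling. SAMPLE_ROWS is a constructed
subset copied from the Network table; RESOLVER and BENIGN_SUFFIXES are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from the Network table above. The two rows
# with three fields are the ones whose Domain column is empty in the report.
SAMPLE_ROWS = """
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 85.217.144.143:80 tcp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 142.251.125.127:19302 stun1.l.google.com udp
US 8.8.8.8:53 15c9db68-12c4-4045-89a6-8dc666d7ca67.uuid.myfastfoodguru.com udp
US 194.87.32.213:443 mediasitenews.com tcp
US 194.87.32.213:443 mediasitenews.com tcp
US 173.214.169.17:443 tcp
""".strip().splitlines()

RESOLVER = "8.8.8.8:53/udp"                     # the sandbox's DNS resolver (assumption)
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Sandbox/OS background traffic to ignore (assumption; keep abused services off this list).
BENIGN_SUFFIXES = (".microsoft.com", ".google.com", ".windows.net", ".identrust.com", ".opera.com")

def parse_row(row):
    """Split one table row; a three-field row is one whose Domain column is empty."""
    fields = row.split()
    if len(fields) == 4:
        country, dest, domain, proto = fields
    elif len(fields) == 3:
        country, dest, proto = fields
        domain = None
    else:
        raise ValueError(f"unexpected row: {row!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}

def summarize(rows):
    """Group rows into DNS lookups, attributed, bare-IP and domain-less connections."""
    dns, conns, bare_ip, unattributed, noise = set(), defaultdict(set), set(), set(), set()
    for rec in map(parse_row, rows):
        endpoint = f"{rec['ip']}:{rec['port']}/{rec['proto']}"
        domain = rec["domain"]
        if domain and endpoint == RESOLVER:
            dns.add(domain)                  # a lookup, not a connection to the domain
        elif domain is None:
            unattributed.add(endpoint)       # empty Domain column in the report
        elif IP_RE.match(domain):
            bare_ip.add(endpoint)            # hard-coded address, no DNS involved
        elif domain.endswith(BENIGN_SUFFIXES):
            noise.add(domain)
        else:
            conns[domain].add(endpoint)
    return {
        "dns_queries": sorted(dns),
        "connections": {d: sorted(e) for d, e in sorted(conns.items())},
        "bare_ip": sorted(bare_ip),
        "unattributed": sorted(unattributed),
        "noise": sorted(noise),
        # looked up but never connected: a dead or rotated C2 host is still an indicator
        "queried_only": sorted(d for d in dns if d not in conns and not d.endswith(BENIGN_SUFFIXES)),
    }

def iocs(summary):
    """Flat, de-duplicated list of domains and IPs worth blocking or hunting for."""
    items = set(summary["connections"]) | set(summary["queried_only"])
    items |= {e.split(":")[0] for e in summary["bare_ip"] + summary["unattributed"]}
    return sorted(items)

if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for key in ("connections", "bare_ip", "unattributed", "queried_only", "noise"):
        print(key, s[key])
    print("iocs", iocs(s))
```

The two domain-less rows are kept as separate indicators rather than guessed at: 85.217.144.143 already appears with a bare-IP row, but 173.214.169.17 appears only in a domain-less row, and dropping it would lose an address the sample actually contacted.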

Files

memory/3024-0-0x0000000000DF0000-0x0000000000E38000-memory.dmp

memory/3024-1-0x0000000074770000-0x0000000074E5E000-memory.dmp

memory/3024-2-0x0000000004FC0000-0x0000000005000000-memory.dmp

memory/3024-3-0x00000000005A0000-0x00000000005C8000-memory.dmp

memory/3024-4-0x0000000000660000-0x000000000067A000-memory.dmp

memory/2528-7-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2528-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2528-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3024-12-0x0000000074770000-0x0000000074E5E000-memory.dmp

memory/2528-13-0x0000000074770000-0x0000000074E5E000-memory.dmp

memory/3064-14-0x000000006F760000-0x000000006FD0B000-memory.dmp

memory/3064-15-0x000000006F760000-0x000000006FD0B000-memory.dmp

memory/2528-16-0x0000000002120000-0x0000000002160000-memory.dmp

memory/3064-17-0x00000000028C0000-0x0000000002900000-memory.dmp

memory/3064-18-0x00000000028C0000-0x0000000002900000-memory.dmp

memory/3064-19-0x00000000028C0000-0x0000000002900000-memory.dmp

memory/3064-20-0x000000006F760000-0x000000006FD0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab52B4.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar52F5.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9bf3f91cba19cd074a97ae990f70d44
SHA1 33966ad17a0d1b860bcdd7d2bde96df31c699127
SHA256 1d00a8682a03be9996ccbf57617ccab3e905dd3e08441e5992247cea9ba649d4
SHA512 c21439e88894ff087eca646e0f9d0f1a15fb9d0b7e5775622d1bb3ebcf0df1a71b3d06517ff5bb740eff10141e10e5a910b9831c9db2d20ac35e7479ad0fa913

C:\Users\Admin\Pictures\asp7KXjO9kvFukdlUHNoQJvc.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 d4ae187b4574036c2d76b6df8a8c1a30
SHA1 b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256 a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA512 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76a6b987a042a5c1bb6589ac26c2dafd
SHA1 ccdf6901b160c1fe7f07198b8e68afff92655894
SHA256 7653e9cf1926cfc266eb0324f039aeb6b5ac0ce909157c2a96462beb20db0a9c
SHA512 66b08002ec7555f0191d6fd3a1b2e19d4dde3652532d545aa9caf6393628fe8d7bf8250fd3cb7c242efc36826421190b4e170a578f99cb78e0cdeb7545de01a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76a6b987a042a5c1bb6589ac26c2dafd
SHA1 ccdf6901b160c1fe7f07198b8e68afff92655894
SHA256 7653e9cf1926cfc266eb0324f039aeb6b5ac0ce909157c2a96462beb20db0a9c
SHA512 66b08002ec7555f0191d6fd3a1b2e19d4dde3652532d545aa9caf6393628fe8d7bf8250fd3cb7c242efc36826421190b4e170a578f99cb78e0cdeb7545de01a0

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\Pictures\L0bfcOKrhK3CGi7DIdQmaqWE.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

\Users\Admin\Pictures\L0bfcOKrhK3CGi7DIdQmaqWE.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\Pictures\L0bfcOKrhK3CGi7DIdQmaqWE.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\Pictures\L0bfcOKrhK3CGi7DIdQmaqWE.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

memory/1820-208-0x0000000002770000-0x0000000002B68000-memory.dmp

C:\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

\Users\Admin\Pictures\03Y9LR0s0D2ImiH0R0QW60aN.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

memory/2528-229-0x0000000074770000-0x0000000074E5E000-memory.dmp

\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

C:\Users\Admin\Pictures\gDzc4gFohTauCoHxEk8wR00a.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

C:\Users\Admin\Pictures\gCr53xvS2embNP4AgLqtoiQT.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

memory/1116-242-0x0000000002780000-0x0000000002B78000-memory.dmp

\Users\Admin\Pictures\YQGA3GJcY597Z947I34Aj78t.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\1H546XnOtYlSeI7yPbpIhyDS.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/2528-258-0x0000000002120000-0x0000000002160000-memory.dmp

memory/2432-259-0x00000000FF690000-0x00000000FF77C000-memory.dmp

C:\Users\Admin\Pictures\YQGA3GJcY597Z947I34Aj78t.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\1H546XnOtYlSeI7yPbpIhyDS.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/3060-261-0x0000000074770000-0x0000000074E5E000-memory.dmp

\Users\Admin\Pictures\zPvxgcyMsWtDSkVaav8dvn0E.exe

MD5 7cd0fcd6c7a5dc2fec9bd5c9adaaaa1b
SHA1 0c33309f6e71a9cb268fa4111d1564ee23870e66
SHA256 5487fd1fde4ff64c00c120a4e2cbf6cf57aa515f6e2585f377c54acdc3fbd308
SHA512 319e2cffbbbcead69749c5cd20e8629a520c7526f12edfb1fe33573ce5cb91efcba2ca048bc5b52c4878d55dfe9bb5a39e005a2c232e6e9ecbdadad8321d117c

memory/2528-267-0x0000000009EF0000-0x000000000A43D000-memory.dmp

C:\Users\Admin\Pictures\zPvxgcyMsWtDSkVaav8dvn0E.exe

MD5 7cd0fcd6c7a5dc2fec9bd5c9adaaaa1b
SHA1 0c33309f6e71a9cb268fa4111d1564ee23870e66
SHA256 5487fd1fde4ff64c00c120a4e2cbf6cf57aa515f6e2585f377c54acdc3fbd308
SHA512 319e2cffbbbcead69749c5cd20e8629a520c7526f12edfb1fe33573ce5cb91efcba2ca048bc5b52c4878d55dfe9bb5a39e005a2c232e6e9ecbdadad8321d117c

C:\Users\Admin\Pictures\zPvxgcyMsWtDSkVaav8dvn0E.exe

MD5 7cd0fcd6c7a5dc2fec9bd5c9adaaaa1b
SHA1 0c33309f6e71a9cb268fa4111d1564ee23870e66
SHA256 5487fd1fde4ff64c00c120a4e2cbf6cf57aa515f6e2585f377c54acdc3fbd308
SHA512 319e2cffbbbcead69749c5cd20e8629a520c7526f12edfb1fe33573ce5cb91efcba2ca048bc5b52c4878d55dfe9bb5a39e005a2c232e6e9ecbdadad8321d117c

C:\Users\Admin\Pictures\YQGA3GJcY597Z947I34Aj78t.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\YQGA3GJcY597Z947I34Aj78t.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

\Users\Admin\Pictures\1H546XnOtYlSeI7yPbpIhyDS.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

\Users\Admin\Pictures\1H546XnOtYlSeI7yPbpIhyDS.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/3060-271-0x0000000000C30000-0x0000000000F4C000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310050835396683068.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\750544865377

MD5 26b76a29d006b32c3d9ccdce952c5b39
SHA1 97a3643f314edd8decda5e22f155d78272aa6790
SHA256 921631f20c27be1d2b65b0f2ae966522365d0cdc8a5427ed7505680c810777b4
SHA512 7769eccd9c098740a92043c3e1bf0046ae4c59d9713a4f7801f94fea90f9b9d816422c8ef1ac97ea08bbf3c3ec93dadb42ccbf180e8398bfe9bdbb2f0709b124

memory/3060-279-0x0000000005D00000-0x0000000005D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

MD5 c02dfceb88e77fe8e56237b7dcdc94c4
SHA1 dbffea96b6105ef302424544714e82748bbb214b
SHA256 7c84dff6c0185a320ee5eaea1c53c75ee244754b3a5c3cc8643bf3eacd60af31
SHA512 bedd020c8fd75315c41a40d5ed12e5dd96b37e58727f0eeb484ca8fa4fb21b590d245b00eb99ff6e6f3ce7b551e1a78b0d91d867847d81671dc53fcf6411f556

\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

MD5 c02dfceb88e77fe8e56237b7dcdc94c4
SHA1 dbffea96b6105ef302424544714e82748bbb214b
SHA256 7c84dff6c0185a320ee5eaea1c53c75ee244754b3a5c3cc8643bf3eacd60af31
SHA512 bedd020c8fd75315c41a40d5ed12e5dd96b37e58727f0eeb484ca8fa4fb21b590d245b00eb99ff6e6f3ce7b551e1a78b0d91d867847d81671dc53fcf6411f556

C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

MD5 c02dfceb88e77fe8e56237b7dcdc94c4
SHA1 dbffea96b6105ef302424544714e82748bbb214b
SHA256 7c84dff6c0185a320ee5eaea1c53c75ee244754b3a5c3cc8643bf3eacd60af31
SHA512 bedd020c8fd75315c41a40d5ed12e5dd96b37e58727f0eeb484ca8fa4fb21b590d245b00eb99ff6e6f3ce7b551e1a78b0d91d867847d81671dc53fcf6411f556

\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

MD5 c02dfceb88e77fe8e56237b7dcdc94c4
SHA1 dbffea96b6105ef302424544714e82748bbb214b
SHA256 7c84dff6c0185a320ee5eaea1c53c75ee244754b3a5c3cc8643bf3eacd60af31
SHA512 bedd020c8fd75315c41a40d5ed12e5dd96b37e58727f0eeb484ca8fa4fb21b590d245b00eb99ff6e6f3ce7b551e1a78b0d91d867847d81671dc53fcf6411f556

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d51081a1cd94619239546f60d245fb3
SHA1 7866b124e9a116ee3b0b5344d13edd80b8d41aea
SHA256 c3d967fab8cf909654bfa48015736286d35bf2aafea2c6eb764dd0aea129feff

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-05 08:35

Reported

2023-10-05 08:37

Platform

win10v2004-20230915-en

Max time kernel

125s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-K9S38.tmp\8758677____.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\77syB2NX4hBYEUAdXHeHHtBW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-K9S38.tmp\8758677____.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\V1cFbpeg7U7N5opZmlBI70Ip.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9qyOmBkwtPnex7C2jHEbRxvd.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ppdzsfAUUIC0uYYasc9N9tta.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WDQTBwUOqTShX7hFd7rfjCsH.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JTaGlCGEBDN6ABxRmxt3kC0O.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xOvjxNiLo6TDOMCYWyXI4g7Q.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wFImm0yI3kO3fvcvshQFNjyW.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3zaTB47g5E9ui35b4RhnbqxU.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FLyToO9wmFLZO0s3SvYMsdeL.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\U6EWQgabI2nbcF76ATNus7Ch.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lhu0VAiO5WKNtGbA7gpSLggq.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FRbXDCF4yPyYiF1iVvf8thTR.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qzt22Isi8KhHduKY91Pxi0TL.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NkGoWrt1c8wOy2gM1SPP0C5U.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\V1cFbpeg7U7N5opZmlBI70Ip.exe N/A
N/A N/A C:\Users\Admin\Pictures\77syB2NX4hBYEUAdXHeHHtBW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\Pictures\hVt41ZCWVayhkPBS9R3GbZcI.exe N/A
N/A N/A C:\Users\Admin\Pictures\GQ8thbaGcLtn7zGF323AorE9.exe N/A
N/A N/A C:\Users\Admin\Pictures\ZVF6GRyyvLo3qXDAC9CFmNrI.exe N/A
N/A N/A C:\Users\Admin\Pictures\X7ER85KVD9XGNnvbtbWFfMrL.exe N/A
N/A N/A C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A
N/A N/A C:\Users\Admin\Pictures\05iVtZQ6JuhBPKVK3xbCdBKX.exe N/A
N/A N/A C:\Users\Admin\Pictures\SIVMflCnId4621ixGEGwbapX.exe N/A
N/A N/A C:\Users\Admin\Pictures\cTCUrB00kd8ZSjLWyHCjVqq7.exe N/A
N/A N/A C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IVDHT.tmp\hVt41ZCWVayhkPBS9R3GbZcI.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NFN5N.tmp\cTCUrB00kd8ZSjLWyHCjVqq7.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\7pMdrouKJxeyaFobp3i3YatI.exe N/A
N/A N/A C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A
N/A N/A C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-K9S38.tmp\8758677____.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HIQZDCFEKY\lightcleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97-ac81b-2a9-9f6b9-13a5b00e2c040\Kidaebutudo.exe N/A
N/A N/A C:\Windows\System32\powercfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4083482705.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\assistant\assistant_installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigitalPulse = "\"C:\\Users\\Admin\\AppData\\Roaming\\DigitalPulse\\DigitalPulseService.exe\" 5333:::clickId=:::srcId=" C:\Users\Admin\AppData\Local\Temp\is-NFN5N.tmp\cTCUrB00kd8ZSjLWyHCjVqq7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Sidebar\\Laejushaeluzho.exe\"" C:\Users\Admin\AppData\Local\Temp\is-K9S38.tmp\8758677____.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 972 set thread context of 4788 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 6120 set thread context of 5800 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 6120 set thread context of 5232 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\LightCleaner\unins000.dat C:\Windows\System32\powercfg.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Laejushaeluzho.exe C:\Users\Admin\AppData\Local\Temp\is-K9S38.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Laejushaeluzho.exe.config C:\Users\Admin\AppData\Local\Temp\is-K9S38.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-BHOFQ.tmp C:\Windows\System32\powercfg.exe N/A
File created C:\Program Files (x86)\LightCleaner\unins000.dat C:\Windows\System32\powercfg.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-UH4RG.tmp C:\Windows\System32\powercfg.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-IGFPS.tmp C:\Windows\System32\powercfg.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-EOOS0.tmp C:\Windows\System32\powercfg.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-ME9PU.tmp C:\Windows\System32\powercfg.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\LightCleaner.exe C:\Windows\System32\powercfg.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\CircularProgressBar.dll C:\Windows\System32\powercfg.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\VTRegScan.dll C:\Windows\System32\powercfg.exe N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NFN5N.tmp\cTCUrB00kd8ZSjLWyHCjVqq7.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NFN5N.tmp\cTCUrB00kd8ZSjLWyHCjVqq7.tmp N/A
N/A N/A C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\powercfg.exe N/A
N/A N/A C:\Windows\System32\powercfg.exe N/A
N/A N/A C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-K9S38.tmp\8758677____.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\X7ER85KVD9XGNnvbtbWFfMrL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NFN5N.tmp\cTCUrB00kd8ZSjLWyHCjVqq7.tmp N/A
N/A N/A C:\Windows\System32\powercfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 972 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 972 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 972 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 972 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 972 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 972 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 972 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 972 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 972 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 972 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 972 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4788 wrote to memory of 4012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\V1cFbpeg7U7N5opZmlBI70Ip.exe
PID 4788 wrote to memory of 4012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\V1cFbpeg7U7N5opZmlBI70Ip.exe
PID 4788 wrote to memory of 4012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\V1cFbpeg7U7N5opZmlBI70Ip.exe
PID 4788 wrote to memory of 4776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\77syB2NX4hBYEUAdXHeHHtBW.exe
PID 4788 wrote to memory of 4776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\77syB2NX4hBYEUAdXHeHHtBW.exe
PID 4788 wrote to memory of 4776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\77syB2NX4hBYEUAdXHeHHtBW.exe
PID 4012 wrote to memory of 1956 N/A C:\Users\Admin\Pictures\V1cFbpeg7U7N5opZmlBI70Ip.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 4012 wrote to memory of 1956 N/A C:\Users\Admin\Pictures\V1cFbpeg7U7N5opZmlBI70Ip.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 4012 wrote to memory of 1956 N/A C:\Users\Admin\Pictures\V1cFbpeg7U7N5opZmlBI70Ip.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 4788 wrote to memory of 1928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\hVt41ZCWVayhkPBS9R3GbZcI.exe
PID 4788 wrote to memory of 1928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\hVt41ZCWVayhkPBS9R3GbZcI.exe
PID 4788 wrote to memory of 1928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\hVt41ZCWVayhkPBS9R3GbZcI.exe
PID 4788 wrote to memory of 1740 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\GQ8thbaGcLtn7zGF323AorE9.exe
PID 4788 wrote to memory of 1740 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\GQ8thbaGcLtn7zGF323AorE9.exe
PID 4788 wrote to memory of 1740 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\GQ8thbaGcLtn7zGF323AorE9.exe
PID 4788 wrote to memory of 996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\ZVF6GRyyvLo3qXDAC9CFmNrI.exe
PID 4788 wrote to memory of 996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\ZVF6GRyyvLo3qXDAC9CFmNrI.exe
PID 4788 wrote to memory of 996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\ZVF6GRyyvLo3qXDAC9CFmNrI.exe
PID 4788 wrote to memory of 3880 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\X7ER85KVD9XGNnvbtbWFfMrL.exe
PID 4788 wrote to memory of 3880 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\X7ER85KVD9XGNnvbtbWFfMrL.exe
PID 4788 wrote to memory of 3880 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\X7ER85KVD9XGNnvbtbWFfMrL.exe
PID 4788 wrote to memory of 1816 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe
PID 4788 wrote to memory of 1816 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe
PID 4788 wrote to memory of 1816 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe
PID 4788 wrote to memory of 4544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\05iVtZQ6JuhBPKVK3xbCdBKX.exe
PID 4788 wrote to memory of 4544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\05iVtZQ6JuhBPKVK3xbCdBKX.exe
PID 4788 wrote to memory of 4544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\05iVtZQ6JuhBPKVK3xbCdBKX.exe
PID 4788 wrote to memory of 3632 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\SIVMflCnId4621ixGEGwbapX.exe
PID 4788 wrote to memory of 3632 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\SIVMflCnId4621ixGEGwbapX.exe
PID 4788 wrote to memory of 1156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\cTCUrB00kd8ZSjLWyHCjVqq7.exe
PID 4788 wrote to memory of 1156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\cTCUrB00kd8ZSjLWyHCjVqq7.exe
PID 4788 wrote to memory of 1156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\cTCUrB00kd8ZSjLWyHCjVqq7.exe
PID 4788 wrote to memory of 2236 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe
PID 4788 wrote to memory of 2236 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe
PID 1816 wrote to memory of 4084 N/A C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe
PID 1816 wrote to memory of 4084 N/A C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe
PID 1816 wrote to memory of 4084 N/A C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe
PID 1928 wrote to memory of 3364 N/A C:\Users\Admin\Pictures\hVt41ZCWVayhkPBS9R3GbZcI.exe C:\Users\Admin\AppData\Local\Temp\is-IVDHT.tmp\hVt41ZCWVayhkPBS9R3GbZcI.tmp
PID 1928 wrote to memory of 3364 N/A C:\Users\Admin\Pictures\hVt41ZCWVayhkPBS9R3GbZcI.exe C:\Users\Admin\AppData\Local\Temp\is-IVDHT.tmp\hVt41ZCWVayhkPBS9R3GbZcI.tmp
PID 1928 wrote to memory of 3364 N/A C:\Users\Admin\Pictures\hVt41ZCWVayhkPBS9R3GbZcI.exe C:\Users\Admin\AppData\Local\Temp\is-IVDHT.tmp\hVt41ZCWVayhkPBS9R3GbZcI.tmp
PID 1956 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\taskkill.exe
PID 1956 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\taskkill.exe
PID 1956 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\taskkill.exe
PID 1956 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 2280 N/A C:\Users\Admin\Pictures\cTCUrB00kd8ZSjLWyHCjVqq7.exe C:\Users\Admin\AppData\Local\Temp\is-NFN5N.tmp\cTCUrB00kd8ZSjLWyHCjVqq7.tmp
PID 1156 wrote to memory of 2280 N/A C:\Users\Admin\Pictures\cTCUrB00kd8ZSjLWyHCjVqq7.exe C:\Users\Admin\AppData\Local\Temp\is-NFN5N.tmp\cTCUrB00kd8ZSjLWyHCjVqq7.tmp
PID 1156 wrote to memory of 2280 N/A C:\Users\Admin\Pictures\cTCUrB00kd8ZSjLWyHCjVqq7.exe C:\Users\Admin\AppData\Local\Temp\is-NFN5N.tmp\cTCUrB00kd8ZSjLWyHCjVqq7.tmp
PID 1816 wrote to memory of 5104 N/A C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\7pMdrouKJxeyaFobp3i3YatI.exe
PID 1816 wrote to memory of 5104 N/A C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\7pMdrouKJxeyaFobp3i3YatI.exe
PID 1816 wrote to memory of 5104 N/A C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\7pMdrouKJxeyaFobp3i3YatI.exe
PID 1816 wrote to memory of 2936 N/A C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\Pictures\V1cFbpeg7U7N5opZmlBI70Ip.exe

"C:\Users\Admin\Pictures\V1cFbpeg7U7N5opZmlBI70Ip.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\Pictures\77syB2NX4hBYEUAdXHeHHtBW.exe

"C:\Users\Admin\Pictures\77syB2NX4hBYEUAdXHeHHtBW.exe"

C:\Users\Admin\Pictures\ZVF6GRyyvLo3qXDAC9CFmNrI.exe

"C:\Users\Admin\Pictures\ZVF6GRyyvLo3qXDAC9CFmNrI.exe"

C:\Users\Admin\Pictures\SIVMflCnId4621ixGEGwbapX.exe

"C:\Users\Admin\Pictures\SIVMflCnId4621ixGEGwbapX.exe"

C:\Users\Admin\Pictures\cTCUrB00kd8ZSjLWyHCjVqq7.exe

"C:\Users\Admin\Pictures\cTCUrB00kd8ZSjLWyHCjVqq7.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe

"C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe"

C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe

C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6f468538,0x6f468548,0x6f468554

C:\Users\Admin\Pictures\05iVtZQ6JuhBPKVK3xbCdBKX.exe

"C:\Users\Admin\Pictures\05iVtZQ6JuhBPKVK3xbCdBKX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\AppData\Local\Temp\is-IVDHT.tmp\hVt41ZCWVayhkPBS9R3GbZcI.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IVDHT.tmp\hVt41ZCWVayhkPBS9R3GbZcI.tmp" /SL5="$60214,491750,408064,C:\Users\Admin\Pictures\hVt41ZCWVayhkPBS9R3GbZcI.exe"

C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe

"C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe" --silent --allusers=0

C:\Users\Admin\Pictures\X7ER85KVD9XGNnvbtbWFfMrL.exe

"C:\Users\Admin\Pictures\X7ER85KVD9XGNnvbtbWFfMrL.exe"

C:\Users\Admin\Pictures\hVt41ZCWVayhkPBS9R3GbZcI.exe

"C:\Users\Admin\Pictures\hVt41ZCWVayhkPBS9R3GbZcI.exe"

C:\Users\Admin\Pictures\GQ8thbaGcLtn7zGF323AorE9.exe

"C:\Users\Admin\Pictures\GQ8thbaGcLtn7zGF323AorE9.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\7pMdrouKJxeyaFobp3i3YatI.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\7pMdrouKJxeyaFobp3i3YatI.exe" --version

C:\Users\Admin\AppData\Local\Temp\is-NFN5N.tmp\cTCUrB00kd8ZSjLWyHCjVqq7.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NFN5N.tmp\cTCUrB00kd8ZSjLWyHCjVqq7.tmp" /SL5="$A0172,5025136,832512,C:\Users\Admin\Pictures\cTCUrB00kd8ZSjLWyHCjVqq7.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe

"C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1816 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231005083542" --session-guid=79f20fc2-d92f-46a3-9290-36633cebe0e4 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=C804000000000000

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\is-K9S38.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-K9S38.tmp\8758677____.exe" /S /UID=lylal220

C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe

C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2bc,0x2f8,0x6dca8538,0x6dca8548,0x6dca8554

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\is-A4UC7.tmp\_isetup\_setup64.tmp

helper 105 0x448

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\4083482705.exe"

C:\Users\Admin\AppData\Local\Temp\97-ac81b-2a9-9f6b9-13a5b00e2c040\Kidaebutudo.exe

"C:\Users\Admin\AppData\Local\Temp\97-ac81b-2a9-9f6b9-13a5b00e2c040\Kidaebutudo.exe"

C:\Users\Admin\AppData\Local\Temp\HIQZDCFEKY\lightcleaner.exe

"C:\Users\Admin\AppData\Local\Temp\HIQZDCFEKY\lightcleaner.exe" /VERYSILENT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 804

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\is-PI781.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PI781.tmp\lightcleaner.tmp" /SL5="$20292,833775,56832,C:\Users\Admin\AppData\Local\Temp\HIQZDCFEKY\lightcleaner.exe" /VERYSILENT

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

C:\Users\Admin\AppData\Local\Temp\4083482705.exe

"C:\Users\Admin\AppData\Local\Temp\4083482705.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "77syB2NX4hBYEUAdXHeHHtBW.exe" /f & erase "C:\Users\Admin\Pictures\77syB2NX4hBYEUAdXHeHHtBW.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4776 -ip 4776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 1500

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "77syB2NX4hBYEUAdXHeHHtBW.exe" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x101e8a0,0x101e8b0,0x101e8bc

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\4083482705.exe

Network


Files


C:\Users\Admin\Pictures\7pMdrouKJxeyaFobp3i3YatI.exe

MD5 d9afa434f9a4f5d62c9c290df7bf6de8
SHA1 41e2f7fcd0311d09013e54b7b64a12fab0a60e2c
SHA256 1f7ba4f85a3b8bb32f97d26b5f70591820f09344a49f4ad070833c7af4c931ba
SHA512 3774a1cb641e4f7b7e56c0673283df91f2514ccc72e993d7a93a675c677e69727755d8e2664b6db1408fe868cce4d7da08f6a14d852ce723c2e2269f8d003e76

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050835476381440.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\is-K9S38.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Local\Temp\is-K9S38.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 eb294686c83604e89228b80a85ad5ece
SHA1 95a37b5df71d32236c41c649487b2e9d5fa942e6
SHA256 c9b6f746b9dc839e35459eeeb1df268b3139958b987c4db565b5a05d20f69743
SHA512 c0766692012d5e51bfbd27d012a804ff8ca43ef2fc4988eb7d844c99c22a2ba852b478acd87c50a2f08087e676239c7cdab8a58070664ae1345b8bfb11fbcc91

memory/2092-315-0x000001D3B4C30000-0x000001D3B4CB4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 eb294686c83604e89228b80a85ad5ece
SHA1 95a37b5df71d32236c41c649487b2e9d5fa942e6
SHA256 c9b6f746b9dc839e35459eeeb1df268b3139958b987c4db565b5a05d20f69743
SHA512 c0766692012d5e51bfbd27d012a804ff8ca43ef2fc4988eb7d844c99c22a2ba852b478acd87c50a2f08087e676239c7cdab8a58070664ae1345b8bfb11fbcc91

memory/1928-303-0x0000000000400000-0x000000000046A000-memory.dmp

memory/2092-316-0x000001D3CF050000-0x000001D3CF0B2000-memory.dmp

memory/2248-317-0x0000000006200000-0x0000000006232000-memory.dmp

memory/2248-318-0x00000000704F0000-0x000000007053C000-memory.dmp

memory/2092-329-0x000001D3CF120000-0x000001D3CF17E000-memory.dmp

memory/2248-328-0x0000000006040000-0x000000000605E000-memory.dmp

memory/2248-330-0x0000000006F10000-0x0000000006FB3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-A4UC7.tmp\_isetup\_setup64.tmp

MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

memory/2236-335-0x00007FF6868E0000-0x00007FF686E23000-memory.dmp

memory/3880-334-0x0000000006710000-0x0000000006C3C000-memory.dmp

memory/3364-337-0x0000000000400000-0x0000000000513000-memory.dmp

memory/1156-332-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1440-338-0x0000000000B80000-0x00000000010CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-NFN5N.tmp\cTCUrB00kd8ZSjLWyHCjVqq7.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

memory/2092-344-0x00007FFCA3050000-0x00007FFCA3B11000-memory.dmp

memory/2248-350-0x0000000007080000-0x000000000709A000-memory.dmp

memory/2248-349-0x00000000076E0000-0x0000000007D5A000-memory.dmp

memory/2280-356-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2248-357-0x000000007FDC0000-0x000000007FDD0000-memory.dmp

memory/4776-358-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/2248-359-0x00000000070F0000-0x00000000070FA000-memory.dmp

memory/2092-364-0x000001D3CF340000-0x000001D3CF350000-memory.dmp

memory/2248-366-0x0000000007310000-0x00000000073A6000-memory.dmp

memory/3632-370-0x0000000002D30000-0x0000000002EA1000-memory.dmp

memory/3632-371-0x0000000002EB0000-0x0000000002FE1000-memory.dmp

memory/2248-372-0x0000000007280000-0x0000000007291000-memory.dmp

memory/3880-374-0x0000000005BD0000-0x0000000005BE0000-memory.dmp

memory/2236-377-0x00007FF6868E0000-0x00007FF686E23000-memory.dmp

memory/5280-395-0x000002296A080000-0x000002296A0A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HIQZDCFEKY\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

memory/6000-423-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\97-ac81b-2a9-9f6b9-13a5b00e2c040\Kidaebutudo.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Users\Admin\AppData\Local\Temp\HIQZDCFEKY\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\HIQZDCFEKY\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\97-ac81b-2a9-9f6b9-13a5b00e2c040\Kidaebutudo.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\97-ac81b-2a9-9f6b9-13a5b00e2c040\Kidaebutudo.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Users\Admin\AppData\Local\Temp\is-PI781.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/3364-445-0x0000000000400000-0x0000000000513000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\97-ac81b-2a9-9f6b9-13a5b00e2c040\Kidaebutudo.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Users\Admin\AppData\Local\Temp\is-V51PL.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2280-455-0x0000000000400000-0x000000000071C000-memory.dmp

memory/1928-456-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

C:\Users\Admin\AppData\Local\Temp\is-PI781.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

C:\Users\Admin\AppData\Local\Temp\4083482705.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

C:\Users\Admin\AppData\Local\Temp\4083482705.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

memory/2280-492-0x0000000000400000-0x000000000071C000-memory.dmp

memory/468-493-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/6000-497-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1156-498-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 01680204a1e96855f485d577407b747e
SHA1 a96d0a998a27771ea009f0756e0f42a44af4e0ab
SHA256 e6ae8929916e106cc84c0bf134c32c1fe0355c81429ff6231b479b8dd72bfa1e
SHA512 736852576f3c0a0d411833fd8adb92cd678a5ae6ab69243371856c1e775da248162406fa36dcc2355bbaaf809e3e5d30aede5c377abbba50bdef6f6f08fbd7df

memory/2236-520-0x00007FF6868E0000-0x00007FF686E23000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Users\Admin\Pictures\wFu4K4boQW6gz6P93JE49CMJ.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/2236-529-0x00007FF6868E0000-0x00007FF686E23000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\opera_package

MD5 1b4af0087d5df808f26f57534a532aa9
SHA1 d32d1fcecbef0e361d41943477a1df25114ce7af
SHA256 22c21ff3d0f5af1c2191318ea12921cfd5434afc32c0641d58fd3f3a218ea111
SHA512 e5a32022fd08464a24c89819703fd9f05c75bd5b47392aae186b96a8e1146fb0c98cda14bfec9a1393c0cdde706db77d32e7a9a86e4611c72103265982d31e07

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\assistant\assistant_installer.exe

MD5 0d88834a56d914983a2fe03d6c8c7a83
SHA1 e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35
SHA256 e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53
SHA512 95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050835421\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

memory/6120-597-0x00007FF626110000-0x00007FF626653000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

memory/6120-649-0x00007FF626110000-0x00007FF626653000-memory.dmp

memory/5232-654-0x0000000000BE0000-0x0000000000C00000-memory.dmp

memory/6120-655-0x00007FF626110000-0x00007FF626653000-memory.dmp

memory/5800-660-0x00007FF7EF890000-0x00007FF7EF8A3000-memory.dmp

memory/5232-661-0x00007FF6C3D70000-0x00007FF6C45B0000-memory.dmp