Malware Analysis Report

2025-01-02 08:32

Sample ID 231005-kghv4shf7y
Target file
SHA256 7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74
Tags
amadey fabookie xmrig discovery evasion miner persistence spyware stealer trojan upx danabot glupteba vidar 4841d6b1839c4fa7c20ecc420b82b347 banker dropper loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74

Threat Level: Known bad

The file file was found to be: Known bad.

Malicious Activity Summary

Danabot

Windows security bypass

Amadey

xmrig

Fabookie

Glupteba payload

Suspicious use of NtCreateUserProcessOtherParentProcess

UAC bypass

Vidar

Detect Fabookie payload

Glupteba

Modifies boot configuration data using bcdedit

XMRig Miner payload

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Stops running service(s)

Downloads MZ/PE file

Windows security modification

Loads dropped DLL

Drops startup file

Checks computer location settings

Executes dropped EXE

UPX packed file

Reads user/profile data of web browsers

.NET Reactor protector

Uses the VBS compiler for execution

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-05 08:34

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-05 08:34

Reported

2023-10-05 08:36

Platform

win10v2004-20230915-en

Max time kernel

34s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1112 created 2572 N/A C:\Users\Admin\Pictures\SAOWW3PUn42N6WSQVsX3ikfE.exe C:\Windows\Explorer.EXE

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\iDCs9xGiPqgVq7phzX1AwmBD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LmgIXyociaDyhaibZvtulZJo.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jDsmi8KpPeeGANcBx1Xwr4E9.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\azoucbLLIYqRg9IXKEgJwhmy.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BeGrIGyKQ2dbxNhOoIDNWbVl.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WauokMZFdjUsb7Hy556mmYRM.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MPyPGb3ofa92VteaPI1w3HXA.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aesnwDDP8lXpcIsxGKexQCC3.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZwCU7wk6B9VeEf59kXFTjAqj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tb74LQkvFaoycG6F2KQ9wu5o.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jGyaa9t2MzDv4GtlNdQEATyF.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0x1oEcDreKpjiMCOzSFb7KZ3.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GjCCO0VqX7tDKo41aSFg9hpZ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8Cu6s49Men2INBxWZFU1szxX.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\iDCs9xGiPqgVq7phzX1AwmBD.exe N/A
N/A N/A C:\Users\Admin\Pictures\MFbfCzqSHG6t0tBSxrN2Ea9A.exe N/A
N/A N/A C:\Users\Admin\Pictures\RfITsihBnr04EUkMQKL6elQn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\Pictures\HpD0aeXwlAtf2RbiI6bnx6gp.exe N/A
N/A N/A C:\Users\Admin\Pictures\jJUKrJHQSsibYQEHnUTglZ2c.exe N/A
N/A N/A C:\Users\Admin\Pictures\SAOWW3PUn42N6WSQVsX3ikfE.exe N/A
N/A N/A C:\Users\Admin\Pictures\19ldxFLtcYfUsvwAsGluBbma.exe N/A
N/A N/A C:\Users\Admin\Pictures\wYAPgrHqL1SNjrIorgGkrcfw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-L842G.tmp\RfITsihBnr04EUkMQKL6elQn.tmp N/A
N/A N/A C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe N/A
N/A N/A C:\Users\Admin\Pictures\xvReIRai3nPz0FJq0C2TWrSs.exe N/A
N/A N/A C:\Users\Admin\Pictures\oLgzuOkfBIUGXs2rogG2xzvj.exe N/A
N/A N/A C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JTEND.tmp\wYAPgrHqL1SNjrIorgGkrcfw.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\e73mXWP0mNGAUDtqyWSzT0cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-5B6RM.tmp\_isetup\_setup64.tmp N/A
N/A N/A C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe N/A
N/A N/A C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AK2LF.tmp\8758677____.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigitalPulse = "\"C:\\Users\\Admin\\AppData\\Roaming\\DigitalPulse\\DigitalPulseService.exe\" 5333:::clickId=:::srcId=" C:\Users\Admin\AppData\Local\Temp\is-L842G.tmp\RfITsihBnr04EUkMQKL6elQn.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\s6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042051\\s6.exe" C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1752 set thread context of 440 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-L842G.tmp\RfITsihBnr04EUkMQKL6elQn.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1752 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1752 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1752 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1752 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1752 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1752 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1752 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 440 wrote to memory of 3800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\iDCs9xGiPqgVq7phzX1AwmBD.exe
PID 440 wrote to memory of 3800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\iDCs9xGiPqgVq7phzX1AwmBD.exe
PID 440 wrote to memory of 3800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\iDCs9xGiPqgVq7phzX1AwmBD.exe
PID 440 wrote to memory of 3952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\MFbfCzqSHG6t0tBSxrN2Ea9A.exe
PID 440 wrote to memory of 3952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\MFbfCzqSHG6t0tBSxrN2Ea9A.exe
PID 440 wrote to memory of 3952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\MFbfCzqSHG6t0tBSxrN2Ea9A.exe
PID 440 wrote to memory of 1780 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\RfITsihBnr04EUkMQKL6elQn.exe
PID 440 wrote to memory of 1780 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\RfITsihBnr04EUkMQKL6elQn.exe
PID 440 wrote to memory of 1780 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\RfITsihBnr04EUkMQKL6elQn.exe
PID 440 wrote to memory of 4016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\HpD0aeXwlAtf2RbiI6bnx6gp.exe
PID 440 wrote to memory of 4016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\HpD0aeXwlAtf2RbiI6bnx6gp.exe
PID 440 wrote to memory of 4016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\HpD0aeXwlAtf2RbiI6bnx6gp.exe
PID 3800 wrote to memory of 3512 N/A C:\Users\Admin\Pictures\iDCs9xGiPqgVq7phzX1AwmBD.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 3800 wrote to memory of 3512 N/A C:\Users\Admin\Pictures\iDCs9xGiPqgVq7phzX1AwmBD.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 3800 wrote to memory of 3512 N/A C:\Users\Admin\Pictures\iDCs9xGiPqgVq7phzX1AwmBD.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 440 wrote to memory of 1356 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\jJUKrJHQSsibYQEHnUTglZ2c.exe
PID 440 wrote to memory of 1356 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\jJUKrJHQSsibYQEHnUTglZ2c.exe
PID 440 wrote to memory of 1356 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\jJUKrJHQSsibYQEHnUTglZ2c.exe
PID 440 wrote to memory of 1112 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\SAOWW3PUn42N6WSQVsX3ikfE.exe
PID 440 wrote to memory of 1112 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\SAOWW3PUn42N6WSQVsX3ikfE.exe
PID 440 wrote to memory of 4356 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\19ldxFLtcYfUsvwAsGluBbma.exe
PID 440 wrote to memory of 4356 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\19ldxFLtcYfUsvwAsGluBbma.exe
PID 440 wrote to memory of 4356 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\19ldxFLtcYfUsvwAsGluBbma.exe
PID 440 wrote to memory of 1588 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\wYAPgrHqL1SNjrIorgGkrcfw.exe
PID 440 wrote to memory of 1588 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\wYAPgrHqL1SNjrIorgGkrcfw.exe
PID 440 wrote to memory of 1588 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\wYAPgrHqL1SNjrIorgGkrcfw.exe
PID 1780 wrote to memory of 4120 N/A C:\Users\Admin\Pictures\RfITsihBnr04EUkMQKL6elQn.exe C:\Users\Admin\AppData\Local\Temp\is-L842G.tmp\RfITsihBnr04EUkMQKL6elQn.tmp
PID 1780 wrote to memory of 4120 N/A C:\Users\Admin\Pictures\RfITsihBnr04EUkMQKL6elQn.exe C:\Users\Admin\AppData\Local\Temp\is-L842G.tmp\RfITsihBnr04EUkMQKL6elQn.tmp
PID 1780 wrote to memory of 4120 N/A C:\Users\Admin\Pictures\RfITsihBnr04EUkMQKL6elQn.exe C:\Users\Admin\AppData\Local\Temp\is-L842G.tmp\RfITsihBnr04EUkMQKL6elQn.tmp
PID 440 wrote to memory of 3076 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe
PID 440 wrote to memory of 3076 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe
PID 440 wrote to memory of 3076 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe
PID 440 wrote to memory of 4448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\xvReIRai3nPz0FJq0C2TWrSs.exe
PID 440 wrote to memory of 4448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\xvReIRai3nPz0FJq0C2TWrSs.exe
PID 440 wrote to memory of 4448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\xvReIRai3nPz0FJq0C2TWrSs.exe
PID 440 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\oLgzuOkfBIUGXs2rogG2xzvj.exe
PID 440 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\Pictures\oLgzuOkfBIUGXs2rogG2xzvj.exe
PID 3076 wrote to memory of 5080 N/A C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe
PID 3076 wrote to memory of 5080 N/A C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe
PID 3076 wrote to memory of 5080 N/A C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe
PID 3512 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 3512 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 3512 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 1588 wrote to memory of 3736 N/A C:\Users\Admin\Pictures\wYAPgrHqL1SNjrIorgGkrcfw.exe C:\Users\Admin\AppData\Local\Temp\is-JTEND.tmp\wYAPgrHqL1SNjrIorgGkrcfw.tmp
PID 1588 wrote to memory of 3736 N/A C:\Users\Admin\Pictures\wYAPgrHqL1SNjrIorgGkrcfw.exe C:\Users\Admin\AppData\Local\Temp\is-JTEND.tmp\wYAPgrHqL1SNjrIorgGkrcfw.tmp
PID 1588 wrote to memory of 3736 N/A C:\Users\Admin\Pictures\wYAPgrHqL1SNjrIorgGkrcfw.exe C:\Users\Admin\AppData\Local\Temp\is-JTEND.tmp\wYAPgrHqL1SNjrIorgGkrcfw.tmp
PID 3076 wrote to memory of 2512 N/A C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\e73mXWP0mNGAUDtqyWSzT0cc.exe
PID 3076 wrote to memory of 2512 N/A C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\e73mXWP0mNGAUDtqyWSzT0cc.exe
PID 3076 wrote to memory of 2512 N/A C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\e73mXWP0mNGAUDtqyWSzT0cc.exe
PID 3512 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 4120 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\is-L842G.tmp\RfITsihBnr04EUkMQKL6elQn.tmp C:\Users\Admin\AppData\Local\Temp\is-5B6RM.tmp\_isetup\_setup64.tmp

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Users\Admin\Pictures\iDCs9xGiPqgVq7phzX1AwmBD.exe

"C:\Users\Admin\Pictures\iDCs9xGiPqgVq7phzX1AwmBD.exe"

C:\Users\Admin\Pictures\MFbfCzqSHG6t0tBSxrN2Ea9A.exe

"C:\Users\Admin\Pictures\MFbfCzqSHG6t0tBSxrN2Ea9A.exe"

C:\Users\Admin\Pictures\RfITsihBnr04EUkMQKL6elQn.exe

"C:\Users\Admin\Pictures\RfITsihBnr04EUkMQKL6elQn.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\HpD0aeXwlAtf2RbiI6bnx6gp.exe

"C:\Users\Admin\Pictures\HpD0aeXwlAtf2RbiI6bnx6gp.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\Pictures\SAOWW3PUn42N6WSQVsX3ikfE.exe

"C:\Users\Admin\Pictures\SAOWW3PUn42N6WSQVsX3ikfE.exe"

C:\Users\Admin\Pictures\19ldxFLtcYfUsvwAsGluBbma.exe

"C:\Users\Admin\Pictures\19ldxFLtcYfUsvwAsGluBbma.exe"

C:\Users\Admin\Pictures\wYAPgrHqL1SNjrIorgGkrcfw.exe

"C:\Users\Admin\Pictures\wYAPgrHqL1SNjrIorgGkrcfw.exe"

C:\Users\Admin\Pictures\jJUKrJHQSsibYQEHnUTglZ2c.exe

"C:\Users\Admin\Pictures\jJUKrJHQSsibYQEHnUTglZ2c.exe"

C:\Users\Admin\Pictures\xvReIRai3nPz0FJq0C2TWrSs.exe

"C:\Users\Admin\Pictures\xvReIRai3nPz0FJq0C2TWrSs.exe"

C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe

"C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe" --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\is-L842G.tmp\RfITsihBnr04EUkMQKL6elQn.tmp

"C:\Users\Admin\AppData\Local\Temp\is-L842G.tmp\RfITsihBnr04EUkMQKL6elQn.tmp" /SL5="$60214,5025136,832512,C:\Users\Admin\Pictures\RfITsihBnr04EUkMQKL6elQn.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe

C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6f3e8538,0x6f3e8548,0x6f3e8554

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\AppData\Local\Temp\is-JTEND.tmp\wYAPgrHqL1SNjrIorgGkrcfw.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JTEND.tmp\wYAPgrHqL1SNjrIorgGkrcfw.tmp" /SL5="$401DA,491750,408064,C:\Users\Admin\Pictures\wYAPgrHqL1SNjrIorgGkrcfw.exe"

C:\Users\Admin\Pictures\oLgzuOkfBIUGXs2rogG2xzvj.exe

"C:\Users\Admin\Pictures\oLgzuOkfBIUGXs2rogG2xzvj.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\e73mXWP0mNGAUDtqyWSzT0cc.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\e73mXWP0mNGAUDtqyWSzT0cc.exe" --version

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\is-5B6RM.tmp\_isetup\_setup64.tmp

helper 105 0x444

C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe

"C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3076 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231005083440" --session-guid=665dd29f-53a9-48f9-bad4-18d9a080e2db --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=EC04000000000000

C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe

C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2bc,0x2f8,0x6d918538,0x6d918548,0x6d918554

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

"C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe"

C:\Users\Admin\AppData\Local\Temp\is-AK2LF.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-AK2LF.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\1b-f8ac6-463-f04b3-080827c022e62\Lyvykeqyge.exe

"C:\Users\Admin\AppData\Local\Temp\1b-f8ac6-463-f04b3-080827c022e62\Lyvykeqyge.exe"

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Program Files\Windows Portable Devices\CYGPBTRKZO\lightcleaner.exe

"C:\Program Files\Windows Portable Devices\CYGPBTRKZO\lightcleaner.exe" /VERYSILENT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 804

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\is-IESDT.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IESDT.tmp\lightcleaner.tmp" /SL5="$7026E,833775,56832,C:\Program Files\Windows Portable Devices\CYGPBTRKZO\lightcleaner.exe" /VERYSILENT

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834401\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834401\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834401\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834401\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834401\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834401\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x248,0x270,0x274,0x26c,0x278,0x24e8a0,0x24e8b0,0x24e8bc

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

Network

Country Destination Domain Proto

Files

memory/1752-1-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/1752-0-0x00000000004C0000-0x0000000000508000-memory.dmp

memory/1752-2-0x0000000004F80000-0x000000000501C000-memory.dmp

memory/1752-3-0x0000000005750000-0x0000000005CF4000-memory.dmp

memory/1752-4-0x00000000052A0000-0x0000000005332000-memory.dmp

memory/1752-5-0x0000000005110000-0x0000000005120000-memory.dmp

memory/1752-6-0x0000000004E80000-0x0000000004E8A000-memory.dmp

memory/1752-7-0x0000000005220000-0x0000000005248000-memory.dmp

memory/1752-8-0x0000000005280000-0x000000000529A000-memory.dmp

memory/440-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2084-11-0x0000000004840000-0x0000000004876000-memory.dmp

memory/1752-12-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/2084-13-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/2084-14-0x0000000004EF0000-0x0000000005518000-memory.dmp

memory/2084-17-0x00000000048B0000-0x00000000048C0000-memory.dmp

memory/2084-16-0x00000000048B0000-0x00000000048C0000-memory.dmp

memory/440-15-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/440-18-0x0000000005330000-0x0000000005340000-memory.dmp

memory/2084-19-0x0000000005670000-0x0000000005692000-memory.dmp

memory/2084-20-0x0000000005710000-0x0000000005776000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qekpbj4d.4w0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2084-23-0x0000000005940000-0x00000000059A6000-memory.dmp

memory/2084-31-0x00000000059B0000-0x0000000005D04000-memory.dmp

memory/2084-45-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

memory/2084-70-0x0000000006050000-0x000000000609C000-memory.dmp

C:\Users\Admin\Pictures\iDCs9xGiPqgVq7phzX1AwmBD.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\MFbfCzqSHG6t0tBSxrN2Ea9A.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\Pictures\MFbfCzqSHG6t0tBSxrN2Ea9A.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\Pictures\iDCs9xGiPqgVq7phzX1AwmBD.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\MFbfCzqSHG6t0tBSxrN2Ea9A.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\Pictures\KLccsei5yRKzNuLcwan25smB.exe

MD5 24fe48030f7d3097d5882535b04c3fa8
SHA1 a689a999a5e62055bda8c21b1dbe92c119308def
SHA256 424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e
SHA512 45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

C:\Users\Admin\Pictures\DaZXfsgLyTcwqSLbDTTH406v.exe

MD5 dde72ae232dc63298465861482d7bb93
SHA1 557c5dbebc35bc82280e2a744a03ce5e78b3e6fb
SHA256 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
SHA512 389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

C:\Users\Admin\Pictures\iDCs9xGiPqgVq7phzX1AwmBD.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\RfITsihBnr04EUkMQKL6elQn.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

C:\Users\Admin\Pictures\RfITsihBnr04EUkMQKL6elQn.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

memory/1780-97-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\HpD0aeXwlAtf2RbiI6bnx6gp.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\SAOWW3PUn42N6WSQVsX3ikfE.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\19ldxFLtcYfUsvwAsGluBbma.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

C:\Users\Admin\Pictures\19ldxFLtcYfUsvwAsGluBbma.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

C:\Users\Admin\Pictures\xvReIRai3nPz0FJq0C2TWrSs.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

memory/4016-174-0x0000000074D70000-0x0000000075520000-memory.dmp

C:\Users\Admin\Pictures\wYAPgrHqL1SNjrIorgGkrcfw.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/4016-158-0x00000000004C0000-0x00000000007DC000-memory.dmp

C:\Users\Admin\Pictures\19ldxFLtcYfUsvwAsGluBbma.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

C:\Users\Admin\Pictures\SAOWW3PUn42N6WSQVsX3ikfE.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\jJUKrJHQSsibYQEHnUTglZ2c.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

C:\Users\Admin\Pictures\jJUKrJHQSsibYQEHnUTglZ2c.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

C:\Users\Admin\Pictures\jJUKrJHQSsibYQEHnUTglZ2c.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\HpD0aeXwlAtf2RbiI6bnx6gp.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\RfITsihBnr04EUkMQKL6elQn.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

C:\Users\Admin\Pictures\HpD0aeXwlAtf2RbiI6bnx6gp.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\wYAPgrHqL1SNjrIorgGkrcfw.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\AppData\Local\Temp\is-L842G.tmp\RfITsihBnr04EUkMQKL6elQn.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe

MD5 feb67552f2269bcd0fe1ccb8e005f0e5
SHA1 91165290fbf3dc14e3b5c5e2dcb668b1e6adaf85
SHA256 a0658a1b2419fdd27f55bf31a77ff7f91d966ed2b47b5692cf350a2ad6ae90b6
SHA512 354984d73f488f71063b0b3f41c34aa48fd69ed37597b4d0e4ef272fe4dc6cb2071263a4a415da46528b0b32303d9445d3744924da5d79c29da5f0f5bf73f059

C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe

MD5 feb67552f2269bcd0fe1ccb8e005f0e5
SHA1 91165290fbf3dc14e3b5c5e2dcb668b1e6adaf85
SHA256 a0658a1b2419fdd27f55bf31a77ff7f91d966ed2b47b5692cf350a2ad6ae90b6
SHA512 354984d73f488f71063b0b3f41c34aa48fd69ed37597b4d0e4ef272fe4dc6cb2071263a4a415da46528b0b32303d9445d3744924da5d79c29da5f0f5bf73f059

C:\Users\Admin\Pictures\xvReIRai3nPz0FJq0C2TWrSs.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

memory/1588-206-0x0000000000400000-0x000000000046A000-memory.dmp

memory/3076-207-0x0000000000AB0000-0x0000000000FFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050834356953076.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\Pictures\wYAPgrHqL1SNjrIorgGkrcfw.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/4120-208-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/2084-219-0x0000000074D70000-0x0000000075520000-memory.dmp

C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe

MD5 feb67552f2269bcd0fe1ccb8e005f0e5
SHA1 91165290fbf3dc14e3b5c5e2dcb668b1e6adaf85
SHA256 a0658a1b2419fdd27f55bf31a77ff7f91d966ed2b47b5692cf350a2ad6ae90b6
SHA512 354984d73f488f71063b0b3f41c34aa48fd69ed37597b4d0e4ef272fe4dc6cb2071263a4a415da46528b0b32303d9445d3744924da5d79c29da5f0f5bf73f059

C:\Users\Admin\Pictures\oLgzuOkfBIUGXs2rogG2xzvj.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\oLgzuOkfBIUGXs2rogG2xzvj.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\oLgzuOkfBIUGXs2rogG2xzvj.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/4016-199-0x0000000005340000-0x0000000005502000-memory.dmp

C:\Users\Admin\Pictures\xvReIRai3nPz0FJq0C2TWrSs.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050834370235080.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/440-224-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/2084-227-0x00000000048B0000-0x00000000048C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-JTEND.tmp\wYAPgrHqL1SNjrIorgGkrcfw.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

memory/5080-228-0x0000000000AB0000-0x0000000000FFD000-memory.dmp

memory/2512-248-0x00000000007C0000-0x0000000000D0D000-memory.dmp

memory/2512-250-0x00000000007C0000-0x0000000000D0D000-memory.dmp

memory/2084-252-0x00000000048B0000-0x00000000048C0000-memory.dmp

memory/2752-253-0x00007FF6B7E80000-0x00007FF6B7F6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-5B6RM.tmp\_isetup\_setup64.tmp

MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

memory/1780-255-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3736-256-0x0000000000680000-0x0000000000681000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050834386172512.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050834386172512.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\is-AK2LF.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\e73mXWP0mNGAUDtqyWSzT0cc.exe

MD5 feb67552f2269bcd0fe1ccb8e005f0e5
SHA1 91165290fbf3dc14e3b5c5e2dcb668b1e6adaf85
SHA256 a0658a1b2419fdd27f55bf31a77ff7f91d966ed2b47b5692cf350a2ad6ae90b6
SHA512 354984d73f488f71063b0b3f41c34aa48fd69ed37597b4d0e4ef272fe4dc6cb2071263a4a415da46528b0b32303d9445d3744924da5d79c29da5f0f5bf73f059

C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe

MD5 feb67552f2269bcd0fe1ccb8e005f0e5
SHA1 91165290fbf3dc14e3b5c5e2dcb668b1e6adaf85
SHA256 a0658a1b2419fdd27f55bf31a77ff7f91d966ed2b47b5692cf350a2ad6ae90b6
SHA512 354984d73f488f71063b0b3f41c34aa48fd69ed37597b4d0e4ef272fe4dc6cb2071263a4a415da46528b0b32303d9445d3744924da5d79c29da5f0f5bf73f059

C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe

MD5 feb67552f2269bcd0fe1ccb8e005f0e5
SHA1 91165290fbf3dc14e3b5c5e2dcb668b1e6adaf85
SHA256 a0658a1b2419fdd27f55bf31a77ff7f91d966ed2b47b5692cf350a2ad6ae90b6
SHA512 354984d73f488f71063b0b3f41c34aa48fd69ed37597b4d0e4ef272fe4dc6cb2071263a4a415da46528b0b32303d9445d3744924da5d79c29da5f0f5bf73f059

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050834411011964.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1964-268-0x0000000000AB0000-0x0000000000FFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-L842G.tmp\RfITsihBnr04EUkMQKL6elQn.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

C:\Users\Admin\Pictures\e73mXWP0mNGAUDtqyWSzT0cc.exe

MD5 feb67552f2269bcd0fe1ccb8e005f0e5
SHA1 91165290fbf3dc14e3b5c5e2dcb668b1e6adaf85
SHA256 a0658a1b2419fdd27f55bf31a77ff7f91d966ed2b47b5692cf350a2ad6ae90b6
SHA512 354984d73f488f71063b0b3f41c34aa48fd69ed37597b4d0e4ef272fe4dc6cb2071263a4a415da46528b0b32303d9445d3744924da5d79c29da5f0f5bf73f059

memory/1112-272-0x00007FF602770000-0x00007FF602CB3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050834419924764.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1588-282-0x0000000000400000-0x000000000046A000-memory.dmp

memory/4764-286-0x0000000000AB0000-0x0000000000FFD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 5e504b2381f8ed4b64ce332b44caac31
SHA1 5d48b05aac6b198fc02aa3938629f87d2ce1b289
SHA256 bc6e67c4438e5688889f9e3a8c6143f1f766a97e049fb845476c079ed8d8d00e
SHA512 c34b9489068c3952523a61d97dedf8419c742a96dc25d79cadae20be5732ebaea996ed39850a551d08c63d621801785f1e42a68b6a37a85405f0215035644a88

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 5e504b2381f8ed4b64ce332b44caac31
SHA1 5d48b05aac6b198fc02aa3938629f87d2ce1b289
SHA256 bc6e67c4438e5688889f9e3a8c6143f1f766a97e049fb845476c079ed8d8d00e
SHA512 c34b9489068c3952523a61d97dedf8419c742a96dc25d79cadae20be5732ebaea996ed39850a551d08c63d621801785f1e42a68b6a37a85405f0215035644a88

C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

MD5 c02dfceb88e77fe8e56237b7dcdc94c4
SHA1 dbffea96b6105ef302424544714e82748bbb214b
SHA256 7c84dff6c0185a320ee5eaea1c53c75ee244754b3a5c3cc8643bf3eacd60af31
SHA512 bedd020c8fd75315c41a40d5ed12e5dd96b37e58727f0eeb484ca8fa4fb21b590d245b00eb99ff6e6f3ce7b551e1a78b0d91d867847d81671dc53fcf6411f556

memory/2084-298-0x000000007F570000-0x000000007F580000-memory.dmp

memory/2084-302-0x0000000006500000-0x0000000006532000-memory.dmp

memory/2084-305-0x00000000704D0000-0x000000007051C000-memory.dmp

memory/2084-317-0x00000000064E0000-0x00000000064FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\027552071446

MD5 c8ec12826fb447c9fb5b680bf5a32bfd
SHA1 503f95caa4ac4475eb444d1f05211d2cec01b45a
SHA256 cd2edee3543caad6ff952c2dcd6a41b763937306e36584989a49956d7e23950e
SHA512 00a38781c4059ec2657940cf6f7f1105386ed38e36b8a31ccb388ee0eb6ea85f3907fded8de8e911ee6c5a60d5984bd6dd327a747e270e396cb07bfa46cba51a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 9a6c17eda46f493e5e016d56ae832657
SHA1 59237414a752d2e9467057e90e650c127f5c0ff8
SHA256 135551090ac6ac3cad49d9001aef41ac2766fd3e38d33644185a3ae9d1104ccd
SHA512 c9fa3a62eeb8fa0388ab0f2c4e0d42551dadc4daef119c871651cc8606052570ddb25a4708a6e66a7b99fc92222e04397c358b11efcc3ef8980c56eb5c70b886

C:\Users\Admin\AppData\Local\Temp\is-AK2LF.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/1112-357-0x00007FF602770000-0x00007FF602CB3000-memory.dmp

memory/4120-359-0x0000000000400000-0x000000000071C000-memory.dmp

memory/3076-360-0x0000000000AB0000-0x0000000000FFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000042051\s6.exe

MD5 c02dfceb88e77fe8e56237b7dcdc94c4
SHA1 dbffea96b6105ef302424544714e82748bbb214b
SHA256 7c84dff6c0185a320ee5eaea1c53c75ee244754b3a5c3cc8643bf3eacd60af31
SHA512 bedd020c8fd75315c41a40d5ed12e5dd96b37e58727f0eeb484ca8fa4fb21b590d245b00eb99ff6e6f3ce7b551e1a78b0d91d867847d81671dc53fcf6411f556

memory/2084-366-0x00000000078E0000-0x0000000007F5A000-memory.dmp

memory/2084-354-0x00000000071B0000-0x0000000007253000-memory.dmp

memory/2084-367-0x0000000007260000-0x000000000727A000-memory.dmp

memory/3736-369-0x0000000000400000-0x0000000000513000-memory.dmp

memory/1964-370-0x0000000000AB0000-0x0000000000FFD000-memory.dmp

memory/748-368-0x000001C33C8D0000-0x000001C33C954000-memory.dmp

memory/748-375-0x000001C33CE40000-0x000001C33CEA2000-memory.dmp

memory/4120-374-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2084-377-0x00000000006D0000-0x00000000006DA000-memory.dmp

memory/748-378-0x000001C33E740000-0x000001C33E79E000-memory.dmp

memory/4016-380-0x0000000006560000-0x0000000006A8C000-memory.dmp

memory/2084-383-0x0000000007460000-0x00000000074F6000-memory.dmp

memory/748-385-0x00007FFF4DEC0000-0x00007FFF4E981000-memory.dmp

memory/2752-386-0x0000000002CA0000-0x0000000002E11000-memory.dmp

memory/2752-387-0x0000000002E20000-0x0000000002F51000-memory.dmp

memory/748-388-0x000001C33CE30000-0x000001C33CE40000-memory.dmp

memory/2084-389-0x00000000073D0000-0x00000000073E1000-memory.dmp

memory/4016-390-0x0000000074D70000-0x0000000075520000-memory.dmp

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

memory/3760-401-0x0000029E21D00000-0x0000029E21D10000-memory.dmp

memory/4120-402-0x0000000000400000-0x000000000071C000-memory.dmp

memory/3760-403-0x0000029E21D00000-0x0000029E21D10000-memory.dmp

memory/4016-404-0x0000000005040000-0x0000000005050000-memory.dmp

memory/3760-405-0x0000029E21E80000-0x0000029E21EA2000-memory.dmp

memory/3760-415-0x00007FFF4DEC0000-0x00007FFF4E981000-memory.dmp

memory/1780-416-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3760-420-0x0000029E21D00000-0x0000029E21D10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

memory/2084-424-0x0000000007400000-0x000000000740E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1b-f8ac6-463-f04b3-080827c022e62\Lyvykeqyge.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

memory/1112-441-0x00007FF602770000-0x00007FF602CB3000-memory.dmp

C:\Program Files\Windows Portable Devices\CYGPBTRKZO\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\1b-f8ac6-463-f04b3-080827c022e62\Lyvykeqyge.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/5904-467-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-IESDT.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

C:\Users\Admin\AppData\Local\Temp\is-6C335.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/3736-486-0x0000000000400000-0x0000000000513000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4d4e669c5f8a45f989edb350cf3a7b95
SHA1 293c58adf37f27bfff9b0f349db39b012a514b3d
SHA256 c3a2392305865eb07f185a1795a80c123312171e18a0ee06defe9a2c3767c8e2
SHA512 7143b3943e49b1beb198b4f587402fcabc0de140e2db5f466fd078af76595b3a1cda7c9c9381f692f99187e8b24a964bd5e5fd425d8ca93ecebd8b201190a397

memory/1588-494-0x0000000000400000-0x000000000046A000-memory.dmp

memory/6044-521-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/5904-522-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Users\Admin\Pictures\SAOWW3PUn42N6WSQVsX3ikfE.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/1112-528-0x00007FF602770000-0x00007FF602CB3000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834401\opera_package

MD5 1b4af0087d5df808f26f57534a532aa9
SHA1 d32d1fcecbef0e361d41943477a1df25114ce7af
SHA256 22c21ff3d0f5af1c2191318ea12921cfd5434afc32c0641d58fd3f3a218ea111
SHA512 e5a32022fd08464a24c89819703fd9f05c75bd5b47392aae186b96a8e1146fb0c98cda14bfec9a1393c0cdde706db77d32e7a9a86e4611c72103265982d31e07

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834401\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834401\assistant\assistant_installer.exe

MD5 0d88834a56d914983a2fe03d6c8c7a83
SHA1 e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35
SHA256 e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53
SHA512 95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834401\assistant\dbgcore.DLL

MD5 15a2bc75539a13167028a3d2940bf40a
SHA1 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86
SHA256 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693
SHA512 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834401\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

memory/5772-609-0x00007FF7D7D70000-0x00007FF7D82B3000-memory.dmp

memory/5472-651-0x00000000006A0000-0x00000000006C0000-memory.dmp

memory/5772-652-0x00007FF7D7D70000-0x00007FF7D82B3000-memory.dmp

memory/5596-658-0x00007FF78C550000-0x00007FF78C563000-memory.dmp

memory/5472-659-0x00007FF67CB60000-0x00007FF67D3A0000-memory.dmp
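The dropped-file listing above records a path and its hash set every time the file is written, so the same entry appears several times, and one SHA256 shows up under different names (C:\Users\Admin\Pictures\SAOWW3PUn42N6WSQVsX3ikfE.exe and C:\Program Files\Google\Chrome\updater.exe carry identical hashes). The Python below is an added example, not part of the sandbox's output: it parses a constructed excerpt of that listing into a de-duplicated IOC set, groups paths by SHA256 so a payload copied to a lookalike path is seen as one artefact, and flags writes into system-wide directories. The function names and the system-wide prefix list are the example's own assumptions.

```python
"""Added example, not code from the sandbox or from the report: parse the
dropped-file listing (a path line followed by MD5/SHA1/SHA256/SHA512 lines,
with memory-dump lines interleaved) into de-duplicated indicators."""
import re
from collections import defaultdict

HASH_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$', re.IGNORECASE)

# Constructed excerpt copied from the listing above. The second cred64.dll
# block is a verbatim repeat, as the report emits one block per write.
SAMPLE_LISTING = r"""
C:\Users\Admin\Pictures\SAOWW3PUn42N6WSQVsX3ikfE.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/1112-528-0x00007FF602770000-0x00007FF602CB3000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192
"""

# Assumed prefixes for "outside the user profile"; tune per environment.
SYSTEM_WIDE_PREFIXES = ("c:\\program files", "c:\\windows\\")


def parse_listing(text):
    """Return [(path, {algo: digest}), ...], one tuple per file block.
    Memory-dump lines carry no hashes and simply end the current block."""
    entries = []
    current_path, hashes = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current_path is not None:
                hashes[m.group(1).upper()] = m.group(2).lower()
            continue
        # Any other non-blank line closes the block being built.
        if current_path is not None and hashes:
            entries.append((current_path, hashes))
        current_path, hashes = (None, {}) if line.startswith("memory/") else (line, {})
    if current_path is not None and hashes:
        entries.append((current_path, hashes))
    return entries


def group_by_sha256(entries):
    """Map SHA256 -> sorted list of the distinct paths it was written to."""
    groups = defaultdict(set)
    for path, hashes in entries:
        if "SHA256" in hashes:
            groups[hashes["SHA256"]].add(path)
    return {digest: sorted(paths) for digest, paths in groups.items()}


def multi_path_hashes(groups):
    """SHA256s written under more than one name: a payload staged in a user
    directory and then copied to a lookalike system path shows up here."""
    return sorted(d for d, paths in groups.items() if len(paths) > 1)


def system_wide_drops(entries):
    """Distinct paths outside the user profile; a user-mode dropper writing
    there has either elevated or found a writable system directory."""
    return sorted({p for p, _ in entries if p.lower().startswith(SYSTEM_WIDE_PREFIXES)})


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    by_hash = group_by_sha256(parsed)
    print(f"{len(parsed)} blocks, {len(by_hash)} unique SHA256")
    for digest in multi_path_hashes(by_hash):
        print("copied under several names:", digest, by_hash[digest])
    print("system-wide drops:", system_wide_drops(parsed))
```

Feeding the whole Files section through parse_listing gives the unique hash set to block, and the multi-path groups are the ones worth a closer look, since a copy into Program Files under a vendor-looking name is the persistence target rather than the staging copy.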

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-05 08:34

Reported

2023-10-05 08:36

Platform

win7-20230831-en

Max time kernel

23s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Danabot

trojan banker danabot

Detect Fabookie payload

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HGQJHm3cInZy1j9daMxLAErb.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5DAoIKWfBJQG4PheDxx6CxX.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phIXkuvhkK1KInL3ZrRadrB5.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I3fnm7Dd2s1XmXMHMv6rxErx.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aZgzbtirFgzg1SRIHIdx7fL1.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fAnGvVYXmr4lj1VcKxIFmXZC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1AXjLLXIrkZoxVjcDjXOY0F.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5vBTZGygm2PpdkZiUvBXByQ9.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zZcMMSfsCpKHODKgh9J7PIZ5.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IbnLZo1i3vW4hNZUmHtWmLsw.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K8yEC4Z7s0W048yq1jrStbYX.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

UPX packed file

upx

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 924 set thread context of 2672 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 924 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 924 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 924 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 924 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 924 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 924 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 924 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 924 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 924 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 924 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 924 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 924 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 924 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 924 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 924 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 924 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 924 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 924 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 924 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 924 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2672 wrote to memory of 1856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\yit2tN3xMPe86OmSVI2KJppc.exe
PID 2672 wrote to memory of 1856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\yit2tN3xMPe86OmSVI2KJppc.exe
PID 2672 wrote to memory of 1856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\yit2tN3xMPe86OmSVI2KJppc.exe
PID 2672 wrote to memory of 1856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\yit2tN3xMPe86OmSVI2KJppc.exe
PID 1856 wrote to memory of 824 N/A C:\Users\Admin\Pictures\yit2tN3xMPe86OmSVI2KJppc.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1856 wrote to memory of 824 N/A C:\Users\Admin\Pictures\yit2tN3xMPe86OmSVI2KJppc.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1856 wrote to memory of 824 N/A C:\Users\Admin\Pictures\yit2tN3xMPe86OmSVI2KJppc.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1856 wrote to memory of 824 N/A C:\Users\Admin\Pictures\yit2tN3xMPe86OmSVI2KJppc.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2672 wrote to memory of 1220 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\DaGR4Uxq9gSHb12Sj5N8TlmA.exe
PID 2672 wrote to memory of 1220 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\DaGR4Uxq9gSHb12Sj5N8TlmA.exe
PID 2672 wrote to memory of 1220 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\DaGR4Uxq9gSHb12Sj5N8TlmA.exe
PID 2672 wrote to memory of 1220 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\DaGR4Uxq9gSHb12Sj5N8TlmA.exe
PID 2672 wrote to memory of 1624 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\NKiIFq8krWGLm291I9ajQ0og.exe
PID 2672 wrote to memory of 1624 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\NKiIFq8krWGLm291I9ajQ0og.exe
PID 2672 wrote to memory of 1624 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\NKiIFq8krWGLm291I9ajQ0og.exe
PID 2672 wrote to memory of 1624 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\NKiIFq8krWGLm291I9ajQ0og.exe
PID 2672 wrote to memory of 1580 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\9QozS80bxFzCTZHyV59uQdov.exe
PID 2672 wrote to memory of 1580 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\9QozS80bxFzCTZHyV59uQdov.exe
PID 2672 wrote to memory of 1580 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\9QozS80bxFzCTZHyV59uQdov.exe
PID 2672 wrote to memory of 1580 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\9QozS80bxFzCTZHyV59uQdov.exe
PID 2672 wrote to memory of 1728 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\6FDowSruIWtc4OjY4zFD1cNV.exe
PID 2672 wrote to memory of 1728 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\6FDowSruIWtc4OjY4zFD1cNV.exe
PID 2672 wrote to memory of 1728 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\6FDowSruIWtc4OjY4zFD1cNV.exe
PID 2672 wrote to memory of 1728 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\6FDowSruIWtc4OjY4zFD1cNV.exe
PID 2672 wrote to memory of 2876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\1z3I1FwRWcTRNco4H2qoGYqP.exe
PID 2672 wrote to memory of 2876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\1z3I1FwRWcTRNco4H2qoGYqP.exe
PID 2672 wrote to memory of 2876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\1z3I1FwRWcTRNco4H2qoGYqP.exe
PID 2672 wrote to memory of 2876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\1z3I1FwRWcTRNco4H2qoGYqP.exe
PID 824 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 824 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 824 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 824 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\n74btJDL7B1ZG1YPoibClFWu.exe
PID 2672 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\n74btJDL7B1ZG1YPoibClFWu.exe
PID 2672 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\n74btJDL7B1ZG1YPoibClFWu.exe
PID 2672 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\n74btJDL7B1ZG1YPoibClFWu.exe
PID 2672 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\n74btJDL7B1ZG1YPoibClFWu.exe
PID 2672 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\n74btJDL7B1ZG1YPoibClFWu.exe
PID 2672 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\n74btJDL7B1ZG1YPoibClFWu.exe
PID 824 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 1564 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\Pictures\FwluabbDaeMpfgVhK7m7PXqF.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
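The signatures above and the process list that follows record the concrete evasion and persistence steps of this run: a Defender path exclusion added through Add-MpPreference, EnableLUA set to 0, the Windows Update services stopped with sc, a scheduled task created from an XML file to run as System plus another repeating every minute, nhdues.exe locking down its own directory with cacls, and self-deletion through taskkill and erase. The Python below is an added example, not code from the sandbox or from any of the malware families named in the report: it runs detection rules over constructed event lines copied from those records, maps each hit to an ATT&CK technique, and returns a verdict. The rule names, the technique mapping, the three-rule threshold and the benign schtasks /Query control line are the example's own assumptions.

```python
"""Added triage example, not part of the sandbox report: score process
command lines and registry writes against the defence-evasion and
persistence behaviours this detonation recorded."""
import re

# (rule name, ATT&CK technique assigned here, regex over the lower-cased line)
CMDLINE_RULES = [
    ("defender_exclusion_added", "T1562.001",
     re.compile(r'add-mppreference\s+-exclusionpath\b')),
    ("update_services_stopped", "T1489",
     re.compile(r'\bsc\s+stop\s+(usosvc|waasmedicsvc|wuauserv|bits|dosvc)\b')),
    ("system_task_from_xml", "T1053.005",
     re.compile(r'schtasks.*?/create\b.*?/ru\s+"?system"?.*?/xml\s')),
    ("minute_repeat_task", "T1053.005",
     re.compile(r'schtasks.*?/create\b.*?/sc\s+minute\s+/mo\s+1\b')),
    ("self_acl_lockdown", "T1222.001",
     re.compile(r'cacls\s+"[^"]+"\s+/p\s+"[^"]*:n"')),
    ("sleep_timeouts_disabled", None,   # no clean technique match; keep as a signal
     re.compile(r'powercfg\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b')),
    ("self_delete_via_taskkill", "T1070.004",
     re.compile(r'taskkill\s+/im\s+.*?&\s*erase\s')),
]

# Same shape, applied to registry "Set value" / "Key created" records.
REGISTRY_RULES = [
    ("uac_disabled", "T1548.002",
     re.compile(r'policies\\system\\enablelua\s*=\s*"0"')),
    ("defender_path_exclusion", "T1562.001",
     re.compile(r'windows defender\\exclusions')),
]

# Constructed events: (kind, text) pairs copied from this run's process list
# and registry indicators, plus one benign schtasks query as a control.
SAMPLE_EVENTS = [
    ("cmdline", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force'),
    ("cmdline", r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc'),
    ("cmdline", r'C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"'),
    ("cmdline", r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F'),
    ("cmdline", r'CACLS "nhdues.exe" /P "Admin:N"'),
    ("cmdline", r'powercfg /x -hibernate-timeout-ac 0'),
    ("cmdline", r'"C:\Windows\System32\cmd.exe" /c taskkill /im "DaGR4Uxq9gSHb12Sj5N8TlmA.exe" /f & erase "C:\Users\Admin\Pictures\DaGR4Uxq9gSHb12Sj5N8TlmA.exe" & exit'),
    ("cmdline", r'"C:\Windows\System32\schtasks.exe" /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"'),
    ("registry", r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"'),
    ("registry", r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths'),
]


def scan_event(kind, detail):
    """Return the (rule, technique) pairs that fire for one event.
    kind is "cmdline" for a process start or "registry" for a registry write."""
    rules = CMDLINE_RULES if kind == "cmdline" else REGISTRY_RULES
    text = detail.lower()
    return [(name, technique) for name, technique, rx in rules if rx.search(text)]


def triage(events):
    """Map each rule that fired to the evidence lines that triggered it."""
    hits = {}
    for kind, detail in events:
        for name, _technique in scan_event(kind, detail):
            hits.setdefault(name, []).append(detail)
    return hits


def verdict(hits, threshold=3):
    """Three or more distinct behaviours in one run is treated as malicious,
    one or two as suspicious. The threshold is a tuning assumption."""
    n = len(hits)
    label = "malicious" if n >= threshold else ("suspicious" if n else "clean")
    return label, sorted(hits)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    label, fired = verdict(found)
    print(label)
    for name in fired:
        print(f"  {name}: {len(found[name])} event(s)")
```

The same rules run unchanged over Sysmon event 1 command lines and event 12/13 registry records from a live host; the point of keying on the exact flags (Add-MpPreference -ExclusionPath, /ru "System" with /xml, /SC MINUTE /MO 1, cacls with :N) rather than on the binary names is that every step here is carried out by signed Windows tools.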

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\Pictures\yit2tN3xMPe86OmSVI2KJppc.exe

"C:\Users\Admin\Pictures\yit2tN3xMPe86OmSVI2KJppc.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\Pictures\DaGR4Uxq9gSHb12Sj5N8TlmA.exe

"C:\Users\Admin\Pictures\DaGR4Uxq9gSHb12Sj5N8TlmA.exe"

C:\Users\Admin\Pictures\1z3I1FwRWcTRNco4H2qoGYqP.exe

"C:\Users\Admin\Pictures\1z3I1FwRWcTRNco4H2qoGYqP.exe"

C:\Users\Admin\Pictures\n74btJDL7B1ZG1YPoibClFWu.exe

"C:\Users\Admin\Pictures\n74btJDL7B1ZG1YPoibClFWu.exe" --silent --allusers=0

C:\Users\Admin\Pictures\FwluabbDaeMpfgVhK7m7PXqF.exe

"C:\Users\Admin\Pictures\FwluabbDaeMpfgVhK7m7PXqF.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\Pictures\jNOBSkYkcahCLlI2QimWMq7u.exe

"C:\Users\Admin\Pictures\jNOBSkYkcahCLlI2QimWMq7u.exe"

C:\Users\Admin\Pictures\4Lqbaj4YR3sWvhmcJ1u0dhj9.exe

"C:\Users\Admin\Pictures\4Lqbaj4YR3sWvhmcJ1u0dhj9.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Users\Admin\Pictures\6FDowSruIWtc4OjY4zFD1cNV.exe

"C:\Users\Admin\Pictures\6FDowSruIWtc4OjY4zFD1cNV.exe"

C:\Users\Admin\Pictures\9QozS80bxFzCTZHyV59uQdov.exe

"C:\Users\Admin\Pictures\9QozS80bxFzCTZHyV59uQdov.exe"

C:\Users\Admin\Pictures\NKiIFq8krWGLm291I9ajQ0og.exe

"C:\Users\Admin\Pictures\NKiIFq8krWGLm291I9ajQ0og.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\is-RCM9E.tmp\FwluabbDaeMpfgVhK7m7PXqF.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RCM9E.tmp\FwluabbDaeMpfgVhK7m7PXqF.tmp" /SL5="$201B8,491750,408064,C:\Users\Admin\Pictures\FwluabbDaeMpfgVhK7m7PXqF.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\is-ED5F3.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-ED5F3.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\8447885564.exe"

C:\Users\Admin\AppData\Local\Temp\8447885564.exe

"C:\Users\Admin\AppData\Local\Temp\8447885564.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {ED9CF3EE-59A6-4225-BED1-8C55DE4AAC3E} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "DaGR4Uxq9gSHb12Sj5N8TlmA.exe" /f & erase "C:\Users\Admin\Pictures\DaGR4Uxq9gSHb12Sj5N8TlmA.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "DaGR4Uxq9gSHb12Sj5N8TlmA.exe" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Program Files\DVD Maker\SKBJTVQHAH\lightcleaner.exe

"C:\Program Files\DVD Maker\SKBJTVQHAH\lightcleaner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\8e-fd121-192-bcf94-36eaa3f06daa0\Nuhokytine.exe

"C:\Users\Admin\AppData\Local\Temp\8e-fd121-192-bcf94-36eaa3f06daa0\Nuhokytine.exe"

C:\Users\Admin\AppData\Local\Temp\is-5JLR5.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5JLR5.tmp\lightcleaner.tmp" /SL5="$D01C6,833775,56832,C:\Program Files\DVD Maker\SKBJTVQHAH\lightcleaner.exe" /VERYSILENT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 384

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231005083517.log C:\Windows\Logs\CBS\CbsPersist_20231005083517.cab

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\syswow64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\8447885564.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\Pictures\jNOBSkYkcahCLlI2QimWMq7u.exe

"C:\Users\Admin\Pictures\jNOBSkYkcahCLlI2QimWMq7u.exe"

C:\Users\Admin\Pictures\NKiIFq8krWGLm291I9ajQ0og.exe

"C:\Users\Admin\Pictures\NKiIFq8krWGLm291I9ajQ0og.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network


Files

SHA256 f1136c77152391a775133dd4c9d4c8433bb387ffa878bca4229a8b5cf20e0d4e
SHA512 f37ba3fa7d2db9df6bc9d6fe11fe74d4e77f0a8ab743105e43523caf791c162697422af3dc2181c4d5b6330be514626e5f37a56c011555c0709f4a142b74e621

memory/1564-398-0x0000000000400000-0x000000000046A000-memory.dmp

memory/2672-400-0x000000000A3C0000-0x000000000A90D000-memory.dmp

memory/1728-401-0x0000000005B40000-0x0000000005B80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-ED5F3.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

\Users\Admin\AppData\Local\Temp\is-ED5F3.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Local\Temp\is-ED5F3.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4bb2f544dd566e1e4ea6d37426bab952
SHA1 e2995acc890ef3a0dfc623c0ce26d6cd6c160998
SHA256 f1136c77152391a775133dd4c9d4c8433bb387ffa878bca4229a8b5cf20e0d4e
SHA512 f37ba3fa7d2db9df6bc9d6fe11fe74d4e77f0a8ab743105e43523caf791c162697422af3dc2181c4d5b6330be514626e5f37a56c011555c0709f4a142b74e621

memory/1672-414-0x0000000000380000-0x0000000000404000-memory.dmp

memory/1672-424-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

memory/1672-425-0x00000000002C0000-0x0000000000322000-memory.dmp

memory/1728-427-0x0000000005B40000-0x0000000005B80000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MX8JXWIYAFJLYCPLI8JH.temp

MD5 2ce3df00c179cab69d0c7a2d60306781
SHA1 faa14b46f70070abc5b9f068aefe442ce4834784
SHA256 8b71d7972c5f478cdfd1baee568c2813cd9f5c8fba1f7e891984bfcecd4fb340
SHA512 921e1487ae1d963a5b62c11ae37d56aec96ae2941e88b52451e3ab909c474f290891da85c09776e3c5fa9924489a678347c5857ac8c63ff283e75bbd68d0977c

memory/2180-432-0x000000001B220000-0x000000001B502000-memory.dmp

memory/2180-433-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

memory/2180-434-0x000007FEF37C0000-0x000007FEF415D000-memory.dmp

memory/2180-435-0x0000000002820000-0x00000000028A0000-memory.dmp

memory/2180-436-0x0000000002820000-0x00000000028A0000-memory.dmp

memory/2496-437-0x0000000000400000-0x0000000000513000-memory.dmp

memory/2180-438-0x0000000002820000-0x00000000028A0000-memory.dmp

memory/2180-439-0x0000000002820000-0x00000000028A0000-memory.dmp

memory/2180-440-0x000007FEF37C0000-0x000007FEF415D000-memory.dmp

memory/1672-441-0x0000000002300000-0x000000000235E000-memory.dmp

memory/2180-442-0x000007FEF37C0000-0x000007FEF415D000-memory.dmp

memory/2496-443-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1220-444-0x0000000000650000-0x0000000000750000-memory.dmp

memory/1220-445-0x00000000002C0000-0x00000000002FE000-memory.dmp

memory/1220-446-0x0000000000400000-0x00000000005B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

memory/1580-451-0x000000013FFB0000-0x00000001404F3000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\9QozS80bxFzCTZHyV59uQdov.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/1580-454-0x000000013FFB0000-0x00000001404F3000-memory.dmp

memory/1728-455-0x0000000005B40000-0x0000000005B80000-memory.dmp

memory/2876-456-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/2876-457-0x0000000000290000-0x00000000002E1000-memory.dmp

memory/2876-458-0x0000000000400000-0x00000000005C2000-memory.dmp

memory/1672-460-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

memory/1220-450-0x0000000000400000-0x00000000005B9000-memory.dmp

\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/1728-465-0x0000000005B40000-0x0000000005B80000-memory.dmp

memory/1672-469-0x000000001AF60000-0x000000001AFE0000-memory.dmp

memory/2148-470-0x0000000000970000-0x0000000000EBD000-memory.dmp

memory/2616-472-0x0000000003230000-0x00000000033A1000-memory.dmp

memory/2616-473-0x0000000002DD0000-0x0000000002F01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8447885564.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

\Users\Admin\AppData\Local\Temp\8447885564.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

C:\Users\Admin\AppData\Local\Temp\8447885564.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

\Users\Admin\AppData\Local\Temp\8447885564.exe

MD5 a7d77fc1a1794b646deb45ae5530b4e0
SHA1 49f6b846739d81a687f4378b4194f6e21c114f88
SHA256 888af4c53350a2be69181d573583ce047e1b49bc9bfb4b2d8cf4b870a0e68535
SHA512 78ae752ce74d544f02b1122e504992ca54072a1f6104f130be8888dacc94617b48283a54e1a969a2dc54743414d6a369bd4fa33c04487267663d7f8d9736c84a

memory/2088-478-0x0000000002370000-0x00000000027D4000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc4c27e12a1a4c9355f9b57cb263388a
SHA1 e2b5a42e9c8cb5020b392e8e22e4cf26deae2423
SHA256 78338008d4dc0a3018ec9215aaeadcc53adc441e5b41d2af4122be000a6a1906
SHA512 ae7e6114ab6adf01653c11755b485036bc617cbbeb7fd97790c90db14625e8f950ff40665ff287f501e0cd40a7325557393135ab243ed9f41e2168f50ad3ab0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cbb6c33768131a44afeff9c8695173be
SHA1 bc3052e32dbf4bf667ebe5f0e0b77a8321c3f248
SHA256 724799f3e83486bea3232fe436327b0372fa28549303cc698740a5b59db2b08d
SHA512 da4e44cdaf5673a7db22485910f0c78dd25ff65dfc1e42297a27b360ea63ed3e3ae1f06013f2dc96c956b64cbf62f6c33155648f4b2e3981b1b965e48886eb86

memory/1220-549-0x0000000000650000-0x0000000000750000-memory.dmp

memory/1220-550-0x00000000002C0000-0x00000000002FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

memory/2876-552-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1220-556-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/2876-557-0x0000000000400000-0x00000000005C2000-memory.dmp

memory/2876-558-0x00000000002F0000-0x00000000003F0000-memory.dmp

C:\Users\Admin\Pictures\DaGR4Uxq9gSHb12Sj5N8TlmA.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

memory/2020-560-0x000000013F6C0000-0x000000013FC03000-memory.dmp

memory/1624-561-0x00000000028F0000-0x0000000002CE8000-memory.dmp

memory/1624-562-0x0000000002CF0000-0x00000000035DB000-memory.dmp

memory/2616-564-0x0000000002DD0000-0x0000000002F01000-memory.dmp

memory/1068-565-0x0000000002950000-0x0000000002D48000-memory.dmp

memory/1624-566-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1068-567-0x0000000002D50000-0x000000000363B000-memory.dmp

memory/1068-568-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/1068-569-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/2088-570-0x0000000002370000-0x00000000027D4000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Pictures\jNOBSkYkcahCLlI2QimWMq7u.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

C:\Users\Admin\Pictures\NKiIFq8krWGLm291I9ajQ0og.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0af64e10b800acdfda0ff5f422a6bb1e
SHA1 5b340f405b401b0ed437ab20321537f60f854c67
SHA256 19ba0983bc9e5ce97b144cb9e093e5fda655bb0889b0948ef0ff43fb9a5d36cc
SHA512 813c646ddb1625cb083a87d2883c17d52fb340349091d31d350148014e317341b9c6755bce41e43c6bee3b5aafa1addebe6d0a875e87bdf0dbdedc0ef274a26c

memory/1624-688-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/2876-710-0x0000000000400000-0x00000000005C2000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/2020-745-0x000000013F6C0000-0x000000013FC03000-memory.dmp

memory/1632-766-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DIDD6.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MTOC_help.H1H

MD5 678964d1833ba2ec59f947d765fcff06
SHA1 6fc1fb7ba7ba95ebf622789ba9a86b4b6784ff56
SHA256 f4262ba03dc0185f82009bff3fbe87f161e79eb5c900bd06b24b2588db88676e
SHA512 35a1df5961bcd633ebdb7912003650d714a9f038ab8d82eec79f31da9da0768d9c915bc07406d9f3b3ffab4be56790567878eaebd8930378bf7cc683200cb0ce

memory/2496-853-0x0000000000400000-0x0000000000513000-memory.dmp

memory/1564-864-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7589.txt

MD5 33d0c6f1c60d6f91ab187887528031c9
SHA1 edd0817507d0ab84ea4049b47767daa18262af0f
SHA256 d5aa6a6f71be8b33180a7a2966f7b12569d7e574c648d96546b0876a20647de4
SHA512 7fded3944b8db817ba461a82d885338752fd5ea734a8c331cca999678c4aef9574b1038706d46e29569f6f43d4601350f8735745e41d2508f4aefba13bea1610

memory/1068-868-0x0000000000400000-0x0000000000D62000-memory.dmp

memory/2088-875-0x0000000000400000-0x0000000000A00000-memory.dmp

memory/2876-881-0x0000000000400000-0x00000000005C2000-memory.dmp

memory/1632-902-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2832-900-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2088-903-0x00000000036D0000-0x0000000003EC2000-memory.dmp

memory/2088-906-0x0000000004100000-0x0000000004240000-memory.dmp

memory/2088-905-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2088-908-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2088-907-0x0000000004100000-0x0000000004240000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09