Malware Analysis Report

2025-01-02 08:21

Sample ID 231005-kgpnnabe79
Target 7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74
SHA256 7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74
Tags
amadey fabookie discovery evasion persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74

Threat Level: Known bad

The file 7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74 was found to be: Known bad.

Malicious Activity Summary

amadey fabookie discovery evasion persistence spyware stealer trojan upx

Suspicious use of NtCreateUserProcessOtherParentProcess

UAC bypass

Amadey

Fabookie

Detect Fabookie payload

Windows security bypass

Drops file in Drivers directory

Downloads MZ/PE file

Stops running service(s)

.NET Reactor protector

UPX packed file

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Drops startup file

Windows security modification

Enumerates connected drives

Adds Run key to start application

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Modifies system certificate store

Enumerates system info in registry

Suspicious behavior: LoadsDriver

System policy modification

Kills process with taskkill

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-05 08:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-05 08:34

Reported

2023-10-05 08:37

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe = "0" C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\8758677____.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\KYYyJz0mA50EpyOudRxF2qDM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\8758677____.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\AwDGfEknzpJgF6TZwr7qENXG.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sx5OCalZ6ywOA0NpoxOsK5d5.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gq4SOlBWpat6CCs67gBtO7LP.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WbRdx1RXtQWTTQxPkWmY1jXi.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Oqy3OBD81jgo9gl4khznMtgl.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KQoYNvYdp7KLLUcpyWE3s1ZZ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRMvOFKhiqnZIV7JyivsqLby.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I23pdhIdULve1E5aicZ1DEz6.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dz6c7x0wZ7OcbL8fUWMEtEBR.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cCWdwE8xEtp5wTtVzZ7EqdQ9.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xFTYKUctm9oggtWRtjv5h7Dw.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Lpzr9GFp0mRAxcIiJen7XUzV.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O6LSwX2twsyHWBRejkKyWjFj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oRz5iUVv2FM0KAz04WnW7QmB.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\KYYyJz0mA50EpyOudRxF2qDM.exe N/A
N/A N/A C:\Users\Admin\Pictures\AwDGfEknzpJgF6TZwr7qENXG.exe N/A
N/A N/A C:\Users\Admin\Pictures\dd1Oa5wBujyxlpKMnSM5LAUf.exe N/A
N/A N/A C:\Users\Admin\Pictures\y2F8nXb6VPjT8lpQDhnGskAG.exe N/A
N/A N/A C:\Users\Admin\Pictures\xGc5zCYMc55zX3zgKa0aQbaC.exe N/A
N/A N/A C:\Users\Admin\Pictures\rWUU6Q0N19glB7KQQwPO6teu.exe N/A
N/A N/A C:\Users\Admin\Pictures\eZkSfN3LWHbMWQUztOKp3vm1.exe N/A
N/A N/A C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe N/A
N/A N/A C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A
N/A N/A C:\Users\Admin\Pictures\ggJMlDM4tfN5Y2UWS8GD6D0M.exe N/A
N/A N/A C:\Users\Admin\Pictures\4Tnjwh8yOlrLZSnEFrx9t2mF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GDLJ0.tmp\eZkSfN3LWHbMWQUztOKp3vm1.tmp N/A
N/A N/A C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N9GQR.tmp\4Tnjwh8yOlrLZSnEFrx9t2mF.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A
N/A N/A C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A
N/A N/A C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\8758677____.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5f-04c17-b0d-c1e91-9ce4dbc521944\Jyxyxofehy.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\IRHCDTRAYQ\lightcleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\assistant_installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe = "0" C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigitalPulse = "\"C:\\Users\\Admin\\AppData\\Roaming\\DigitalPulse\\DigitalPulseService.exe\" 5333:::clickId=:::srcId=" C:\Users\Admin\AppData\Local\Temp\is-GDLJ0.tmp\eZkSfN3LWHbMWQUztOKp3vm1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\Hyfegaexaesha.exe\"" C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\8758677____.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe N/A
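The registry and file rows in the tables above are the highest-value indicators in this report: the initial sample sets EnableLUA to 0 (UAC consent prompts off) and writes its own path under Windows Defender\Exclusions\Paths, the Inno Setup stubs (the is-*.tmp images) register Run and RunOnce entries, and jsc.exe, a .NET compiler with no legitimate reason to touch the Startup folder, creates the .bat files listed under "Drops startup file". The script below is an added example, not part of the sandbox report or its tooling: it parses the four-column row layout used throughout this report, applies a small rule table, and groups the findings by the acting image. The rows in SAMPLE_ROWS are copied from this report; the rule table, the labels and the ATT&CK mappings are the example's own assumptions.

```python
"""Classify the registry / file rows of a sandbox signature table into
evasion and persistence findings.

Added example, not part of the sandbox report or its tooling. The rows in
SAMPLE_ROWS are copied from this report's tables; the rule table, the
labels and the ATT&CK mappings are this example's own assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Report row layout: "<description> <indicator> <process> <target>".
# Both the indicator and the process path may contain spaces, so the process
# column is anchored on the first " C:\" that is followed by the trailing
# " N/A" target column.
ROW_RE = re.compile(
    r"^(?P<desc>Set value \(\w+\)|Key created|Key value queried|"
    r"File created|File opened for modification) "
    r"(?P<indicator>.+?) (?P<process>C:\\.+?) N/A$"
)

# (description prefix, substring required in the indicator, label, ATT&CK id)
RULES: List[Tuple[str, str, str, Optional[str]]] = [
    ("Set value", 'Policies\\System\\EnableLUA = "0"', "UAC disabled (EnableLUA=0)", "T1548.002"),
    ("Key value queried", "Policies\\System\\EnableLUA", "UAC state queried", "T1012"),
    ("Set value", "Windows Defender\\Exclusions\\Paths\\", "Defender path exclusion added", "T1562.001"),
    ("Set value", "\\CurrentVersion\\Run\\", "Run key persistence", "T1547.001"),
    ("Set value", "\\CurrentVersion\\RunOnce\\", "RunOnce key persistence", "T1547.001"),
    ("File created", "\\Start Menu\\Programs\\Startup\\", "Startup folder drop", "T1547.001"),
    ("File opened for modification", "\\drivers\\etc\\hosts", "hosts file opened for modification", None),
]


@dataclass(frozen=True)
class Finding:
    process: str            # image that performed the action
    label: str
    attack: Optional[str]
    indicator: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_row(row: str) -> Optional[Tuple[str, str, str]]:
    """Split one table row into (description, indicator, process); None for N/A rows."""
    m = ROW_RE.match(row)
    return (m["desc"], m["indicator"], m["process"]) if m else None


def classify_rows(rows) -> List[Finding]:
    """Apply the first matching rule to every parseable row."""
    findings: List[Finding] = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        desc, indicator, process = parsed
        for prefix, needle, label, attack in RULES:
            if desc.startswith(prefix) and needle in indicator:
                findings.append(Finding(process, label, attack, indicator))
                break
    return findings


def by_process(findings) -> dict:
    """Group finding labels by the acting image's basename."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[basename(f.process)].append(f.label)
    return dict(grouped)


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe"
SAMPLE_ROWS = [  # copied from this report's signature tables
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" {SAMPLE_EXE} N/A',
    f'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Exclusions\\Paths\\{SAMPLE_EXE} = "0" {SAMPLE_EXE} N/A',
    rf'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths {SAMPLE_EXE} N/A',
    rf'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA {SAMPLE_EXE} N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigitalPulse = "\"C:\\Users\\Admin\\AppData\\Roaming\\DigitalPulse\\DigitalPulseService.exe\" 5333:::clickId=:::srcId=" C:\Users\Admin\AppData\Local\Temp\is-GDLJ0.tmp\eZkSfN3LWHbMWQUztOKp3vm1.tmp N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\Hyfegaexaesha.exe\"" C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\8758677____.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sx5OCalZ6ywOA0NpoxOsK5d5.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A',
    r'File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\8758677____.exe N/A',
    "N/A N/A N/A N/A",  # placeholder rows like the ones in this report are skipped
]

if __name__ == "__main__":
    for f in classify_rows(SAMPLE_ROWS):
        print(f"{f.attack or '-':10} {f.label:36} {basename(f.process)}")
```

The parser anchors the process column on the first " C:\" that precedes the trailing N/A target, which holds for every row in this report because the registry values that embed a path (the Defender exclusion, the Run key data) never have a space immediately before C:\. A row whose data field did contain " C:\" would split early, so the regex is a triage convenience for this row layout, not a general log parser. The "Key created" row for Exclusions\Paths produces no finding on its own; the "Set value" row that adds the sample's path is what matters.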

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reference Assemblies\IRHCDTRAYQ\lightcleaner.exe.config C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\8758677____.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\LightCleaner.exe C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-TK6B3.tmp C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-GVTCC.tmp C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp N/A
File created C:\Program Files\Reference Assemblies\IRHCDTRAYQ\lightcleaner.exe C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\Hyfegaexaesha.exe.config C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\8758677____.exe N/A
File created C:\Program Files (x86)\LightCleaner\is-NI5VJ.tmp C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\Hyfegaexaesha.exe C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\8758677____.exe N/A
File opened for modification C:\Program Files (x86)\LightCleaner\CircularProgressBar.dll C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp N/A
File opened for modification C:\Program Files (x86)\LightCleaner\VTRegScan.dll C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-OP8RR.tmp C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp N/A
File created C:\Program Files (x86)\LightCleaner\is-QD9FB.tmp C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob data omitted] C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob data omitted] C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob data omitted] C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [blob data omitted] C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [blob data omitted] C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob data omitted] C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GDLJ0.tmp\eZkSfN3LWHbMWQUztOKp3vm1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GDLJ0.tmp\eZkSfN3LWHbMWQUztOKp3vm1.tmp N/A
N/A N/A C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe N/A
N/A N/A C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe N/A
N/A N/A C:\Windows\System32\powercfg.exe N/A
N/A N/A C:\Windows\System32\powercfg.exe N/A
N/A N/A C:\Windows\System32\powercfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp N/A
N/A N/A C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe N/A
N/A N/A C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe N/A
N/A N/A C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe N/A
N/A N/A C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe N/A
N/A N/A C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe N/A
N/A N/A C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe N/A
N/A N/A C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe N/A
N/A N/A C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe N/A
N/A N/A C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe N/A
N/A N/A C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\rWUU6Q0N19glB7KQQwPO6teu.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\8758677____.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GDLJ0.tmp\eZkSfN3LWHbMWQUztOKp3vm1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5088 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 5088 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 5088 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 5088 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 5088 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 5088 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 5088 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 5088 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2628 wrote to memory of 1832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\KYYyJz0mA50EpyOudRxF2qDM.exe
PID 2628 wrote to memory of 1832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\KYYyJz0mA50EpyOudRxF2qDM.exe
PID 2628 wrote to memory of 1832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\KYYyJz0mA50EpyOudRxF2qDM.exe
PID 2628 wrote to memory of 5112 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\AwDGfEknzpJgF6TZwr7qENXG.exe
PID 2628 wrote to memory of 5112 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\AwDGfEknzpJgF6TZwr7qENXG.exe
PID 2628 wrote to memory of 5112 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\AwDGfEknzpJgF6TZwr7qENXG.exe
PID 2628 wrote to memory of 872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\dd1Oa5wBujyxlpKMnSM5LAUf.exe
PID 2628 wrote to memory of 872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\dd1Oa5wBujyxlpKMnSM5LAUf.exe
PID 2628 wrote to memory of 872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\dd1Oa5wBujyxlpKMnSM5LAUf.exe
PID 2628 wrote to memory of 1220 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\y2F8nXb6VPjT8lpQDhnGskAG.exe
PID 2628 wrote to memory of 1220 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\y2F8nXb6VPjT8lpQDhnGskAG.exe
PID 2628 wrote to memory of 1220 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\y2F8nXb6VPjT8lpQDhnGskAG.exe
PID 2628 wrote to memory of 4892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\xGc5zCYMc55zX3zgKa0aQbaC.exe
PID 2628 wrote to memory of 4892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\xGc5zCYMc55zX3zgKa0aQbaC.exe
PID 2628 wrote to memory of 4892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\xGc5zCYMc55zX3zgKa0aQbaC.exe
PID 2628 wrote to memory of 3624 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\rWUU6Q0N19glB7KQQwPO6teu.exe
PID 2628 wrote to memory of 3624 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\rWUU6Q0N19glB7KQQwPO6teu.exe
PID 2628 wrote to memory of 3624 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\rWUU6Q0N19glB7KQQwPO6teu.exe
PID 2628 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\eZkSfN3LWHbMWQUztOKp3vm1.exe
PID 2628 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\eZkSfN3LWHbMWQUztOKp3vm1.exe
PID 2628 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\eZkSfN3LWHbMWQUztOKp3vm1.exe
PID 2628 wrote to memory of 3912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe
PID 2628 wrote to memory of 3912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe
PID 2628 wrote to memory of 2168 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\ggJMlDM4tfN5Y2UWS8GD6D0M.exe
PID 2628 wrote to memory of 2168 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\ggJMlDM4tfN5Y2UWS8GD6D0M.exe
PID 2628 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\4Tnjwh8yOlrLZSnEFrx9t2mF.exe
PID 2628 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\4Tnjwh8yOlrLZSnEFrx9t2mF.exe
PID 2628 wrote to memory of 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\4Tnjwh8yOlrLZSnEFrx9t2mF.exe
PID 2628 wrote to memory of 1100 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe
PID 2628 wrote to memory of 1100 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe
PID 2628 wrote to memory of 1100 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe
PID 1832 wrote to memory of 1692 N/A C:\Users\Admin\Pictures\KYYyJz0mA50EpyOudRxF2qDM.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1832 wrote to memory of 1692 N/A C:\Users\Admin\Pictures\KYYyJz0mA50EpyOudRxF2qDM.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 1832 wrote to memory of 1692 N/A C:\Users\Admin\Pictures\KYYyJz0mA50EpyOudRxF2qDM.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 3484 wrote to memory of 1432 N/A C:\Users\Admin\Pictures\eZkSfN3LWHbMWQUztOKp3vm1.exe C:\Users\Admin\AppData\Local\Temp\is-GDLJ0.tmp\eZkSfN3LWHbMWQUztOKp3vm1.tmp
PID 3484 wrote to memory of 1432 N/A C:\Users\Admin\Pictures\eZkSfN3LWHbMWQUztOKp3vm1.exe C:\Users\Admin\AppData\Local\Temp\is-GDLJ0.tmp\eZkSfN3LWHbMWQUztOKp3vm1.tmp
PID 3484 wrote to memory of 1432 N/A C:\Users\Admin\Pictures\eZkSfN3LWHbMWQUztOKp3vm1.exe C:\Users\Admin\AppData\Local\Temp\is-GDLJ0.tmp\eZkSfN3LWHbMWQUztOKp3vm1.tmp
PID 1100 wrote to memory of 1552 N/A C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe
PID 1100 wrote to memory of 1552 N/A C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe
PID 1100 wrote to memory of 1552 N/A C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe
PID 2148 wrote to memory of 2344 N/A C:\Users\Admin\Pictures\4Tnjwh8yOlrLZSnEFrx9t2mF.exe C:\Users\Admin\AppData\Local\Temp\is-N9GQR.tmp\4Tnjwh8yOlrLZSnEFrx9t2mF.tmp
PID 2148 wrote to memory of 2344 N/A C:\Users\Admin\Pictures\4Tnjwh8yOlrLZSnEFrx9t2mF.exe C:\Users\Admin\AppData\Local\Temp\is-N9GQR.tmp\4Tnjwh8yOlrLZSnEFrx9t2mF.tmp
PID 2148 wrote to memory of 2344 N/A C:\Users\Admin\Pictures\4Tnjwh8yOlrLZSnEFrx9t2mF.exe C:\Users\Admin\AppData\Local\Temp\is-N9GQR.tmp\4Tnjwh8yOlrLZSnEFrx9t2mF.tmp
PID 1100 wrote to memory of 3904 N/A C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\4le2IRiT0Pe4IzqH9V6jmQPg.exe
PID 1100 wrote to memory of 3904 N/A C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\4le2IRiT0Pe4IzqH9V6jmQPg.exe
PID 1100 wrote to memory of 3904 N/A C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\4le2IRiT0Pe4IzqH9V6jmQPg.exe
PID 1692 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 1692 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 1692 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\schtasks.exe
PID 1692 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 2332 N/A C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe

"C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\Pictures\KYYyJz0mA50EpyOudRxF2qDM.exe

"C:\Users\Admin\Pictures\KYYyJz0mA50EpyOudRxF2qDM.exe"

C:\Users\Admin\Pictures\dd1Oa5wBujyxlpKMnSM5LAUf.exe

"C:\Users\Admin\Pictures\dd1Oa5wBujyxlpKMnSM5LAUf.exe"

C:\Users\Admin\Pictures\AwDGfEknzpJgF6TZwr7qENXG.exe

"C:\Users\Admin\Pictures\AwDGfEknzpJgF6TZwr7qENXG.exe"

C:\Users\Admin\Pictures\y2F8nXb6VPjT8lpQDhnGskAG.exe

"C:\Users\Admin\Pictures\y2F8nXb6VPjT8lpQDhnGskAG.exe"

C:\Users\Admin\Pictures\rWUU6Q0N19glB7KQQwPO6teu.exe

"C:\Users\Admin\Pictures\rWUU6Q0N19glB7KQQwPO6teu.exe"

C:\Users\Admin\Pictures\xGc5zCYMc55zX3zgKa0aQbaC.exe

"C:\Users\Admin\Pictures\xGc5zCYMc55zX3zgKa0aQbaC.exe"

C:\Users\Admin\Pictures\eZkSfN3LWHbMWQUztOKp3vm1.exe

"C:\Users\Admin\Pictures\eZkSfN3LWHbMWQUztOKp3vm1.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe

"C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe"

C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe

"C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe" --silent --allusers=0

C:\Users\Admin\Pictures\4Tnjwh8yOlrLZSnEFrx9t2mF.exe

"C:\Users\Admin\Pictures\4Tnjwh8yOlrLZSnEFrx9t2mF.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe

C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2bc,0x2f0,0x6ed48538,0x6ed48548,0x6ed48554

C:\Users\Admin\AppData\Local\Temp\is-GDLJ0.tmp\eZkSfN3LWHbMWQUztOKp3vm1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GDLJ0.tmp\eZkSfN3LWHbMWQUztOKp3vm1.tmp" /SL5="$9022A,5025136,832512,C:\Users\Admin\Pictures\eZkSfN3LWHbMWQUztOKp3vm1.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\ggJMlDM4tfN5Y2UWS8GD6D0M.exe

"C:\Users\Admin\Pictures\ggJMlDM4tfN5Y2UWS8GD6D0M.exe"

C:\Users\Admin\AppData\Local\Temp\is-N9GQR.tmp\4Tnjwh8yOlrLZSnEFrx9t2mF.tmp

"C:\Users\Admin\AppData\Local\Temp\is-N9GQR.tmp\4Tnjwh8yOlrLZSnEFrx9t2mF.tmp" /SL5="$12022E,491750,408064,C:\Users\Admin\Pictures\4Tnjwh8yOlrLZSnEFrx9t2mF.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\4le2IRiT0Pe4IzqH9V6jmQPg.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\4le2IRiT0Pe4IzqH9V6jmQPg.exe" --version

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe

"C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1100 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231005083454" --session-guid=23390497-a18c-4909-841b-e3ee1d20212a --server-tracking-blob=… --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1C05000000000000

C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe

C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2e0,0x2f0,0x2f4,0x2bc,0x2f8,0x6d538538,0x6d538548,0x6d538554

C:\Users\Admin\AppData\Local\Temp\is-A0P5I.tmp\_isetup\_setup64.tmp

helper 105 0x444

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\5f-04c17-b0d-c1e91-9ce4dbc521944\Jyxyxofehy.exe

"C:\Users\Admin\AppData\Local\Temp\5f-04c17-b0d-c1e91-9ce4dbc521944\Jyxyxofehy.exe"

C:\Program Files\Reference Assemblies\IRHCDTRAYQ\lightcleaner.exe

"C:\Program Files\Reference Assemblies\IRHCDTRAYQ\lightcleaner.exe" /VERYSILENT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 804

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp" /SL5="$6022C,833775,56832,C:\Program Files\Reference Assemblies\IRHCDTRAYQ\lightcleaner.exe" /VERYSILENT

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x6fe8a0,0x6fe8b0,0x6fe8bc

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\2363587953.exe"

C:\Users\Admin\AppData\Local\Temp\2363587953.exe

"C:\Users\Admin\AppData\Local\Temp\2363587953.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 872 -ip 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 1764

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "AwDGfEknzpJgF6TZwr7qENXG.exe" /f & erase "C:\Users\Admin\Pictures\AwDGfEknzpJgF6TZwr7qENXG.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5112 -ip 5112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1508

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "AwDGfEknzpJgF6TZwr7qENXG.exe" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2144 -ip 2144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 5180

C:\Users\Admin\Pictures\xGc5zCYMc55zX3zgKa0aQbaC.exe

"C:\Users\Admin\Pictures\xGc5zCYMc55zX3zgKa0aQbaC.exe"

C:\Users\Admin\Pictures\y2F8nXb6VPjT8lpQDhnGskAG.exe

"C:\Users\Admin\Pictures\y2F8nXb6VPjT8lpQDhnGskAG.exe"
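The process list above shows the loader's evasion and persistence chain in the clear: Defender exclusions via Add-MpPreference, a schtasks entry that re-launches nhdues.exe from Temp every minute, CACLS denying the logged-on user access to the dropped binary and its folder, sc stop against the Windows Update services, a SYSTEM task imported from an XML in Temp, rundll32 loading cred64.dll/clip64.dll from AppData\Roaming by export name, powercfg zeroing the sleep timeouts, and a taskkill/erase self-delete after the crash. The following Python is an added example, not part of the sandbox report, that turns those observations into regex rules over process-creation command lines. The sample records are copied from the list above (plus one harmless installer line that must not match); the rule names and the ATT&CK technique mappings are this example's own choices, and the EnableLUA check takes the registry write from the "System policy modification" entry.

```python
"""Rule-based triage of sandbox process command lines (added example)."""
import re
from collections import defaultdict

# Constructed sample input: command lines copied from the process list above,
# plus a benign-looking Opera installer line that should trip no rule.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74.exe" -Force',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit',
    r'"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"',
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc',
    r'C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"',
    r'C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main',
    r'"C:\Windows\System32\cmd.exe" /c taskkill /im "AwDGfEknzpJgF6TZwr7qENXG.exe" /f & erase "C:\Users\Admin\Pictures\AwDGfEknzpJgF6TZwr7qENXG.exe" & exit',
    r'"C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe" --silent --allusers=0',
]

# Registry write copied from the "System policy modification" entry above.
SAMPLE_REGISTRY = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "0"),
]

# (rule name, ATT&CK id, pattern). Names and mappings are this example's own.
RULES = [
    # Defender exclusion added for the payload path or whole profile trees.
    ("defender_exclusion", "T1562.001",
     re.compile(r'add-mppreference\b.*-exclusion(path|process|extension)', re.I)),
    # schtasks /Create whose action (/TR) lives under the user's AppData.
    ("task_runs_from_appdata", "T1053.005",
     re.compile(r'schtasks.*?/create.*?/tr\s+"?[^"]*\\appdata\\', re.I)),
    # Task definition imported from an XML in a Temp folder and run as SYSTEM.
    ("system_task_from_xml", "T1053.005",
     re.compile(r'schtasks.*?/create.*?/ru\s+"?system"?.*?/xml\s+"?[^"]*\\temp\\', re.I)),
    # CACLS <file> /P "<user>:N" denies the interactive user access to the drop.
    ("acl_self_protect", "T1222.001",
     re.compile(r'cacls\s+"[^"]+"\s+/p\s+"[^":]+:n"', re.I)),
    # Stopping Windows Update, BITS and delivery-optimisation services.
    ("stop_update_services", "T1489",
     re.compile(r'sc\s+stop\s+(usosvc|waasmedicsvc|wuauserv|bits|dosvc)\b', re.I)),
    # Zeroed sleep/hibernate timeouts keep the host awake for the miner; no single ATT&CK id.
    ("disable_sleep", "-",
     re.compile(r'powercfg\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0', re.I)),
    # rundll32 loading a DLL from AppData\Roaming by export name.
    ("rundll32_appdata_dll", "T1218.011",
     re.compile(r'rundll32(\.exe)?"?\s+\S*\\appdata\\roaming\\\S+\.dll\s*,\s*\w+', re.I)),
    # taskkill followed by erase of the same binary: self-deletion.
    ("kill_and_erase", "T1070.004",
     re.compile(r'taskkill\s+/im\s+"?[^"\s]+"?\s+/f\s*&\s*erase\b', re.I)),
]


def classify(cmdline):
    """Return [(rule_name, attack_id), ...] for every rule the command line trips."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Map rule name -> list of matching command lines across a process log."""
    hits = defaultdict(list)
    for cl in cmdlines:
        for name, _ in classify(cl):
            hits[name].append(cl)
    return dict(hits)


def uac_disabled(key, name, data):
    """True for the EnableLUA=0 write that switches UAC off (T1548.002)."""
    return (key.lower().endswith(r"\policies\system")
            and name.lower() == "enablelua"
            and str(data).strip('"') == "0")


def techniques(cmdlines, registry):
    """Sorted ATT&CK ids evidenced by the command lines and registry writes."""
    ids = {tid for cl in cmdlines for _, tid in classify(cl) if tid != "-"}
    if any(uac_disabled(*entry) for entry in registry):
        ids.add("T1548.002")
    return sorted(ids)


if __name__ == "__main__":
    for rule, lines in scan(SAMPLE_CMDLINES).items():
        print(f"{rule}: {len(lines)} hit(s)")
        for line in lines:
            print("    " + line[:110])
    print("techniques:", techniques(SAMPLE_CMDLINES, SAMPLE_REGISTRY))
```

The rules are deliberately narrow (a task whose action sits under AppData, a SYSTEM task built from an XML in Temp, a deny ACE set on a freshly dropped file) because the broad forms, such as any schtasks /Create or any powercfg call, are routine on an enterprise host; feed real Sysmon Event ID 1 or 4688 command lines into scan() to see which of these fire in your own environment before deploying them as alerts.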

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
DE 148.251.234.93:443 yip.su tcp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 8.8.8.8:53 ji.fhauiehgha.com udp
US 8.8.8.8:53 jetpackdelivery.net udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 bolidare.beget.tech udp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 lycheepanel.info udp
US 172.67.216.81:443 flyawayaero.net tcp
US 8.8.8.8:53 d062.userscloud.net udp
US 8.8.8.8:53 goboh2b.top udp
US 188.114.96.0:443 jetpackdelivery.net tcp
NL 13.227.219.122:443 downloads.digitalpulsedata.com tcp
US 8.8.8.8:53 net.geo.opera.com udp
DE 168.119.140.62:443 d062.userscloud.net tcp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
US 104.21.32.208:443 lycheepanel.info tcp
RU 212.193.49.228:80 goboh2b.top tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 link.storjshare.io udp
NL 185.26.182.111:80 net.geo.opera.com tcp
RU 91.106.207.50:80 bolidare.beget.tech tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 potatogoose.com udp
US 8.8.8.8:53 justsafepay.com udp
US 188.114.96.1:443 justsafepay.com tcp
US 104.21.35.235:443 potatogoose.com tcp
US 8.8.8.8:53 143.144.217.85.in-addr.arpa udp
US 8.8.8.8:53 10.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 122.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 208.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 62.140.119.168.in-addr.arpa udp
US 8.8.8.8:53 111.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 228.49.193.212.in-addr.arpa udp
US 8.8.8.8:53 50.207.106.91.in-addr.arpa udp
US 8.8.8.8:53 1.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 2.77.0.136.in-addr.arpa udp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
US 8.8.8.8:53 235.35.21.104.in-addr.arpa udp
US 8.8.8.8:53 81.216.67.172.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 136.0.77.2:80 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
NL 185.26.182.123:443 autoupdate.geo.opera.com tcp
NL 185.26.182.123:443 autoupdate.geo.opera.com tcp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 123.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
BG 193.42.32.29:80 193.42.32.29 tcp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 download.opera.com udp
NL 185.26.182.93:443 features.opera-api2.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
NL 82.145.216.23:443 download.opera.com tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 95.101.143.243:443 download3.operacdn.com tcp
US 8.8.8.8:53 demo.seafile.com udp
DE 168.119.152.22:80 demo.seafile.com tcp
DE 168.119.152.22:443 demo.seafile.com tcp
US 8.8.8.8:53 93.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 23.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 243.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 22.152.119.168.in-addr.arpa udp
US 8.8.8.8:53 m7val1dat0r.info udp
US 188.114.97.0:443 m7val1dat0r.info tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 connectini.net udp
GB 91.109.116.11:443 connectini.net tcp
US 8.8.8.8:53 11.116.109.91.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 vibrator.s3.pl-waw.scw.cloud udp
US 8.8.8.8:53 link.storjshare.io udp
US 136.0.77.2:443 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
PL 151.115.10.1:443 vibrator.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
DE 52.219.170.222:443 wewewe.s3.eu-central-1.amazonaws.com tcp
US 8.8.8.8:53 1.10.115.151.in-addr.arpa udp
US 8.8.8.8:53 222.170.219.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 360devtracking.com udp
GB 91.109.116.11:80 360devtracking.com tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 bapp.digitalpulsedata.com udp
CA 3.98.219.138:443 bapp.digitalpulsedata.com tcp
US 8.8.8.8:53 138.219.98.3.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
CA 129.153.49.67:7001 tcp
US 8.8.8.8:53 www.pedalsport.com udp
US 35.184.187.2:443 www.pedalsport.com tcp
US 8.8.8.8:53 67.49.153.129.in-addr.arpa udp
US 8.8.8.8:53 2.187.184.35.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
RU 5.42.64.10:80 5.42.64.10 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 22.249.124.192.in-addr.arpa udp
DE 116.202.7.149:27015 116.202.7.149 tcp
US 8.8.8.8:53 script.google.com udp
DE 172.217.23.206:80 script.google.com tcp
US 8.8.8.8:53 149.7.202.116.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
DE 172.217.23.206:443 script.google.com tcp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 script.googleusercontent.com udp
NL 142.251.36.1:443 script.googleusercontent.com tcp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
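Most of the rows above are noise for blocking purposes: the sandbox resolver's reverse (in-addr.arpa) lookups, and the Opera and Google traffic produced by the bundled installer. What is left splits into three groups a responder treats differently: hard-coded IPs with no hostname (5.42.64.10, 85.217.144.143, 129.153.49.67:7001, 116.202.7.149:27015), hostnames on non-standard ports (xmr.2miners.com:12222), and shared public services such as pastebin.com, storjshare.io, amazonaws.com and t.me, which commodity malware uses for payload hosting and dead-drop configuration and which can only be blocked per URL. The Python below is an added example, not part of the sandbox report, that parses rows in the table's format and sorts them into those buckets; the sample rows are copied from the table (including the one with an empty domain column and one exact duplicate), while the vendor and public-service suffix lists are this example's own choices.

```python
"""Bucket the sandbox Network table into DNS noise, vendor traffic, public
services and block candidates (added example)."""
from collections import defaultdict

# Constructed sample input: a subset of the rows in the table above.
SAMPLE_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 pastebin.com udp",
    "US 104.20.67.143:443 pastebin.com tcp",
    "RU 5.42.64.10:80 5.42.64.10 tcp",
    "US 85.217.144.143:80 85.217.144.143 tcp",
    "HK 103.100.211.218:80 ji.fhauiehgha.com tcp",
    "US 136.0.77.2:443 link.storjshare.io tcp",
    "US 136.0.77.2:443 link.storjshare.io tcp",
    "NL 185.26.182.111:443 net.geo.opera.com tcp",
    "DE 162.19.139.184:12222 xmr.2miners.com tcp",
    "CA 129.153.49.67:7001 tcp",
    "NL 149.154.167.99:443 t.me tcp",
    "DE 116.202.7.149:27015 116.202.7.149 tcp",
    "DE 172.217.23.206:443 script.google.com tcp",
    "DE 52.219.170.222:443 wewewe.s3.eu-central-1.amazonaws.com tcp",
    "US 188.114.97.0:443 m7val1dat0r.info tcp",
]

# Suffix lists are assumptions for this example, not part of the report.
# Traffic from the bundled Opera installer and Google Apps Script hosts.
VENDOR_DOMAINS = ("opera.com", "operacdn.com", "opera.software", "opera-api2.com",
                  "google.com", "googleusercontent.com")
# Shared services abused for payload hosting / dead drops: block per URL.
PUBLIC_SERVICES = ("pastebin.com", "storjshare.io", "amazonaws.com", "scw.cloud",
                   "userscloud.net", "seafile.com", "t.me", "beget.tech")


def parse_row(line):
    """Parse 'CC ip:port [domain] proto' into a dict; the domain may be absent."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def _under(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify_flow(row):
    """One of: dns, bare_ip, nonstandard_port, vendor, public_service, unknown_domain."""
    d = row["domain"].lower()
    if (row["port"] == 53 and row["proto"] == "udp") or d.endswith(".in-addr.arpa"):
        return "dns"
    if d == "" or d == row["ip"]:
        return "bare_ip"            # no hostname: hard-coded C2 or payload host
    if row["port"] not in (80, 443):
        return "nonstandard_port"   # e.g. the mining pool on 12222
    if _under(d, VENDOR_DOMAINS):
        return "vendor"
    if _under(d, PUBLIC_SERVICES):
        return "public_service"
    return "unknown_domain"


def triage(lines):
    """Map bucket -> sorted unique 'host:port' endpoints, DNS rows dropped."""
    buckets = defaultdict(set)
    for line in lines:
        row = parse_row(line)
        bucket = classify_flow(row)
        if bucket == "dns":
            continue
        buckets[bucket].add(f"{row['domain'] or row['ip']}:{row['port']}")
    return {k: sorted(v) for k, v in buckets.items()}


def block_candidates(lines):
    """Endpoints safe to block outright: bare IPs, odd ports, unrecognised domains."""
    t = triage(lines)
    return sorted(t.get("bare_ip", []) + t.get("nonstandard_port", [])
                  + t.get("unknown_domain", []))


if __name__ == "__main__":
    for bucket, endpoints in triage(SAMPLE_ROWS).items():
        print(f"{bucket}: {', '.join(endpoints)}")
    print("block:", block_candidates(SAMPLE_ROWS))
```

The unknown_domain bucket is the one to review by hand: a Cloudflare-fronted name such as m7val1dat0r.info resolves to shared edge addresses, so the block has to be on the hostname, not the IP, whereas the bare_ip entries can go straight into an egress deny list.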

Files

memory/5088-0-0x0000000000EE0000-0x0000000000F28000-memory.dmp

memory/5088-1-0x00000000745E0000-0x0000000074D90000-memory.dmp

memory/5088-2-0x00000000059A0000-0x0000000005A3C000-memory.dmp

memory/5088-3-0x0000000006170000-0x0000000006714000-memory.dmp

memory/5088-4-0x0000000005CC0000-0x0000000005D52000-memory.dmp

memory/5088-5-0x0000000005B90000-0x0000000005BA0000-memory.dmp

memory/5088-6-0x00000000058A0000-0x00000000058AA000-memory.dmp

memory/5088-7-0x0000000005AC0000-0x0000000005AE8000-memory.dmp

memory/5088-8-0x0000000005B50000-0x0000000005B6A000-memory.dmp

memory/3080-9-0x0000000004C00000-0x0000000004C36000-memory.dmp

memory/3080-10-0x00000000745E0000-0x0000000074D90000-memory.dmp

memory/3080-12-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/3080-11-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/2628-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3080-14-0x0000000005380000-0x00000000059A8000-memory.dmp

memory/5088-16-0x00000000745E0000-0x0000000074D90000-memory.dmp

memory/2628-17-0x00000000745E0000-0x0000000074D90000-memory.dmp

memory/2628-18-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

memory/3080-19-0x0000000005200000-0x0000000005222000-memory.dmp

memory/3080-20-0x00000000052B0000-0x0000000005316000-memory.dmp

memory/3080-21-0x00000000059B0000-0x0000000005A16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3vssg4b.t1g.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3080-31-0x0000000005BA0000-0x0000000005EF4000-memory.dmp

memory/3080-32-0x0000000006170000-0x000000000618E000-memory.dmp

memory/3080-33-0x0000000006240000-0x000000000628C000-memory.dmp

C:\Users\Admin\Pictures\pu0S0yDSd1nyqr4HoRztvHLK.exe

MD5 24fe48030f7d3097d5882535b04c3fa8
SHA1 a689a999a5e62055bda8c21b1dbe92c119308def
SHA256 424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e
SHA512 45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

C:\Users\Admin\Pictures\AwDGfEknzpJgF6TZwr7qENXG.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\Pictures\KYYyJz0mA50EpyOudRxF2qDM.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\nUlSFLtiqzJEHS07xcJAMOXw.exe

MD5 dde72ae232dc63298465861482d7bb93
SHA1 557c5dbebc35bc82280e2a744a03ce5e78b3e6fb
SHA256 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
SHA512 389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

C:\Users\Admin\Pictures\KYYyJz0mA50EpyOudRxF2qDM.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\rWUU6Q0N19glB7KQQwPO6teu.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\dd1Oa5wBujyxlpKMnSM5LAUf.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

C:\Users\Admin\Pictures\dd1Oa5wBujyxlpKMnSM5LAUf.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

C:\Users\Admin\Pictures\AwDGfEknzpJgF6TZwr7qENXG.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\Pictures\AwDGfEknzpJgF6TZwr7qENXG.exe

MD5 48d0057e8cf7a96380dafd471618851b
SHA1 a0f357c1de69c52f31f0b13db4c4d9b82bba00e7
SHA256 54e325a72006f941def72ec6c2b3187c324dd4a9d65863e9264b83af340140df
SHA512 ac2822a21a3f52d091366f0ae8fe9087e7c19c3e200ff6717f6216587031fe2aa2a7ed7395bed9372d327a7d3982b6583e79e6d29a8832f702f00ae2827f7734

C:\Users\Admin\Pictures\KYYyJz0mA50EpyOudRxF2qDM.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\xGc5zCYMc55zX3zgKa0aQbaC.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

C:\Users\Admin\Pictures\y2F8nXb6VPjT8lpQDhnGskAG.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

C:\Users\Admin\Pictures\dd1Oa5wBujyxlpKMnSM5LAUf.exe

MD5 ffb1cc96c04308e8cf27d8c8251ee01a
SHA1 2b33aa254e10f473040b8d65b53862b2bea289c4
SHA256 a8dc0238b6272da428b85bba473b20ff20346d759204b8c689b1a8af3a24a9be
SHA512 fb0df2d1c3ba98b8ff681c00a22debfc2445f39d7acd6c532681f7ef2c21d8bdc7f30306d3486182f95697d671fae601c5eb4561056d930f851d4b69c816abc0

C:\Users\Admin\Pictures\rWUU6Q0N19glB7KQQwPO6teu.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\eZkSfN3LWHbMWQUztOKp3vm1.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\rWUU6Q0N19glB7KQQwPO6teu.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\y2F8nXb6VPjT8lpQDhnGskAG.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

C:\Users\Admin\Pictures\xGc5zCYMc55zX3zgKa0aQbaC.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

memory/3080-127-0x00000000745E0000-0x0000000074D90000-memory.dmp

C:\Users\Admin\Pictures\xGc5zCYMc55zX3zgKa0aQbaC.exe

MD5 b68feec717f5a72bbb97c92d76ba8ae2
SHA1 2a7f758345bb7029f711cc239ab11c9d97c5ce2e
SHA256 27d70a3460277e9b288d645f3b986bb9bb5da4ef171e8b5e0f673376d0e7a6be
SHA512 128b80c8e840f2ad0b375bb4de948a0325c3f0edc8bf3056d8b748667ae8dc91d8a7aeff7d8656edffc66ac81389ffcc952124e874470be22e9e473c0f6565fe

C:\Users\Admin\Pictures\y2F8nXb6VPjT8lpQDhnGskAG.exe

MD5 d88f367b41afa18635f0bfb34183116d
SHA1 9c5ed052125574db17b29db79e1288a2fb4cf645
SHA256 d8795171f1813169491e289f5997f267081a9df66145301f4c75b3d0c01dce3f
SHA512 8187c5f350eb23727544ed9f25f56dcf748f0a97c54b738226e88fdc86f38808768a436b1e3950e8a9774029c0ee1ac5945697488cd9cc9ec6e8a291cb81fa4b

C:\Users\Admin\Pictures\ggJMlDM4tfN5Y2UWS8GD6D0M.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/3624-186-0x00000000745E0000-0x0000000074D90000-memory.dmp

C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe

MD5 84b09c4c203e160ea7644d117e67e4fc
SHA1 a58c7967c52f4f94aea763b222fbf43c483b2ee1
SHA256 74a6917324999c442422057e1f7cd47d78d647c07a2a27856fad196adb86b9da
SHA512 3c17edcac1e776c46556ded2a9ef3037f563d12178b1e59ed1ae245f75799510b2fc28ddd45181efa980876fb03cb8522358334535e3a6b206ae66bb06de41f0

C:\Users\Admin\Pictures\4Tnjwh8yOlrLZSnEFrx9t2mF.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/3484-200-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\4Tnjwh8yOlrLZSnEFrx9t2mF.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/1100-211-0x0000000000430000-0x000000000097D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050834498811100.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/2148-199-0x0000000000400000-0x000000000046A000-memory.dmp

memory/2168-197-0x00007FF7A9290000-0x00007FF7A937C000-memory.dmp

C:\Users\Admin\Pictures\ggJMlDM4tfN5Y2UWS8GD6D0M.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\ggJMlDM4tfN5Y2UWS8GD6D0M.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/3624-193-0x0000000000030000-0x000000000034C000-memory.dmp

C:\Users\Admin\Pictures\eZkSfN3LWHbMWQUztOKp3vm1.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe

MD5 84b09c4c203e160ea7644d117e67e4fc
SHA1 a58c7967c52f4f94aea763b222fbf43c483b2ee1
SHA256 74a6917324999c442422057e1f7cd47d78d647c07a2a27856fad196adb86b9da
SHA512 3c17edcac1e776c46556ded2a9ef3037f563d12178b1e59ed1ae245f75799510b2fc28ddd45181efa980876fb03cb8522358334535e3a6b206ae66bb06de41f0

C:\Users\Admin\Pictures\4Tnjwh8yOlrLZSnEFrx9t2mF.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/3484-174-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\eZkSfN3LWHbMWQUztOKp3vm1.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

memory/2148-216-0x0000000000400000-0x000000000046A000-memory.dmp

memory/3624-219-0x0000000004EA0000-0x0000000005062000-memory.dmp

C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe

MD5 84b09c4c203e160ea7644d117e67e4fc
SHA1 a58c7967c52f4f94aea763b222fbf43c483b2ee1
SHA256 74a6917324999c442422057e1f7cd47d78d647c07a2a27856fad196adb86b9da
SHA512 3c17edcac1e776c46556ded2a9ef3037f563d12178b1e59ed1ae245f75799510b2fc28ddd45181efa980876fb03cb8522358334535e3a6b206ae66bb06de41f0

C:\Users\Admin\AppData\Local\Temp\is-GDLJ0.tmp\eZkSfN3LWHbMWQUztOKp3vm1.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\Local\Temp\is-N9GQR.tmp\4Tnjwh8yOlrLZSnEFrx9t2mF.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

memory/3624-226-0x0000000005800000-0x0000000005810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050834518961552.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/3080-231-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/1432-232-0x00000000009F0000-0x00000000009F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe

MD5 84b09c4c203e160ea7644d117e67e4fc
SHA1 a58c7967c52f4f94aea763b222fbf43c483b2ee1
SHA256 74a6917324999c442422057e1f7cd47d78d647c07a2a27856fad196adb86b9da
SHA512 3c17edcac1e776c46556ded2a9ef3037f563d12178b1e59ed1ae245f75799510b2fc28ddd45181efa980876fb03cb8522358334535e3a6b206ae66bb06de41f0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\4le2IRiT0Pe4IzqH9V6jmQPg.exe

MD5 84b09c4c203e160ea7644d117e67e4fc
SHA1 a58c7967c52f4f94aea763b222fbf43c483b2ee1
SHA256 74a6917324999c442422057e1f7cd47d78d647c07a2a27856fad196adb86b9da
SHA512 3c17edcac1e776c46556ded2a9ef3037f563d12178b1e59ed1ae245f75799510b2fc28ddd45181efa980876fb03cb8522358334535e3a6b206ae66bb06de41f0

memory/2344-249-0x0000000000670000-0x0000000000671000-memory.dmp

memory/3904-250-0x0000000000A90000-0x0000000000FDD000-memory.dmp

memory/2628-251-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

memory/2628-248-0x00000000745E0000-0x0000000074D90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050834535683904.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/3080-255-0x00000000071F0000-0x0000000007222000-memory.dmp

memory/3080-257-0x00000000701F0000-0x000000007023C000-memory.dmp

memory/3904-258-0x0000000000A90000-0x0000000000FDD000-memory.dmp

C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe

MD5 84b09c4c203e160ea7644d117e67e4fc
SHA1 a58c7967c52f4f94aea763b222fbf43c483b2ee1
SHA256 74a6917324999c442422057e1f7cd47d78d647c07a2a27856fad196adb86b9da
SHA512 3c17edcac1e776c46556ded2a9ef3037f563d12178b1e59ed1ae245f75799510b2fc28ddd45181efa980876fb03cb8522358334535e3a6b206ae66bb06de41f0

memory/3080-273-0x0000000007230000-0x00000000072D3000-memory.dmp

memory/3080-268-0x00000000067A0000-0x00000000067BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050834546782332.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/3080-280-0x0000000007BA0000-0x000000000821A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050834551934312.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/3080-284-0x0000000007520000-0x000000000753A000-memory.dmp

C:\Users\Admin\Pictures\4le2IRiT0Pe4IzqH9V6jmQPg.exe

MD5 84b09c4c203e160ea7644d117e67e4fc
SHA1 a58c7967c52f4f94aea763b222fbf43c483b2ee1
SHA256 74a6917324999c442422057e1f7cd47d78d647c07a2a27856fad196adb86b9da
SHA512 3c17edcac1e776c46556ded2a9ef3037f563d12178b1e59ed1ae245f75799510b2fc28ddd45181efa980876fb03cb8522358334535e3a6b206ae66bb06de41f0

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 aff66d1d37a614718c14ad96eaf8a507
SHA1 e7cc2af6786fb176aede5f13b02e3befad4ef8cc
SHA256 fef73d6f4583406a18c4255ba3b5b37870692b6a52ec196cb867f42d03d8af71
SHA512 95cdcf8171e5d9bffb3e11ecd9ebe61150d05dbb2fa86bda5a0610b1dbb6047787c7c561a3a7aeb2b9f4375f33b47fd60c7ff054915a10c39c1809e366025036

C:\Users\Admin\AppData\Local\Temp\is-A0P5I.tmp\_isetup\_setup64.tmp

MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

memory/3080-301-0x0000000007590000-0x000000000759A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 aff66d1d37a614718c14ad96eaf8a507
SHA1 e7cc2af6786fb176aede5f13b02e3befad4ef8cc
SHA256 fef73d6f4583406a18c4255ba3b5b37870692b6a52ec196cb867f42d03d8af71
SHA512 95cdcf8171e5d9bffb3e11ecd9ebe61150d05dbb2fa86bda5a0610b1dbb6047787c7c561a3a7aeb2b9f4375f33b47fd60c7ff054915a10c39c1809e366025036

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310050834535683904.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/3484-306-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3912-307-0x00007FF6ED160000-0x00007FF6ED6A3000-memory.dmp

memory/2332-310-0x0000000000430000-0x000000000097D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\926387074340

MD5 c5383a173b4b624cdefbc967eb37937f
SHA1 adc36a7369941e2a39091b728da333686e9db204
SHA256 8089bdc89473e10f23b0ddc9f640989aed2889d7392f3a897f87b39752da2260
SHA512 4388a5907e58139cba7915971d5994b9bdaba3ed24ce502e2b1c7765a890ff2e1a332af5805240af88faae6a1e7f054ed9710afd9b5df4eec152822af43639b3

memory/4312-317-0x0000000000430000-0x000000000097D000-memory.dmp

memory/3080-311-0x000000007EFD0000-0x000000007EFE0000-memory.dmp

memory/3080-322-0x00000000077C0000-0x0000000007856000-memory.dmp

memory/3080-227-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/1552-224-0x0000000000430000-0x000000000097D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 aa7390d161f5576bc97b5bdb9dcb7726
SHA1 98a7451d4687940e0dc121f38b8ca9cdf238412a
SHA256 afb071c78b08650ddf146eabd79476f1868e36201c5970fc5720d569cf774b4a
SHA512 5fdb8584731fb7ff497c7e285bb1fa2ce73475b2ef2c7e2c7c673edd2668e53615b058f722789d4a4648dd0612e336b3665fb4c1e36b2bcec45638c7aef12346

C:\Users\Admin\AppData\Local\Temp\is-GDLJ0.tmp\eZkSfN3LWHbMWQUztOKp3vm1.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Local\Temp\is-FJKH9.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/2148-341-0x0000000000400000-0x000000000046A000-memory.dmp

memory/1552-344-0x0000000000430000-0x000000000097D000-memory.dmp

memory/2168-346-0x0000000002DB0000-0x0000000002EE1000-memory.dmp

memory/2344-345-0x0000000000400000-0x0000000000513000-memory.dmp

memory/1432-343-0x0000000000400000-0x000000000071C000-memory.dmp

memory/1564-348-0x00007FFE9D290000-0x00007FFE9DD51000-memory.dmp

memory/3624-349-0x00000000745E0000-0x0000000074D90000-memory.dmp

memory/2168-351-0x0000000002C30000-0x0000000002DA1000-memory.dmp

memory/3624-347-0x0000000006140000-0x000000000666C000-memory.dmp

memory/3912-353-0x00007FF6ED160000-0x00007FF6ED6A3000-memory.dmp

memory/1564-354-0x0000016E051A0000-0x0000016E05224000-memory.dmp

memory/3080-356-0x0000000007720000-0x0000000007731000-memory.dmp

memory/1432-358-0x0000000000400000-0x000000000071C000-memory.dmp

memory/1564-360-0x0000016E1F580000-0x0000016E1F5E2000-memory.dmp

memory/1564-371-0x0000016E1F6B0000-0x0000016E1F70E000-memory.dmp

memory/3624-379-0x0000000005800000-0x0000000005810000-memory.dmp

memory/1564-380-0x0000016E1F5F0000-0x0000016E1F600000-memory.dmp

memory/3896-383-0x00007FFE9D290000-0x00007FFE9DD51000-memory.dmp

memory/3896-391-0x000001A92FAD0000-0x000001A92FAF2000-memory.dmp

memory/1432-408-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5f-04c17-b0d-c1e91-9ce4dbc521944\Jyxyxofehy.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Program Files\Reference Assemblies\IRHCDTRAYQ\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\5f-04c17-b0d-c1e91-9ce4dbc521944\Jyxyxofehy.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Program Files\Reference Assemblies\IRHCDTRAYQ\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\5f-04c17-b0d-c1e91-9ce4dbc521944\Jyxyxofehy.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Users\Admin\AppData\Local\Temp\5f-04c17-b0d-c1e91-9ce4dbc521944\Jyxyxofehy.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

C:\Program Files\Reference Assemblies\IRHCDTRAYQ\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

memory/5816-440-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1432-454-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

C:\Users\Admin\AppData\Local\Temp\is-TKMB1.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/3484-473-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2344-479-0x0000000000400000-0x0000000000513000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\opera_package

MD5 1b4af0087d5df808f26f57534a532aa9
SHA1 d32d1fcecbef0e361d41943477a1df25114ce7af
SHA256 22c21ff3d0f5af1c2191318ea12921cfd5434afc32c0641d58fd3f3a218ea111
SHA512 e5a32022fd08464a24c89819703fd9f05c75bd5b47392aae186b96a8e1146fb0c98cda14bfec9a1393c0cdde706db77d32e7a9a86e4611c72103265982d31e07

memory/2148-495-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 96cb80a142b37ab4b3b6006fb9344bac
SHA1 cfb0d756fbad277e9c508cbea162cf16ea28bd8d
SHA256 bd23b440cad6871d9a49843083c3eba6dc50f464b627bb3b7515eecbfb7b7cd6
SHA512 d4a097fb09ac8170297a058667ff50df2250820734465d0043dd91c3c2c5b4f71af0f0c71331b0768e6874b59e8c027b0b89ad349a4c3f7461a9019ffaf96623

C:\Users\Admin\AppData\Local\Temp\is-SJDQI.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/5972-520-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/5816-521-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 a6afa37e2815a1c90954f8a9ca53e15f
SHA1 d4beb8641071eba90f8ccc39b659604894d33ff5
SHA256 b7e5c11848825a1fa2a293204e0364374dde22e67f83c102b70fb7a69406d207
SHA512 f24fc5508b4c73445dec8f816aa6cf7f4633c960e83befb9133f18ec16e47b163c082c8a856d48c2ed4f8ec9c885201917ef68f3b8154ff04c1cf07531f9ece2

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Users\Admin\Pictures\5bWeps8p7YE6IfutUxiLIMyW.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/3912-529-0x00007FF6ED160000-0x00007FF6ED6A3000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

MD5 79ef7e63ffe3005c8edacaa49e997bdc
SHA1 9a236cb584c86c0d047ce55cdda4576dd40b027e
SHA256 388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1
SHA512 59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

memory/5140-563-0x00007FF7C3750000-0x00007FF7C3C93000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\assistant_installer.exe

MD5 0d88834a56d914983a2fe03d6c8c7a83
SHA1 e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35
SHA256 e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53
SHA512 95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\dbghelp.dll

MD5 2215b082f5128ab5e3f28219f9c4118a
SHA1 20c6e3294a5b8ebbebb55fc0e025afff33c3834d
SHA256 98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d
SHA512 3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\dbgcore.dll

MD5 15a2bc75539a13167028a3d2940bf40a
SHA1 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86
SHA256 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693
SHA512 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310050834541\assistant\dbgcore.DLL

MD5 15a2bc75539a13167028a3d2940bf40a
SHA1 1aed6d2855b26aa7a8fb06d690a89da3fc8eca86
SHA256 07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693
SHA512 141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

memory/5140-635-0x00007FF7C3750000-0x00007FF7C3C93000-memory.dmp

memory/5892-640-0x0000000000FD0000-0x0000000000FF0000-memory.dmp

memory/5140-641-0x00007FF7C3750000-0x00007FF7C3C93000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230915_061804628.html

MD5 ec2240137ee9b837da87e72d522038a3
SHA1 da505a07aa359917230e3a17f13146412f86343a
SHA256 8e14e88c8c60e72ff0c7bb96624103214d53a44696e87a87d681ce8976103a4f
SHA512 e6a3bb82cf33e5bfc4955d7c82a5ff20da8495a969714edbfe33ee3aadc97ded7979a119301f1b28582e0d42978aed7d92e9deccb4da31d5444edd3e695dc1f1

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml

MD5 c79d743dc754585c49ffc41a15c33c71
SHA1 15df899dde702aa45be8f2fdc936cc03cf3d3016
SHA256 5aa9e0d9f982ffa00c39ee9070a398e64f33959181ebfe9d2ee497f59ea10c12
SHA512 5ba9c252c91bce7d9e6dbdc64c513e4aa6a9938502ff4c08dcf47025e03625d933aedbc0ca55ad6145fc6f86a00740edfcf48c58902a843c75e98cdf1af487a6

C:\Users\Admin\AppData\Local\Temp\wct7366.tmp

MD5 e516a60bc980095e8d156b1a99ab5eee
SHA1 238e243ffc12d4e012fd020c9822703109b987f6
SHA256 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA512 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

C:\Users\Admin\AppData\Local\Temp\5f-04c17-b0d-c1e91-9ce4dbc521944\Jyxyxofehy.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590