Malware Analysis Report

2025-01-02 09:18

Sample ID 231005-v2k63sdb6t
Target 8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe
SHA256 8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23
Tags
amadey fabookie evasion spyware stealer trojan upx danabot glupteba vidar 4841d6b1839c4fa7c20ecc420b82b347 banker dropper loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23

Threat Level: Known bad

The file 8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

Danabot

Detect Fabookie payload

Glupteba

Vidar

Amadey

Fabookie

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Stops running service(s)

Possible attempt to disable PatchGuard

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops startup file

Reads user/profile data of web browsers

UPX packed file

.NET Reactor protector

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-05 17:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-05 17:29

Reported

2023-10-05 17:31

Platform

win10v2004-20230915-en

Max time kernel

53s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Downloads MZ/PE file

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\kr5hHwzSfZuxeDy6Iusvarea.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DhkjOJs5nmUBJ7QPuAeHjc7f.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5uD8mbi9figslHPyKazgE6gw.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bjHodCT2MfAdjPKeTnJKMInw.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NgqtNCgerVW3T0V97SPWxq4n.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VhvwbDvkV3lMNvYechyS3jjc.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cPBOhV5qVphLB9wAL9jOFU2h.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xLSW7aSMzQYOYvMXXO3al2hq.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\14hTVI7E7d7qxtyUarx3gQY9.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YmoHackQJtOlmYvxJB9EVfPy.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UFHoRz639pkAVV6B5QXNFkL0.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NlgIJGHrVJv1PQTkSCVmUBad.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9iKNpzbKLAbBs2TK90njAzyC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u6zs52UPZ42YSqY65pe0T42R.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3772 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3772 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3772 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3772 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
PID 3772 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
PID 3772 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3772 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3772 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3772 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3772 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3772 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3772 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3772 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3352 wrote to memory of 1060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\kr5hHwzSfZuxeDy6Iusvarea.exe
PID 3352 wrote to memory of 1060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\kr5hHwzSfZuxeDy6Iusvarea.exe
PID 3352 wrote to memory of 1060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\kr5hHwzSfZuxeDy6Iusvarea.exe
PID 3352 wrote to memory of 2140 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe
PID 3352 wrote to memory of 2140 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe
PID 3352 wrote to memory of 2140 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe
PID 3352 wrote to memory of 5116 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\tlATYX2t3QbqTxt3i3oMjFvp.exe
PID 3352 wrote to memory of 5116 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\tlATYX2t3QbqTxt3i3oMjFvp.exe
PID 3352 wrote to memory of 5116 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\tlATYX2t3QbqTxt3i3oMjFvp.exe
PID 3352 wrote to memory of 5044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\PmAkVp78NQjAwbjD8Pj23oLv.exe
PID 3352 wrote to memory of 5044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\PmAkVp78NQjAwbjD8Pj23oLv.exe
PID 3352 wrote to memory of 5044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\PmAkVp78NQjAwbjD8Pj23oLv.exe
PID 3352 wrote to memory of 4800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\3QBTE6dAJaQT2gMdJG40NE0S.exe
PID 3352 wrote to memory of 4800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\3QBTE6dAJaQT2gMdJG40NE0S.exe
PID 3352 wrote to memory of 1676 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\1MjyNNrooKx0UqPnYWZAMlxp.exe
PID 3352 wrote to memory of 1676 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\1MjyNNrooKx0UqPnYWZAMlxp.exe
PID 3352 wrote to memory of 1676 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\1MjyNNrooKx0UqPnYWZAMlxp.exe
PID 3352 wrote to memory of 1716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\NpPVmbU0yfIj3bnlA8dxVCdP.exe
PID 3352 wrote to memory of 1716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\NpPVmbU0yfIj3bnlA8dxVCdP.exe
PID 3352 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\dz4YNI2exWEbUJ7rkAO022dB.exe
PID 3352 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\dz4YNI2exWEbUJ7rkAO022dB.exe
PID 3352 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\dz4YNI2exWEbUJ7rkAO022dB.exe
PID 3352 wrote to memory of 3380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\SbEbWO3ozUXlczeTvPfQZLxu.exe
PID 3352 wrote to memory of 3380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\SbEbWO3ozUXlczeTvPfQZLxu.exe
PID 3352 wrote to memory of 3380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\SbEbWO3ozUXlczeTvPfQZLxu.exe
PID 3352 wrote to memory of 3408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\c6GG6W4laO5US5Cvzqm5kvl7.exe
PID 3352 wrote to memory of 3408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\c6GG6W4laO5US5Cvzqm5kvl7.exe
PID 3352 wrote to memory of 3408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\c6GG6W4laO5US5Cvzqm5kvl7.exe
PID 3352 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\stnLYYITA0c8eRmG3QmwgOBR.exe
PID 3352 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\stnLYYITA0c8eRmG3QmwgOBR.exe
PID 3352 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\Pictures\stnLYYITA0c8eRmG3QmwgOBR.exe
PID 2140 wrote to memory of 4708 N/A C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe
PID 2140 wrote to memory of 4708 N/A C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe
PID 2140 wrote to memory of 4708 N/A C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe
PID 3380 wrote to memory of 1448 N/A C:\Users\Admin\Pictures\SbEbWO3ozUXlczeTvPfQZLxu.exe C:\Users\Admin\AppData\Local\Temp\is-680G6.tmp\SbEbWO3ozUXlczeTvPfQZLxu.tmp
PID 3380 wrote to memory of 1448 N/A C:\Users\Admin\Pictures\SbEbWO3ozUXlczeTvPfQZLxu.exe C:\Users\Admin\AppData\Local\Temp\is-680G6.tmp\SbEbWO3ozUXlczeTvPfQZLxu.tmp
PID 3380 wrote to memory of 1448 N/A C:\Users\Admin\Pictures\SbEbWO3ozUXlczeTvPfQZLxu.exe C:\Users\Admin\AppData\Local\Temp\is-680G6.tmp\SbEbWO3ozUXlczeTvPfQZLxu.tmp
PID 1676 wrote to memory of 1464 N/A C:\Users\Admin\Pictures\1MjyNNrooKx0UqPnYWZAMlxp.exe C:\Users\Admin\AppData\Local\Temp\is-GRELV.tmp\1MjyNNrooKx0UqPnYWZAMlxp.tmp
PID 1676 wrote to memory of 1464 N/A C:\Users\Admin\Pictures\1MjyNNrooKx0UqPnYWZAMlxp.exe C:\Users\Admin\AppData\Local\Temp\is-GRELV.tmp\1MjyNNrooKx0UqPnYWZAMlxp.tmp
PID 1676 wrote to memory of 1464 N/A C:\Users\Admin\Pictures\1MjyNNrooKx0UqPnYWZAMlxp.exe C:\Users\Admin\AppData\Local\Temp\is-GRELV.tmp\1MjyNNrooKx0UqPnYWZAMlxp.tmp
PID 2140 wrote to memory of 1660 N/A C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe C:\Windows\System32\Conhost.exe
PID 2140 wrote to memory of 1660 N/A C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe C:\Windows\System32\Conhost.exe
PID 2140 wrote to memory of 1660 N/A C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe C:\Windows\System32\Conhost.exe
PID 2140 wrote to memory of 4820 N/A C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe
PID 2140 wrote to memory of 4820 N/A C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe
PID 2140 wrote to memory of 4820 N/A C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe
PID 4820 wrote to memory of 4540 N/A C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe
PID 4820 wrote to memory of 4540 N/A C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe
PID 4820 wrote to memory of 4540 N/A C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\Pictures\c6GG6W4laO5US5Cvzqm5kvl7.exe

"C:\Users\Admin\Pictures\c6GG6W4laO5US5Cvzqm5kvl7.exe"

C:\Users\Admin\Pictures\SbEbWO3ozUXlczeTvPfQZLxu.exe

"C:\Users\Admin\Pictures\SbEbWO3ozUXlczeTvPfQZLxu.exe"

C:\Users\Admin\Pictures\stnLYYITA0c8eRmG3QmwgOBR.exe

"C:\Users\Admin\Pictures\stnLYYITA0c8eRmG3QmwgOBR.exe"

C:\Users\Admin\Pictures\3QBTE6dAJaQT2gMdJG40NE0S.exe

"C:\Users\Admin\Pictures\3QBTE6dAJaQT2gMdJG40NE0S.exe"

C:\Users\Admin\Pictures\NpPVmbU0yfIj3bnlA8dxVCdP.exe

"C:\Users\Admin\Pictures\NpPVmbU0yfIj3bnlA8dxVCdP.exe"

C:\Users\Admin\Pictures\tlATYX2t3QbqTxt3i3oMjFvp.exe

"C:\Users\Admin\Pictures\tlATYX2t3QbqTxt3i3oMjFvp.exe"

C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe

"C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe" --silent --allusers=0

C:\Users\Admin\Pictures\dz4YNI2exWEbUJ7rkAO022dB.exe

"C:\Users\Admin\Pictures\dz4YNI2exWEbUJ7rkAO022dB.exe"

C:\Users\Admin\Pictures\PmAkVp78NQjAwbjD8Pj23oLv.exe

"C:\Users\Admin\Pictures\PmAkVp78NQjAwbjD8Pj23oLv.exe"

C:\Users\Admin\Pictures\kr5hHwzSfZuxeDy6Iusvarea.exe

"C:\Users\Admin\Pictures\kr5hHwzSfZuxeDy6Iusvarea.exe"

C:\Users\Admin\Pictures\1MjyNNrooKx0UqPnYWZAMlxp.exe

"C:\Users\Admin\Pictures\1MjyNNrooKx0UqPnYWZAMlxp.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\AppData\Local\Temp\is-680G6.tmp\SbEbWO3ozUXlczeTvPfQZLxu.tmp

"C:\Users\Admin\AppData\Local\Temp\is-680G6.tmp\SbEbWO3ozUXlczeTvPfQZLxu.tmp" /SL5="$601C0,491750,408064,C:\Users\Admin\Pictures\SbEbWO3ozUXlczeTvPfQZLxu.exe"

C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe

C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2c4,0x2f4,0x6f738538,0x6f738548,0x6f738554

C:\Users\Admin\AppData\Local\Temp\is-GRELV.tmp\1MjyNNrooKx0UqPnYWZAMlxp.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GRELV.tmp\1MjyNNrooKx0UqPnYWZAMlxp.tmp" /SL5="$500F4,5025136,832512,C:\Users\Admin\Pictures\1MjyNNrooKx0UqPnYWZAMlxp.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\tqXBxgO2WGvihHFjRpCOhDUr.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\tqXBxgO2WGvihHFjRpCOhDUr.exe" --version

C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe

"C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2140 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231005173004" --session-guid=7ad73534-3166-48e2-9c92-67732e4737aa --server-tracking-blob=… --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9C05000000000000

C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe

C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2e0,0x2e4,0x2f4,0x2bc,0x2f8,0x6df88538,0x6df88548,0x6df88554

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\AppData\Local\Temp\is-BQBAT.tmp\_isetup\_setup64.tmp

helper 105 0x448

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\is-IPCC3.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-IPCC3.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Program Files\Windows Multimedia Platform\QQSQFBMDWV\lightcleaner.exe

"C:\Program Files\Windows Multimedia Platform\QQSQFBMDWV\lightcleaner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\5b-612f3-640-8d8bb-ef6b17907078d\Nygivuhyxa.exe

"C:\Users\Admin\AppData\Local\Temp\5b-612f3-640-8d8bb-ef6b17907078d\Nygivuhyxa.exe"

C:\Users\Admin\AppData\Local\Temp\is-I079R.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-I079R.tmp\lightcleaner.tmp" /SL5="$3024E,833775,56832,C:\Program Files\Windows Multimedia Platform\QQSQFBMDWV\lightcleaner.exe" /VERYSILENT

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 804

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310051730041\assistant\Assistant_103.0.4928.16_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310051730041\assistant\Assistant_103.0.4928.16_Setup.exe_sfx.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310051730041\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310051730041\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310051730041\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310051730041\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x241588,0x241598,0x2415a4

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
DE 148.251.234.93:443 yip.su tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 d062.userscloud.net udp
US 8.8.8.8:53 net.geo.opera.com udp
US 8.8.8.8:53 bolidare.beget.tech udp
US 8.8.8.8:53 lycheepanel.info udp
US 8.8.8.8:53 jetpackdelivery.net udp
US 8.8.8.8:53 ji.fhauiehgha.com udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 172.67.187.122:443 lycheepanel.info tcp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 goboh2b.top udp
DE 168.119.140.62:443 d062.userscloud.net tcp
US 188.114.97.0:443 jetpackdelivery.net tcp
US 172.67.216.81:443 flyawayaero.net tcp
NL 13.227.219.83:443 downloads.digitalpulsedata.com tcp
RU 91.106.207.50:80 bolidare.beget.tech tcp
US 8.8.8.8:53 justsafepay.com udp
US 188.114.96.0:443 justsafepay.com tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 85.217.144.143:80 85.217.144.143 tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
US 8.8.8.8:53 potatogoose.com udp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 104.21.35.235:443 potatogoose.com tcp
US 8.8.8.8:53 link.storjshare.io udp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
RU 212.193.49.228:80 goboh2b.top tcp
US 8.8.8.8:53 83.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 122.187.67.172.in-addr.arpa udp
US 8.8.8.8:53 81.216.67.172.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 62.140.119.168.in-addr.arpa udp
US 8.8.8.8:53 143.144.217.85.in-addr.arpa udp
US 8.8.8.8:53 10.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 111.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 235.35.21.104.in-addr.arpa udp
US 8.8.8.8:53 2.77.0.136.in-addr.arpa udp
US 8.8.8.8:53 228.49.193.212.in-addr.arpa udp
US 8.8.8.8:53 50.207.106.91.in-addr.arpa udp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
US 8.8.8.8:53 254.109.26.67.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 83.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 136.0.77.2:80 link.storjshare.io tcp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
NL 82.145.216.19:443 autoupdate.geo.opera.com tcp
NL 82.145.216.19:443 autoupdate.geo.opera.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 19.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 download.opera.com udp
US 8.8.8.8:53 features.opera-api2.com udp
NL 185.26.182.122:443 download.opera.com tcp
NL 185.26.182.94:443 features.opera-api2.com tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 95.101.143.243:443 download3.operacdn.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 demo.seafile.com udp
DE 168.119.152.22:80 demo.seafile.com tcp
US 8.8.8.8:53 68.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 122.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 94.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 243.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 22.152.119.168.in-addr.arpa udp
DE 168.119.152.22:443 demo.seafile.com tcp
US 8.8.8.8:53 m7val1dat0r.info udp
US 188.114.96.0:443 m7val1dat0r.info tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
BG 193.42.32.29:80 193.42.32.29 tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 29.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 connectini.net udp
GB 91.109.116.11:443 connectini.net tcp
US 8.8.8.8:53 11.116.109.91.in-addr.arpa udp
US 8.8.8.8:53 link.storjshare.io udp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
US 136.0.77.2:443 link.storjshare.io tcp
DE 52.219.168.165:443 wewewe.s3.eu-central-1.amazonaws.com tcp
US 8.8.8.8:53 vibrator.s3.pl-waw.scw.cloud udp
PL 151.115.10.1:443 vibrator.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 165.168.219.52.in-addr.arpa udp
US 8.8.8.8:53 1.10.115.151.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 360devtracking.com udp
GB 91.109.116.11:80 360devtracking.com tcp
US 8.8.8.8:53 bapp.digitalpulsedata.com udp
CA 3.98.219.138:443 bapp.digitalpulsedata.com tcp
US 8.8.8.8:53 138.219.98.3.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
NL 185.26.182.122:443 download.opera.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp

Files

memory/3772-0-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/3772-1-0x0000000000D40000-0x0000000000D9E000-memory.dmp

memory/3772-2-0x0000000005810000-0x00000000058AC000-memory.dmp

memory/3772-3-0x0000000005FE0000-0x0000000006584000-memory.dmp

memory/3772-4-0x0000000005B30000-0x0000000005BC2000-memory.dmp

memory/3772-5-0x00000000059D0000-0x00000000059E0000-memory.dmp

memory/3772-6-0x0000000005710000-0x000000000571A000-memory.dmp

memory/3772-7-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/3772-8-0x00000000059E0000-0x0000000005A24000-memory.dmp

memory/3772-9-0x0000000005DE0000-0x0000000005DFA000-memory.dmp

memory/3352-10-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3352-12-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/3352-13-0x00000000056C0000-0x00000000056D0000-memory.dmp

memory/3772-14-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/3352-54-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/3352-55-0x00000000056C0000-0x00000000056D0000-memory.dmp

C:\Users\Admin\Pictures\kr5hHwzSfZuxeDy6Iusvarea.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\c6GG6W4laO5US5Cvzqm5kvl7.exe

MD5 74b2d6fb1c1f8429468cb315918ee7f6
SHA1 5fae12c58852cead4403af10fc6affa153f4900c
SHA256 c1914894e6e67a643e782c48a06ce290c5e42f3fff52862cee6ca41a683d61ac
SHA512 296973166f94a06da0133ead909ebbcf773a541540195c7f15ec9ca1f7bbb653dfd21500b37fd86bab68dac747b68a99cc10f3113c82e0183e6ae85364a4e64f

C:\Users\Admin\Pictures\oBXC6bb3X01xcA4evPXWzvBr.exe

MD5 24fe48030f7d3097d5882535b04c3fa8
SHA1 a689a999a5e62055bda8c21b1dbe92c119308def
SHA256 424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e
SHA512 45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

C:\Users\Admin\Pictures\6w4CPjfLKCYiGxT7QB78znRe.exe

MD5 dde72ae232dc63298465861482d7bb93
SHA1 557c5dbebc35bc82280e2a744a03ce5e78b3e6fb
SHA256 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
SHA512 389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

C:\Users\Admin\Pictures\NpPVmbU0yfIj3bnlA8dxVCdP.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\SbEbWO3ozUXlczeTvPfQZLxu.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\tlATYX2t3QbqTxt3i3oMjFvp.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\PmAkVp78NQjAwbjD8Pj23oLv.exe

MD5 61b58ff95b06f484fdd263b7dca921e7
SHA1 5e53323620dce30e7cb32b079b16c60757dffc1a
SHA256 ef03b88e801bc6bba6e7a7f82c5cde79bd756e93f663de0f3cc048858c104834
SHA512 75f1ddf33fdc63c64e88dc9530cb1f456d3774de5bcc11420f53663dee8b2e206d3cc613ca4716e2540a5a709c0afdcd4fd0ed0b1f8f1c5a1bb69bfcc36114a2

C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe

MD5 924095edc84d36d6ca160ab9860c90aa
SHA1 13b890bda4f31f80f3a18fe60fac4c84ffe9e2d6
SHA256 cf920b312e24e4b8f9ed19d815023dc3bb8415d8efae6ae8c792de39f4e84a41
SHA512 869f630d58270da614cf9731c24a669b370ff5f5dd057b549923d518d554417dd3bc1db1e10a07651c5e91623f56904821f9b993746db4f6e8b59a37910e30e5

C:\Users\Admin\Pictures\dz4YNI2exWEbUJ7rkAO022dB.exe

MD5 1c86f687cb15ba854d847f07d2f8e2be
SHA1 20b2b70a9045a88198dfa3fdf76a4a469f395391
SHA256 ee05a184d75907ae050bd3855a61609fa2569a96f1a2be38986e853afa9d049f
SHA512 66a27ce361db7f99ed4e3116d1ece028a0cf09165156a06c3a6b8e67f2ea75a994216756eb515f7b5d8aca6e1d9057f1edfeb962b7ab16a33d4eeba725aec1a9

C:\Users\Admin\Pictures\3QBTE6dAJaQT2gMdJG40NE0S.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\stnLYYITA0c8eRmG3QmwgOBR.exe

MD5 aaf2d3ecd7c37951fbda0e789ef025de
SHA1 b74a849ecb3c28358aca29905111c9984ec2ef1e
SHA256 22cbb20503cab32d18883987f6d829490c37547b31718c5aacdd690ef84d0c2f
SHA512 8389abe0317f1f43d8a453ecda6a72c138b3134ed6540ec5883af3d96b79f81575b67caf653ea447b767a84f8ad1a73bfcfc725c6ce676f6073d8e0b1c4e2bf0

C:\Users\Admin\Pictures\1MjyNNrooKx0UqPnYWZAMlxp.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe

MD5 924095edc84d36d6ca160ab9860c90aa
SHA1 13b890bda4f31f80f3a18fe60fac4c84ffe9e2d6
SHA256 cf920b312e24e4b8f9ed19d815023dc3bb8415d8efae6ae8c792de39f4e84a41
SHA512 869f630d58270da614cf9731c24a669b370ff5f5dd057b549923d518d554417dd3bc1db1e10a07651c5e91623f56904821f9b993746db4f6e8b59a37910e30e5

C:\Users\Admin\Pictures\PmAkVp78NQjAwbjD8Pj23oLv.exe

MD5 61b58ff95b06f484fdd263b7dca921e7
SHA1 5e53323620dce30e7cb32b079b16c60757dffc1a
SHA256 ef03b88e801bc6bba6e7a7f82c5cde79bd756e93f663de0f3cc048858c104834
SHA512 75f1ddf33fdc63c64e88dc9530cb1f456d3774de5bcc11420f53663dee8b2e206d3cc613ca4716e2540a5a709c0afdcd4fd0ed0b1f8f1c5a1bb69bfcc36114a2

C:\Users\Admin\Pictures\kr5hHwzSfZuxeDy6Iusvarea.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\3QBTE6dAJaQT2gMdJG40NE0S.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\tlATYX2t3QbqTxt3i3oMjFvp.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

memory/2140-157-0x0000000000FE0000-0x000000000152D000-memory.dmp

C:\Users\Admin\Pictures\1MjyNNrooKx0UqPnYWZAMlxp.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

C:\Users\Admin\Pictures\stnLYYITA0c8eRmG3QmwgOBR.exe

MD5 aaf2d3ecd7c37951fbda0e789ef025de
SHA1 b74a849ecb3c28358aca29905111c9984ec2ef1e
SHA256 22cbb20503cab32d18883987f6d829490c37547b31718c5aacdd690ef84d0c2f
SHA512 8389abe0317f1f43d8a453ecda6a72c138b3134ed6540ec5883af3d96b79f81575b67caf653ea447b767a84f8ad1a73bfcfc725c6ce676f6073d8e0b1c4e2bf0

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310051729548622140.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/3380-175-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\Pictures\kr5hHwzSfZuxeDy6Iusvarea.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\tlATYX2t3QbqTxt3i3oMjFvp.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\dz4YNI2exWEbUJ7rkAO022dB.exe

MD5 1c86f687cb15ba854d847f07d2f8e2be
SHA1 20b2b70a9045a88198dfa3fdf76a4a469f395391
SHA256 ee05a184d75907ae050bd3855a61609fa2569a96f1a2be38986e853afa9d049f
SHA512 66a27ce361db7f99ed4e3116d1ece028a0cf09165156a06c3a6b8e67f2ea75a994216756eb515f7b5d8aca6e1d9057f1edfeb962b7ab16a33d4eeba725aec1a9

C:\Users\Admin\Pictures\c6GG6W4laO5US5Cvzqm5kvl7.exe

MD5 74b2d6fb1c1f8429468cb315918ee7f6
SHA1 5fae12c58852cead4403af10fc6affa153f4900c
SHA256 c1914894e6e67a643e782c48a06ce290c5e42f3fff52862cee6ca41a683d61ac
SHA512 296973166f94a06da0133ead909ebbcf773a541540195c7f15ec9ca1f7bbb653dfd21500b37fd86bab68dac747b68a99cc10f3113c82e0183e6ae85364a4e64f

C:\Users\Admin\Pictures\NpPVmbU0yfIj3bnlA8dxVCdP.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\SbEbWO3ozUXlczeTvPfQZLxu.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\dz4YNI2exWEbUJ7rkAO022dB.exe

MD5 1c86f687cb15ba854d847f07d2f8e2be
SHA1 20b2b70a9045a88198dfa3fdf76a4a469f395391
SHA256 ee05a184d75907ae050bd3855a61609fa2569a96f1a2be38986e853afa9d049f
SHA512 66a27ce361db7f99ed4e3116d1ece028a0cf09165156a06c3a6b8e67f2ea75a994216756eb515f7b5d8aca6e1d9057f1edfeb962b7ab16a33d4eeba725aec1a9

C:\Users\Admin\Pictures\3QBTE6dAJaQT2gMdJG40NE0S.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\SbEbWO3ozUXlczeTvPfQZLxu.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/4800-179-0x00007FF7F2130000-0x00007FF7F221C000-memory.dmp

memory/1676-180-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/5116-184-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/1676-188-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\1MjyNNrooKx0UqPnYWZAMlxp.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

memory/5116-189-0x0000000000100000-0x000000000041C000-memory.dmp

C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe

MD5 924095edc84d36d6ca160ab9860c90aa
SHA1 13b890bda4f31f80f3a18fe60fac4c84ffe9e2d6
SHA256 cf920b312e24e4b8f9ed19d815023dc3bb8415d8efae6ae8c792de39f4e84a41
SHA512 869f630d58270da614cf9731c24a669b370ff5f5dd057b549923d518d554417dd3bc1db1e10a07651c5e91623f56904821f9b993746db4f6e8b59a37910e30e5

C:\Users\Admin\AppData\Local\Temp\is-680G6.tmp\SbEbWO3ozUXlczeTvPfQZLxu.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

C:\Users\Admin\AppData\Local\Temp\is-GRELV.tmp\1MjyNNrooKx0UqPnYWZAMlxp.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310051730007844708.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe

MD5 924095edc84d36d6ca160ab9860c90aa
SHA1 13b890bda4f31f80f3a18fe60fac4c84ffe9e2d6
SHA256 cf920b312e24e4b8f9ed19d815023dc3bb8415d8efae6ae8c792de39f4e84a41
SHA512 869f630d58270da614cf9731c24a669b370ff5f5dd057b549923d518d554417dd3bc1db1e10a07651c5e91623f56904821f9b993746db4f6e8b59a37910e30e5

memory/5116-204-0x0000000004F70000-0x0000000005132000-memory.dmp

memory/1464-206-0x0000000000900000-0x0000000000901000-memory.dmp

memory/5116-212-0x0000000004E40000-0x0000000004EA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\tqXBxgO2WGvihHFjRpCOhDUr.exe

MD5 924095edc84d36d6ca160ab9860c90aa
SHA1 13b890bda4f31f80f3a18fe60fac4c84ffe9e2d6
SHA256 cf920b312e24e4b8f9ed19d815023dc3bb8415d8efae6ae8c792de39f4e84a41
SHA512 869f630d58270da614cf9731c24a669b370ff5f5dd057b549923d518d554417dd3bc1db1e10a07651c5e91623f56904821f9b993746db4f6e8b59a37910e30e5

memory/1660-216-0x0000000000D10000-0x000000000125D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310051730027211660.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/5116-221-0x00000000058A0000-0x00000000058B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310051730027211660.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1448-219-0x00000000006C0000-0x00000000006C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-IPCC3.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/1660-230-0x0000000000D10000-0x000000000125D000-memory.dmp

memory/1676-231-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2140-233-0x0000000000FE0000-0x000000000152D000-memory.dmp

C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe

MD5 924095edc84d36d6ca160ab9860c90aa
SHA1 13b890bda4f31f80f3a18fe60fac4c84ffe9e2d6
SHA256 cf920b312e24e4b8f9ed19d815023dc3bb8415d8efae6ae8c792de39f4e84a41
SHA512 869f630d58270da614cf9731c24a669b370ff5f5dd057b549923d518d554417dd3bc1db1e10a07651c5e91623f56904821f9b993746db4f6e8b59a37910e30e5

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310051730049554820.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1716-238-0x00007FF6CCBD0000-0x00007FF6CD113000-memory.dmp

C:\Users\Admin\Pictures\tqXBxgO2WGvihHFjRpCOhDUr.exe

MD5 924095edc84d36d6ca160ab9860c90aa
SHA1 13b890bda4f31f80f3a18fe60fac4c84ffe9e2d6
SHA256 cf920b312e24e4b8f9ed19d815023dc3bb8415d8efae6ae8c792de39f4e84a41
SHA512 869f630d58270da614cf9731c24a669b370ff5f5dd057b549923d518d554417dd3bc1db1e10a07651c5e91623f56904821f9b993746db4f6e8b59a37910e30e5

memory/3380-243-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310051730057684540.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/4820-247-0x0000000000FE0000-0x000000000152D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 6587de900c9bbad8c60f85fe38bc49aa
SHA1 f13e112b32b793968c742d67b0d1825aca304d32
SHA256 5d18da8f62d881901d952e11abe329d37027907975fd903491212b7eb63b0d6a
SHA512 dc9fba43e6c44ea97a6162e26df547b346e8899daed9f7c36365bdd10e24896da82fbce6d7270944cdad709f5f124cedb5c3f5042db342846b378a210dc4d22b

memory/4540-248-0x0000000000FE0000-0x000000000152D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

memory/5116-277-0x00000000062E0000-0x000000000680C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 501dee1bf4317147c20e34f6b39f984f
SHA1 d6d3538ab655fe65b328cfb39e7980844837bd49
SHA256 be886589cc3c00a0da311cdcd4cec3c91709e7fc4463d8a61653461a19552dbe
SHA512 415a0d2170ebad18f950b3f59e611dcbe37fd14c693151ae5448e1b150e240bde91492c93bdbc2b037c14fc71d972df56e21594ed7f1559d44bd47e7085734bf

C:\Users\Admin\AppData\Local\Temp\is-BQBAT.tmp\_isetup\_setup64.tmp

MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

C:\Users\Admin\AppData\Local\Temp\is-IPCC3.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/4708-292-0x0000000000FE0000-0x000000000152D000-memory.dmp

memory/1448-293-0x0000000000400000-0x0000000000513000-memory.dmp

memory/5116-283-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/1464-294-0x0000000000400000-0x000000000071C000-memory.dmp

memory/4212-295-0x000002300DBF0000-0x000002300DC74000-memory.dmp

memory/4212-302-0x000002300E020000-0x000002300E082000-memory.dmp

memory/4212-303-0x00007FFC78D30000-0x00007FFC797F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-GRELV.tmp\1MjyNNrooKx0UqPnYWZAMlxp.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

memory/4212-307-0x000002300FA10000-0x000002300FA6E000-memory.dmp

memory/1716-308-0x00007FF6CCBD0000-0x00007FF6CD113000-memory.dmp

memory/4800-323-0x0000000003130000-0x00000000032A1000-memory.dmp

memory/4800-326-0x00000000032B0000-0x00000000033E1000-memory.dmp

memory/5116-327-0x00000000058A0000-0x00000000058B0000-memory.dmp

memory/1844-328-0x00007FFC78D30000-0x00007FFC797F1000-memory.dmp

memory/1844-329-0x000002AA33130000-0x000002AA33140000-memory.dmp

memory/1464-330-0x0000000000900000-0x0000000000901000-memory.dmp

memory/1464-333-0x0000000000400000-0x000000000071C000-memory.dmp

memory/1844-343-0x000002AA33020000-0x000002AA33042000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ogr2nl4i.3jq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\574508946349

MD5 b23720d721f54dafaf5857cf0d2f2557
SHA1 0d3416414bcde9acd201cf00a058ae09b7c60426
SHA256 3fc959c98df66debd8667448faf875761d584d0672d106650ec9cb761cfd0d65
SHA512 8761d5050691a7bbdd9202f8eac61dce77ff3a89d54e47d7f0501b239c8f4ef1df953f071b047812415b7217409f8bd0e06919d569893cfc7b93beee706fae4b

memory/5116-349-0x00000000058A0000-0x00000000058B0000-memory.dmp

memory/1844-356-0x000002AA33130000-0x000002AA33140000-memory.dmp

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

memory/1844-366-0x000002AA33130000-0x000002AA33140000-memory.dmp

memory/1464-365-0x0000000000400000-0x000000000071C000-memory.dmp

memory/1464-373-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5b-612f3-640-8d8bb-ef6b17907078d\Nygivuhyxa.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

memory/1676-383-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Program Files\Windows Multimedia Platform\QQSQFBMDWV\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

C:\Users\Admin\AppData\Local\Temp\5b-612f3-640-8d8bb-ef6b17907078d\Nygivuhyxa.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\5b-612f3-640-8d8bb-ef6b17907078d\Nygivuhyxa.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

C:\Program Files\Windows Multimedia Platform\QQSQFBMDWV\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

memory/2224-396-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Program Files\Windows Multimedia Platform\QQSQFBMDWV\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

memory/2224-405-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-I079R.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/1076-409-0x000000006C5A0000-0x000000006CB51000-memory.dmp

memory/4212-408-0x00007FFC78D30000-0x00007FFC797F1000-memory.dmp

memory/1076-410-0x0000000000F40000-0x0000000000F50000-memory.dmp

memory/1076-411-0x000000006C5A0000-0x000000006CB51000-memory.dmp

memory/5116-412-0x00000000058A0000-0x00000000058B0000-memory.dmp

memory/1448-421-0x0000000000400000-0x0000000000513000-memory.dmp

memory/1844-422-0x000002AA33130000-0x000002AA33140000-memory.dmp

memory/1844-423-0x000002AA33130000-0x000002AA33140000-memory.dmp

memory/4780-424-0x0000000002100000-0x0000000002101000-memory.dmp

memory/1844-420-0x00007FFC78D30000-0x00007FFC797F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-M1338.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/5116-428-0x00000000058A0000-0x00000000058B0000-memory.dmp

memory/3380-429-0x0000000000400000-0x000000000046A000-memory.dmp

memory/1844-433-0x00007FFC78D30000-0x00007FFC797F1000-memory.dmp

memory/1716-439-0x00007FF6CCBD0000-0x00007FF6CD113000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-I079R.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/2224-442-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4780-460-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4780-461-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1076-462-0x000000006C5A0000-0x000000006CB51000-memory.dmp

memory/2224-463-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Users\Admin\Pictures\NpPVmbU0yfIj3bnlA8dxVCdP.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/1716-469-0x00007FF6CCBD0000-0x00007FF6CD113000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310051730041\opera_package

MD5 1b4af0087d5df808f26f57534a532aa9
SHA1 d32d1fcecbef0e361d41943477a1df25114ce7af
SHA256 22c21ff3d0f5af1c2191318ea12921cfd5434afc32c0641d58fd3f3a218ea111
SHA512 e5a32022fd08464a24c89819703fd9f05c75bd5b47392aae186b96a8e1146fb0c98cda14bfec9a1393c0cdde706db77d32e7a9a86e4611c72103265982d31e07

memory/4136-514-0x00007FF76BCD0000-0x00007FF76C213000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310051730041\assistant\Assistant_103.0.4928.16_Setup.exe_sfx.exe

MD5 34929f64d8dedc8ce887d9de6fce9c20
SHA1 4653d9c09aab6d3f8dd801ba97a6cced66f3b097
SHA256 3fb9093caabc82c8935ff184e11900068ce8d4ff17087f5a0edab423df146b90
SHA512 a2ac64860761dbee8fbfbb83d9f7a0f40fdb58758dc714b657fa4aaffd752d3c4c4847e77c2fcb94b54a2c09775caf95f3c9d94315b864cfc00ca839d7352a1c

memory/1472-541-0x00007FFC79190000-0x00007FFC79C51000-memory.dmp

memory/1472-546-0x0000029EFE1B0000-0x0000029EFE1C0000-memory.dmp

memory/1472-549-0x0000029EFE1B0000-0x0000029EFE1C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310051730041\assistant\dbghelp.dll

MD5 f2df49fd368f4ae7a61cb7dc375d935a
SHA1 8f74fd1a61aaca6223489233e74e32661d362760
SHA256 c04afc07ed5fde047a940739bef42df46292009a9f09e5e02130210c384b916b
SHA512 fc91488745d979db33cbd0eb8f3bc85d8a439f3275f046d491013bbe6d32c77275ece7d07fd3c9bdf86a9417abc8b13707382c37693f190d4251df1d3bf474a9

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310051730041\assistant\assistant_installer.exe

MD5 7b8c1c3e6b8c779fcfdd972cc6baa4a1
SHA1 ea77673ac4dbb86533a0e7db577961047adeef00
SHA256 b6e79c27a2e741a33ddef303c97be91ddee5273f42fb085b55ee9346f130f7ca
SHA512 83d6b47e17b4321e3509d3df2fdee3a5b86a0e358ccf8b22c63c53d705333641a5d10390a915a830defa8b89b236f93e37221a5a7f0087e987e336446dbd09ef

memory/1472-573-0x00007FF458E80000-0x00007FF458E90000-memory.dmp

memory/1472-583-0x0000029EFEDC0000-0x0000029EFEDDC000-memory.dmp

memory/1472-584-0x0000029EFEDE0000-0x0000029EFEE95000-memory.dmp

memory/1472-585-0x0000029EFEEA0000-0x0000029EFEEAA000-memory.dmp
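
Added example, not part of the sandbox report: a Python parser for the Files list in the layout used above (a path line, then MD5/SHA1/SHA256/SHA512 lines; memory/... lines are dumped regions). It deduplicates entries by SHA256, reports any hash that appears under more than one path (the binary dropped in Pictures and again as C:\Program Files\Google\Chrome\updater.exe is the case above), and flags paths that match the drop locations this report shows. The sample text is constructed from entries above; the path heuristics and the rule labels are the editor's, not the sandbox's.

```python
import re
from collections import defaultdict

# Constructed sample in the report's "Files" layout (path line, then
# MD5/SHA1/SHA256/SHA512 lines; "memory/..." lines are dumped regions).
# Hashes are copied from the entries above; cred64.dll is listed twice
# on purpose, as the report itself repeats drop events.
SAMPLE = r"""
C:\Users\Admin\Pictures\NpPVmbU0yfIj3bnlA8dxVCdP.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/1716-469-0x00007FF6CCBD0000-0x00007FF6CD113000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Program Files\Windows Multimedia Platform\QQSQFBMDWV\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Editor's path heuristics, written against the drop locations in this report.
SUSPICIOUS_PATHS = [
    (re.compile(r"\\Pictures\\[^\\]+\.exe$", re.I), "EXE dropped under user Pictures"),
    (re.compile(r"\\AppData\\Roaming\\[0-9a-f]{14}\\[^\\]+\.dll$", re.I), "DLL under hex-named Roaming dir (Amadey plugin layout)"),
    (re.compile(r"^C:\\Program Files\\[^\\]+\\[A-Z]{10}\\[^\\]+\.exe$"), "EXE under random 10-letter dir in Program Files"),
    (re.compile(r"\\Google\\Chrome\\updater\.exe$", re.I), "updater.exe named like Google's updater; verify Authenticode signature"),
]

def parse_files(text):
    """Return (file entries, memory regions) from text in the report's Files layout."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append({"pid": int(m[1]), "start": int(m[2], 16), "end": int(m[3], 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m[1], m[2]
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest of wrong length for {current['path']}")
            current[algo.lower()] = digest
            continue
        current = {"path": line}
        files.append(current)
    return files, regions

def analyze(text):
    files, regions = parse_files(text)
    by_sha256 = defaultdict(set)
    for f in files:
        if "sha256" in f:
            by_sha256[f["sha256"]].add(f["path"])
    flagged = {}
    for path in {f["path"] for f in files}:
        for rx, why in SUSPICIOUS_PATHS:
            if rx.search(path):
                flagged[path] = why
    return {
        "unique_sha256": len(by_sha256),
        "region_count": len(regions),
        # same hash under several names: a copy made for persistence or masquerade
        "multi_path": {h: sorted(p) for h, p in by_sha256.items() if len(p) > 1},
        "flagged": flagged,
    }
```

Feed analyze() the whole Files section of a report to get a deduplicated hash set for blocking and the list of paths to sweep on a host; multi_path is the quickest way to spot a dropped payload that was re-copied under a legitimate-looking name.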

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-05 17:29

Reported

2023-10-05 17:31

Platform

win7-20230831-en

Max time kernel

15s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe"

Signatures

Amadey

trojan amadey

Danabot

trojan banker danabot

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2gkDzBKYe2gGxyrOpNgLA4sn.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3AWLvZRYLzDYfflnhYakVu5Y.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e4gb4ub2bmT80390tYz5Bnq7.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\axU6cuA3cr6Z7dFANVBRC7ML.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5htsXDsyjspW4LmZSZm9k0yT.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GyOwBgzudpaTAPsj6uz5S2wh.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52HchoN0QXvR4i2NCBOo6XnO.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\W8uN5tNvGX3AYy9Vtf8jXujn.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3c4E6PRC9mfL4FrjGiKL7MoN.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cCL5BgBQ4pMIlkRoXDJiaEKY.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7kmVInjJ2sOMV8eVvuIt9Exj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2160 set thread context of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2160 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2160 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2160 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2160 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2160 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2160 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2160 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2160 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2596 wrote to memory of 2328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\yqPnSi1OBq4f5w5ceByItmvI.exe
PID 2596 wrote to memory of 2328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\yqPnSi1OBq4f5w5ceByItmvI.exe
PID 2596 wrote to memory of 2328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\yqPnSi1OBq4f5w5ceByItmvI.exe
PID 2596 wrote to memory of 2328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\yqPnSi1OBq4f5w5ceByItmvI.exe
PID 2596 wrote to memory of 2564 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Yn77eUUgXtDNcboP3tb4Amgk.exe
PID 2596 wrote to memory of 2564 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Yn77eUUgXtDNcboP3tb4Amgk.exe
PID 2596 wrote to memory of 2564 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Yn77eUUgXtDNcboP3tb4Amgk.exe
PID 2596 wrote to memory of 2564 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Yn77eUUgXtDNcboP3tb4Amgk.exe
PID 2596 wrote to memory of 2460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\PCB0Fck0efFOQJpJzwaO610M.exe
PID 2596 wrote to memory of 2460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\PCB0Fck0efFOQJpJzwaO610M.exe
PID 2596 wrote to memory of 2460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\PCB0Fck0efFOQJpJzwaO610M.exe
PID 2596 wrote to memory of 2460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\PCB0Fck0efFOQJpJzwaO610M.exe
PID 2596 wrote to memory of 836 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Xf1vsVFYuUKjSxmfpSxTWVgO.exe
PID 2596 wrote to memory of 836 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Xf1vsVFYuUKjSxmfpSxTWVgO.exe
PID 2596 wrote to memory of 836 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Xf1vsVFYuUKjSxmfpSxTWVgO.exe
PID 2596 wrote to memory of 836 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Xf1vsVFYuUKjSxmfpSxTWVgO.exe
PID 2596 wrote to memory of 1808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\z4MQLcLUX9MOfw5YYasYXjAg.exe
PID 2596 wrote to memory of 1808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\z4MQLcLUX9MOfw5YYasYXjAg.exe
PID 2596 wrote to memory of 1808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\z4MQLcLUX9MOfw5YYasYXjAg.exe
PID 2596 wrote to memory of 1808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\z4MQLcLUX9MOfw5YYasYXjAg.exe
PID 2596 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe
PID 2596 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe
PID 2596 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe
PID 2596 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe
PID 2596 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe
PID 2596 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe
PID 2596 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe
PID 2328 wrote to memory of 3020 N/A C:\Users\Admin\Pictures\yqPnSi1OBq4f5w5ceByItmvI.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2328 wrote to memory of 3020 N/A C:\Users\Admin\Pictures\yqPnSi1OBq4f5w5ceByItmvI.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2328 wrote to memory of 3020 N/A C:\Users\Admin\Pictures\yqPnSi1OBq4f5w5ceByItmvI.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2328 wrote to memory of 3020 N/A C:\Users\Admin\Pictures\yqPnSi1OBq4f5w5ceByItmvI.exe C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
PID 2596 wrote to memory of 1648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\91urJXr2wC7mhQTRHF84r1Yw.exe
PID 2596 wrote to memory of 1648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\91urJXr2wC7mhQTRHF84r1Yw.exe
PID 2596 wrote to memory of 1648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\91urJXr2wC7mhQTRHF84r1Yw.exe
PID 2596 wrote to memory of 1648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\91urJXr2wC7mhQTRHF84r1Yw.exe
PID 2596 wrote to memory of 848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\O25ChJvId8MP1Q8CkEL56VaN.exe
PID 2596 wrote to memory of 848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\O25ChJvId8MP1Q8CkEL56VaN.exe
PID 2596 wrote to memory of 848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\O25ChJvId8MP1Q8CkEL56VaN.exe
PID 2596 wrote to memory of 848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\O25ChJvId8MP1Q8CkEL56VaN.exe
PID 1612 wrote to memory of 1716 N/A C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe C:\Users\Admin\AppData\Local\Temp\is-M37DO.tmp\aVIONjUY1xrCvWraceNgbRHr.tmp
PID 1612 wrote to memory of 1716 N/A C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe C:\Users\Admin\AppData\Local\Temp\is-M37DO.tmp\aVIONjUY1xrCvWraceNgbRHr.tmp
PID 1612 wrote to memory of 1716 N/A C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe C:\Users\Admin\AppData\Local\Temp\is-M37DO.tmp\aVIONjUY1xrCvWraceNgbRHr.tmp
PID 1612 wrote to memory of 1716 N/A C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe C:\Users\Admin\AppData\Local\Temp\is-M37DO.tmp\aVIONjUY1xrCvWraceNgbRHr.tmp
PID 1612 wrote to memory of 1716 N/A C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe C:\Users\Admin\AppData\Local\Temp\is-M37DO.tmp\aVIONjUY1xrCvWraceNgbRHr.tmp
PID 1612 wrote to memory of 1716 N/A C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe C:\Users\Admin\AppData\Local\Temp\is-M37DO.tmp\aVIONjUY1xrCvWraceNgbRHr.tmp
PID 1612 wrote to memory of 1716 N/A C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe C:\Users\Admin\AppData\Local\Temp\is-M37DO.tmp\aVIONjUY1xrCvWraceNgbRHr.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23exe_JC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\Pictures\yqPnSi1OBq4f5w5ceByItmvI.exe

"C:\Users\Admin\Pictures\yqPnSi1OBq4f5w5ceByItmvI.exe"

C:\Users\Admin\Pictures\Yn77eUUgXtDNcboP3tb4Amgk.exe

"C:\Users\Admin\Pictures\Yn77eUUgXtDNcboP3tb4Amgk.exe"

C:\Users\Admin\Pictures\PCB0Fck0efFOQJpJzwaO610M.exe

"C:\Users\Admin\Pictures\PCB0Fck0efFOQJpJzwaO610M.exe"

C:\Users\Admin\Pictures\Xf1vsVFYuUKjSxmfpSxTWVgO.exe

"C:\Users\Admin\Pictures\Xf1vsVFYuUKjSxmfpSxTWVgO.exe"

C:\Users\Admin\Pictures\z4MQLcLUX9MOfw5YYasYXjAg.exe

"C:\Users\Admin\Pictures\z4MQLcLUX9MOfw5YYasYXjAg.exe"

C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe

"C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe"

C:\Users\Admin\Pictures\91urJXr2wC7mhQTRHF84r1Yw.exe

"C:\Users\Admin\Pictures\91urJXr2wC7mhQTRHF84r1Yw.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

"C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"

C:\Users\Admin\Pictures\O25ChJvId8MP1Q8CkEL56VaN.exe

"C:\Users\Admin\Pictures\O25ChJvId8MP1Q8CkEL56VaN.exe"

C:\Users\Admin\AppData\Local\Temp\is-M37DO.tmp\aVIONjUY1xrCvWraceNgbRHr.tmp

"C:\Users\Admin\AppData\Local\Temp\is-M37DO.tmp\aVIONjUY1xrCvWraceNgbRHr.tmp" /SL5="$5010A,491750,408064,C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit

C:\Users\Admin\Pictures\Rq81nEwOmOaL8rEhaZ95kq78.exe

"C:\Users\Admin\Pictures\Rq81nEwOmOaL8rEhaZ95kq78.exe"

C:\Users\Admin\Pictures\t3Fv0jhVHs2OIxZdiUjIc5TW.exe

"C:\Users\Admin\Pictures\t3Fv0jhVHs2OIxZdiUjIc5TW.exe" --silent --allusers=0

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "nhdues.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\1ff8bec27e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\is-U318G.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-U318G.tmp\8758677____.exe" /S /UID=lylal220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Program Files\VideoLAN\LHNFVFNPHN\lightcleaner.exe

"C:\Program Files\VideoLAN\LHNFVFNPHN\lightcleaner.exe" /VERYSILENT

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\d6-e016c-871-d9ea2-f8a7a6c3473ca\Raqakyguzhae.exe

"C:\Users\Admin\AppData\Local\Temp\d6-e016c-871-d9ea2-f8a7a6c3473ca\Raqakyguzhae.exe"

C:\Users\Admin\AppData\Local\Temp\is-19VKH.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-19VKH.tmp\lightcleaner.tmp" /SL5="$201BA,833775,56832,C:\Program Files\VideoLAN\LHNFVFNPHN\lightcleaner.exe" /VERYSILENT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 396

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\8479718252.exe"

C:\Users\Admin\AppData\Local\Temp\8479718252.exe

"C:\Users\Admin\AppData\Local\Temp\8479718252.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "Yn77eUUgXtDNcboP3tb4Amgk.exe" /f & erase "C:\Users\Admin\Pictures\Yn77eUUgXtDNcboP3tb4Amgk.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "Yn77eUUgXtDNcboP3tb4Amgk.exe" /f

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231005172955.log C:\Windows\Logs\CBS\CbsPersist_20231005172955.cab

C:\Users\Admin\Pictures\Xf1vsVFYuUKjSxmfpSxTWVgO.exe

"C:\Users\Admin\Pictures\Xf1vsVFYuUKjSxmfpSxTWVgO.exe"

C:\Users\Admin\Pictures\O25ChJvId8MP1Q8CkEL56VaN.exe

"C:\Users\Admin\Pictures\O25ChJvId8MP1Q8CkEL56VaN.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {EBF6FA39-F734-41A5-A312-DECC38050B23} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\syswow64\rundll32.exe

"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\8479718252.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
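
Added example, not taken from the report or the sandbox: Python detection rules run over the command lines in the process list above. Each rule keys on the switches actually seen here (bcdedit with nointegritychecks 1 and a new OSLOADER entry, sc stop of the update services, the Add-MpPreference exclusion, the netsh allow rule for a csrss.exe outside System32, the schtasks persistence patterns, the CACLS deny on the Amadey directory, taskkill followed by erase, the powercfg timeouts) and carries the ATT&CK technique the editor maps it to. The sample list is copied from the process list, with two constructed benign lines added to show what must not fire.

```python
import re
from collections import Counter

# Command lines copied from the process list above, plus constructed benign
# lines (marked) that an administrator would legitimately run.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc',
    r'C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0',
    r'C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"',
    r'"C:\Windows\System32\cmd.exe" /c taskkill /im "Yn77eUUgXtDNcboP3tb4Amgk.exe" /f & erase "C:\Users\Admin\Pictures\Yn77eUUgXtDNcboP3tb4Amgk.exe" & exit',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    r'C:\Windows\Sysnative\bcdedit.exe /v',     # from the report; read-only, must not fire
    r'schtasks /query /fo LIST',                # constructed benign line
    r'netsh advfirewall show allprofiles',      # constructed benign line
]

# (regex, ATT&CK technique, meaning). Patterns are anchored on the switches
# used in this report rather than on bare tool names, to limit false positives.
RULES = {
    "bcdedit_nointegritychecks": (re.compile(r'\bbcdedit(\.exe)?\b.*\bnointegritychecks\s+1\b', re.I),
        "T1553.006", "kernel code-signing enforcement disabled on a boot entry"),
    "bcdedit_new_osloader": (re.compile(r'\bbcdedit(\.exe)?\b.*-create\s+\{[0-9a-f-]+\}.*-application\s+OSLOADER', re.I),
        "T1553.006", "new OS loader entry created (rogue boot configuration)"),
    "stop_update_services": (re.compile(r'\bsc(\.exe)?\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b', re.I),
        "T1489", "Windows Update / delivery service stopped"),
    "defender_exclusion": (re.compile(r'\bAdd-MpPreference\b.*-ExclusionPath\b', re.I),
        "T1562.001", "Defender path exclusion added"),
    "firewall_allow_program": (re.compile(r'\bnetsh\b.*advfirewall\s+firewall\s+add\s+rule\b.*action=allow\b.*program="?(?P<prog>[^"\s]+)', re.I),
        "T1562.004", "inbound firewall allow rule for a program"),
    "schtasks_persistence": (re.compile(r'\bschtasks(\.exe)?\b.*/create\b.*(/sc\s+(onlogon|minute)\b|/ru\s+"?system"?|/rl\s+highest)', re.I),
        "T1053.005", "scheduled task with logon/minute trigger, SYSTEM user or highest run level"),
    "cacls_deny": (re.compile(r'\bCACLS\b.*\s/P\s+"?[^"\s:]+:N"?', re.I),
        "T1222.001", "deny ACL set on a dropped file or directory (self-protection)"),
    "kill_then_erase": (re.compile(r'\btaskkill\b.*/im\b.*/f\b.*&\s*erase\b', re.I),
        "T1070.004", "process killed and its image erased (self-deletion)"),
    "powercfg_no_sleep": (re.compile(r'\bpowercfg\b.*/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b', re.I),
        "T1653", "sleep/hibernate timeouts set to never"),
}

SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe", "svchost.exe"}

def detect(cmdline):
    """Return [(rule, technique, note)] for one process command line."""
    hits = []
    for name, (rx, technique, note) in RULES.items():
        m = rx.search(cmdline)
        if not m:
            continue
        hits.append((name, technique, note))
        if name == "firewall_allow_program":
            prog = m.group("prog")
            base = prog.rsplit("\\", 1)[-1].lower()
            # a core system binary name outside System32 is a masquerade
            if base in SYSTEM_NAMES and not prog.lower().startswith("c:\\windows\\system32\\"):
                hits.append(("system_name_outside_system32", "T1036.005", f"{base} run from {prog}"))
    return hits

def scan(cmdlines):
    """Count techniques across many command lines (one hit per rule per line)."""
    counts = Counter()
    for c in cmdlines:
        for _, technique, _ in detect(c):
            counts[technique] += 1
    return counts
```

Point scan() at the CommandLine field of Security 4688 or Sysmon event ID 1 records. The firewall rule produces two findings on the line above because C:\Windows\rss\csrss.exe is not the csrss.exe in System32; the read-only bcdedit /v and the two benign lines produce none.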

Network


Files

memory/2160-0-0x0000000000B70000-0x0000000000BCE000-memory.dmp

memory/2160-1-0x0000000073FC0000-0x00000000746AE000-memory.dmp

memory/2160-2-0x00000000020C0000-0x0000000002100000-memory.dmp

memory/2160-3-0x00000000003A0000-0x00000000003E4000-memory.dmp

memory/2160-4-0x0000000000500000-0x000000000051A000-memory.dmp

memory/2596-5-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2596-7-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2596-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2160-10-0x0000000073FC0000-0x00000000746AE000-memory.dmp

memory/2596-11-0x0000000073FC0000-0x00000000746AE000-memory.dmp

memory/2596-12-0x0000000004A60000-0x0000000004AA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab49BF.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar49F1.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 065f64395fce0891a73c8f35f8a74f10
SHA1 67a35ce0fc5fd3fd39d26466e53f4646179a8514
SHA256 1b4cee77b4af340410d0a73cd4c98279d13243bd4669c4868df8ed21bdcb83b0
SHA512 f565fc6717f1295e91283aff364e553801f03130d18cfa9a433860b8aaad0f50279ba66613e4834dbb58e5385c7c4ec80b159c5c42cffb8b37ec613facd9431b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 d4ae187b4574036c2d76b6df8a8c1a30
SHA1 b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256 a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA512 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

\Users\Admin\Pictures\yqPnSi1OBq4f5w5ceByItmvI.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\Pictures\Yn77eUUgXtDNcboP3tb4Amgk.exe

MD5 74b2d6fb1c1f8429468cb315918ee7f6
SHA1 5fae12c58852cead4403af10fc6affa153f4900c
SHA256 c1914894e6e67a643e782c48a06ce290c5e42f3fff52862cee6ca41a683d61ac
SHA512 296973166f94a06da0133ead909ebbcf773a541540195c7f15ec9ca1f7bbb653dfd21500b37fd86bab68dac747b68a99cc10f3113c82e0183e6ae85364a4e64f

C:\Users\Admin\Pictures\yqPnSi1OBq4f5w5ceByItmvI.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\Pictures\Yn77eUUgXtDNcboP3tb4Amgk.exe

MD5 74b2d6fb1c1f8429468cb315918ee7f6
SHA1 5fae12c58852cead4403af10fc6affa153f4900c
SHA256 c1914894e6e67a643e782c48a06ce290c5e42f3fff52862cee6ca41a683d61ac
SHA512 296973166f94a06da0133ead909ebbcf773a541540195c7f15ec9ca1f7bbb653dfd21500b37fd86bab68dac747b68a99cc10f3113c82e0183e6ae85364a4e64f

C:\Users\Admin\Pictures\Yn77eUUgXtDNcboP3tb4Amgk.exe

MD5 74b2d6fb1c1f8429468cb315918ee7f6
SHA1 5fae12c58852cead4403af10fc6affa153f4900c
SHA256 c1914894e6e67a643e782c48a06ce290c5e42f3fff52862cee6ca41a683d61ac
SHA512 296973166f94a06da0133ead909ebbcf773a541540195c7f15ec9ca1f7bbb653dfd21500b37fd86bab68dac747b68a99cc10f3113c82e0183e6ae85364a4e64f

C:\Users\Admin\Pictures\Yn77eUUgXtDNcboP3tb4Amgk.exe

MD5 74b2d6fb1c1f8429468cb315918ee7f6
SHA1 5fae12c58852cead4403af10fc6affa153f4900c
SHA256 c1914894e6e67a643e782c48a06ce290c5e42f3fff52862cee6ca41a683d61ac
SHA512 296973166f94a06da0133ead909ebbcf773a541540195c7f15ec9ca1f7bbb653dfd21500b37fd86bab68dac747b68a99cc10f3113c82e0183e6ae85364a4e64f

C:\Users\Admin\Pictures\yqPnSi1OBq4f5w5ceByItmvI.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 379f3f3646dc7ee27bfafed1c3ec7cd6
SHA1 4c7bd9668d02cd96ca3991b4e591480cb998966d
SHA256 a786b9f6df91cda355e7eb5c45b6679e7d3f8b87f0f24281c0f48ed184378938
SHA512 2967889588b46016a8c94c27bb1974c7f37b6371a5ed95d2dd56a095eda5044754b3d5c0dc1640e932cf31abcfc277b959cfc0e47a488df86074f59673dd1fd4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 733dd40642db19db6dbd49369130b586
SHA1 f69b33122e54cd1697c85cc125f1d5924c9e2c75
SHA256 5901af2e97736f81eaf02ca5c7f9fde3df99593f502cbcb0fbb17b81ef772c13
SHA512 9c28e1ae1b8f22b3524dc50efeb057f73b2f91ae23578e1dd85fab6925cc96c71c337292befff2b91ee682285ab20794a2dcd4bb777dee568cbd21c7e1e22618

C:\Users\Admin\Pictures\yqPnSi1OBq4f5w5ceByItmvI.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

\Users\Admin\Pictures\PCB0Fck0efFOQJpJzwaO610M.exe

MD5 61b58ff95b06f484fdd263b7dca921e7
SHA1 5e53323620dce30e7cb32b079b16c60757dffc1a
SHA256 ef03b88e801bc6bba6e7a7f82c5cde79bd756e93f663de0f3cc048858c104834
SHA512 75f1ddf33fdc63c64e88dc9530cb1f456d3774de5bcc11420f53663dee8b2e206d3cc613ca4716e2540a5a709c0afdcd4fd0ed0b1f8f1c5a1bb69bfcc36114a2

\Users\Admin\Pictures\PCB0Fck0efFOQJpJzwaO610M.exe

MD5 61b58ff95b06f484fdd263b7dca921e7
SHA1 5e53323620dce30e7cb32b079b16c60757dffc1a
SHA256 ef03b88e801bc6bba6e7a7f82c5cde79bd756e93f663de0f3cc048858c104834
SHA512 75f1ddf33fdc63c64e88dc9530cb1f456d3774de5bcc11420f53663dee8b2e206d3cc613ca4716e2540a5a709c0afdcd4fd0ed0b1f8f1c5a1bb69bfcc36114a2

C:\Users\Admin\Pictures\PCB0Fck0efFOQJpJzwaO610M.exe

MD5 61b58ff95b06f484fdd263b7dca921e7
SHA1 5e53323620dce30e7cb32b079b16c60757dffc1a
SHA256 ef03b88e801bc6bba6e7a7f82c5cde79bd756e93f663de0f3cc048858c104834
SHA512 75f1ddf33fdc63c64e88dc9530cb1f456d3774de5bcc11420f53663dee8b2e206d3cc613ca4716e2540a5a709c0afdcd4fd0ed0b1f8f1c5a1bb69bfcc36114a2

C:\Users\Admin\Pictures\Xf1vsVFYuUKjSxmfpSxTWVgO.exe

MD5 1c86f687cb15ba854d847f07d2f8e2be
SHA1 20b2b70a9045a88198dfa3fdf76a4a469f395391
SHA256 ee05a184d75907ae050bd3855a61609fa2569a96f1a2be38986e853afa9d049f
SHA512 66a27ce361db7f99ed4e3116d1ece028a0cf09165156a06c3a6b8e67f2ea75a994216756eb515f7b5d8aca6e1d9057f1edfeb962b7ab16a33d4eeba725aec1a9

C:\Users\Admin\Pictures\Xf1vsVFYuUKjSxmfpSxTWVgO.exe

MD5 1c86f687cb15ba854d847f07d2f8e2be
SHA1 20b2b70a9045a88198dfa3fdf76a4a469f395391
SHA256 ee05a184d75907ae050bd3855a61609fa2569a96f1a2be38986e853afa9d049f
SHA512 66a27ce361db7f99ed4e3116d1ece028a0cf09165156a06c3a6b8e67f2ea75a994216756eb515f7b5d8aca6e1d9057f1edfeb962b7ab16a33d4eeba725aec1a9

C:\Users\Admin\Pictures\PCB0Fck0efFOQJpJzwaO610M.exe

MD5 61b58ff95b06f484fdd263b7dca921e7
SHA1 5e53323620dce30e7cb32b079b16c60757dffc1a
SHA256 ef03b88e801bc6bba6e7a7f82c5cde79bd756e93f663de0f3cc048858c104834
SHA512 75f1ddf33fdc63c64e88dc9530cb1f456d3774de5bcc11420f53663dee8b2e206d3cc613ca4716e2540a5a709c0afdcd4fd0ed0b1f8f1c5a1bb69bfcc36114a2

memory/836-222-0x0000000004860000-0x0000000004C58000-memory.dmp

\Users\Admin\Pictures\Xf1vsVFYuUKjSxmfpSxTWVgO.exe

MD5 1c86f687cb15ba854d847f07d2f8e2be
SHA1 20b2b70a9045a88198dfa3fdf76a4a469f395391
SHA256 ee05a184d75907ae050bd3855a61609fa2569a96f1a2be38986e853afa9d049f
SHA512 66a27ce361db7f99ed4e3116d1ece028a0cf09165156a06c3a6b8e67f2ea75a994216756eb515f7b5d8aca6e1d9057f1edfeb962b7ab16a33d4eeba725aec1a9

\Users\Admin\Pictures\Xf1vsVFYuUKjSxmfpSxTWVgO.exe

MD5 1c86f687cb15ba854d847f07d2f8e2be
SHA1 20b2b70a9045a88198dfa3fdf76a4a469f395391
SHA256 ee05a184d75907ae050bd3855a61609fa2569a96f1a2be38986e853afa9d049f
SHA512 66a27ce361db7f99ed4e3116d1ece028a0cf09165156a06c3a6b8e67f2ea75a994216756eb515f7b5d8aca6e1d9057f1edfeb962b7ab16a33d4eeba725aec1a9

\Users\Admin\Pictures\z4MQLcLUX9MOfw5YYasYXjAg.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

memory/1808-237-0x0000000073FC0000-0x00000000746AE000-memory.dmp

C:\Users\Admin\Pictures\z4MQLcLUX9MOfw5YYasYXjAg.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\z4MQLcLUX9MOfw5YYasYXjAg.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\z4MQLcLUX9MOfw5YYasYXjAg.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/1808-265-0x0000000000A80000-0x0000000000D9C000-memory.dmp

C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\aVIONjUY1xrCvWraceNgbRHr.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

C:\Users\Admin\Pictures\91urJXr2wC7mhQTRHF84r1Yw.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

\Users\Admin\Pictures\O25ChJvId8MP1Q8CkEL56VaN.exe

MD5 aaf2d3ecd7c37951fbda0e789ef025de
SHA1 b74a849ecb3c28358aca29905111c9984ec2ef1e
SHA256 22cbb20503cab32d18883987f6d829490c37547b31718c5aacdd690ef84d0c2f
SHA512 8389abe0317f1f43d8a453ecda6a72c138b3134ed6540ec5883af3d96b79f81575b67caf653ea447b767a84f8ad1a73bfcfc725c6ce676f6073d8e0b1c4e2bf0

memory/1612-263-0x0000000000400000-0x000000000046A000-memory.dmp

\Users\Admin\Pictures\91urJXr2wC7mhQTRHF84r1Yw.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

memory/2596-250-0x0000000073FC0000-0x00000000746AE000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-M37DO.tmp\aVIONjUY1xrCvWraceNgbRHr.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

C:\Users\Admin\Pictures\O25ChJvId8MP1Q8CkEL56VaN.exe

MD5 aaf2d3ecd7c37951fbda0e789ef025de
SHA1 b74a849ecb3c28358aca29905111c9984ec2ef1e
SHA256 22cbb20503cab32d18883987f6d829490c37547b31718c5aacdd690ef84d0c2f
SHA512 8389abe0317f1f43d8a453ecda6a72c138b3134ed6540ec5883af3d96b79f81575b67caf653ea447b767a84f8ad1a73bfcfc725c6ce676f6073d8e0b1c4e2bf0

C:\Users\Admin\Pictures\O25ChJvId8MP1Q8CkEL56VaN.exe

MD5 aaf2d3ecd7c37951fbda0e789ef025de
SHA1 b74a849ecb3c28358aca29905111c9984ec2ef1e
SHA256 22cbb20503cab32d18883987f6d829490c37547b31718c5aacdd690ef84d0c2f
SHA512 8389abe0317f1f43d8a453ecda6a72c138b3134ed6540ec5883af3d96b79f81575b67caf653ea447b767a84f8ad1a73bfcfc725c6ce676f6073d8e0b1c4e2bf0

\Users\Admin\Pictures\O25ChJvId8MP1Q8CkEL56VaN.exe

MD5 aaf2d3ecd7c37951fbda0e789ef025de
SHA1 b74a849ecb3c28358aca29905111c9984ec2ef1e
SHA256 22cbb20503cab32d18883987f6d829490c37547b31718c5aacdd690ef84d0c2f
SHA512 8389abe0317f1f43d8a453ecda6a72c138b3134ed6540ec5883af3d96b79f81575b67caf653ea447b767a84f8ad1a73bfcfc725c6ce676f6073d8e0b1c4e2bf0

C:\Users\Admin\AppData\Local\Temp\is-M37DO.tmp\aVIONjUY1xrCvWraceNgbRHr.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

memory/848-284-0x0000000004A30000-0x0000000004E28000-memory.dmp

\Users\Admin\Pictures\Rq81nEwOmOaL8rEhaZ95kq78.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/1716-292-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Users\Admin\Pictures\Rq81nEwOmOaL8rEhaZ95kq78.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

\Users\Admin\AppData\Local\Temp\is-U318G.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/1316-303-0x00000000FF160000-0x00000000FF24C000-memory.dmp

C:\Users\Admin\Pictures\Rq81nEwOmOaL8rEhaZ95kq78.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

\Users\Admin\Pictures\Rq81nEwOmOaL8rEhaZ95kq78.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

\Users\Admin\AppData\Local\Temp\is-U318G.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-U318G.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2596-307-0x000000000B180000-0x000000000B6CD000-memory.dmp

memory/1808-310-0x0000000073FC0000-0x00000000746AE000-memory.dmp

memory/2796-311-0x0000000000F40000-0x000000000148D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

MD5 aebaf57299cd368f842cfa98f3b1658c
SHA1 cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7
SHA256 d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce
SHA512 989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

C:\Users\Admin\Pictures\t3Fv0jhVHs2OIxZdiUjIc5TW.exe

MD5 6b01485dc66803663c2b81f926296fb0
SHA1 ad7b8c19cb16bd47ce47ec1ab6d08d50b79cc052
SHA256 f4e585dab024db2e1b9603b7691bd8c2752f7159f0b40558c17c0e232317b386
SHA512 0746a9602c4985674deec32fb25daa9f30ade6b25788fc39b14585e94fd7aa9b9990e0e6ebef7bb3f8dccc1fa39b22e61f22f82acfc25d880f5fa78dc326890b

\Users\Admin\AppData\Local\Temp\Opera_installer_2310051729279492796.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\Pictures\t3Fv0jhVHs2OIxZdiUjIc5TW.exe

MD5 6b01485dc66803663c2b81f926296fb0
SHA1 ad7b8c19cb16bd47ce47ec1ab6d08d50b79cc052
SHA256 f4e585dab024db2e1b9603b7691bd8c2752f7159f0b40558c17c0e232317b386
SHA512 0746a9602c4985674deec32fb25daa9f30ade6b25788fc39b14585e94fd7aa9b9990e0e6ebef7bb3f8dccc1fa39b22e61f22f82acfc25d880f5fa78dc326890b

\Users\Admin\Pictures\t3Fv0jhVHs2OIxZdiUjIc5TW.exe

MD5 6b01485dc66803663c2b81f926296fb0
SHA1 ad7b8c19cb16bd47ce47ec1ab6d08d50b79cc052
SHA256 f4e585dab024db2e1b9603b7691bd8c2752f7159f0b40558c17c0e232317b386
SHA512 0746a9602c4985674deec32fb25daa9f30ade6b25788fc39b14585e94fd7aa9b9990e0e6ebef7bb3f8dccc1fa39b22e61f22f82acfc25d880f5fa78dc326890b

memory/1612-315-0x0000000000400000-0x000000000046A000-memory.dmp

\Users\Admin\Pictures\Opera_installer_2310051729302582796.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1808-323-0x0000000005BE0000-0x0000000005C20000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e4e79327a2aaa00173b716af40f57b01
SHA1 7e2069b52fc649ffc2bb08f93f2c0bd358f28d19
SHA256 bc4ca51f3345eab42462a4c61a762360835e3839648c3be10a61aaea4ebfab17
SHA512 4b7b2c7ddc840af2e02d2b0ef06b56532f4e8b56fea96fc26e7179c7629cb05f3b8666db9e8de39af1c2a6b2f475b0a6618460af3718b4eb0f9e0381ccdb8f8e

C:\Users\Admin\AppData\Local\Temp\849525425301

MD5 0229bda29bb019bbc8fb665c59e0145d
SHA1 18447eaa1a6fa38e4bf9ebdb27d1858cac6a9332
SHA256 e92dcf2201527fe4df7c611e08633258b46bfbf3e9f6814e4da97204b4278693
SHA512 83efa5fdc4fee32edc76fd9ff46fdf90eec0fcc6ed334ad1b656aec18ab99f838c09b62506dbcb3187bbd1b0c2c69ae567dc262be5afd07b089603813bba7a3b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d32178a17e2b136098e861b72389f1ee
SHA1 8f63030a20ae2e3b35d5090e2d1171001a2e08bd
SHA256 3d7cb82c6f9dc0d511fee8ef70dd948fdbf4bf88493399cd9224a60d3cc8bc9b
SHA512 1af451262ed13fd2369e29631b0d7d1930fc2eeebf4a041d501fcdd31a54cfc16452c1cc2dedc3cbb640bcc42a84407c3eb5c469e0ba44163903a51ed386176b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 041cfbb6feae65291ffa341bf971fa42
SHA1 5104920d94fcddd316b1d75d4eeff2f907fdbfe8
SHA256 ae243bd949182b7db96eba00fb7dde7a30620aff2b4138c562f6f74ab7ca2b1e
SHA512 54d7f4c2c846a4e08438323933ffeeee67ffe242d7838cc95d21e14258b4ccbb65b2657500dfb18eba0e7af613cdfa308012b093667fea189d1038c75e5712e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47918b3a70484ee4ebdc75d93e052996
SHA1 472822bcc9a9c4f3400a4d9f6d17993bc41ee4db
SHA256 6354c0048b223674742c194fea626fdb0a1ee3476a381b8b45e2b8d63cbc60d7
SHA512 cdf6e8ddc1870259a34ff4e2f2f7b1f4068afe882bf9c5af8d600921e9e34e2516d9f154e1c03bcc62c800211daeeb0cc9c2f665c0f4b1ad0df4e214c46ea057

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74596747e9d36a75756d614d0ea61bd7
SHA1 2cc8bcc40a148e5e4f53f29459d0154a1874cdf2
SHA256 7766e2e473c9ade86e016fb18da28a5044e6735823cd50a2e4929cac84723a62
SHA512 0e1a8b275b05fc61b65b9b62a54c93aadaa70efc68f6a3554092521faf35e3a6687220f5cfdcc433b69ac84fe5529c8472e170b98c314f3dcc59ab466a9e5d94

memory/1648-413-0x000000013F490000-0x000000013F9D3000-memory.dmp

memory/1808-414-0x0000000005BE0000-0x0000000005C20000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-U318G.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Local\Temp\is-U318G.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Local\Temp\is-U318G.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

memory/1724-420-0x0000000000BA0000-0x0000000000C24000-memory.dmp

memory/1724-421-0x00000000003F0000-0x0000000000452000-memory.dmp

memory/1724-422-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

memory/1724-423-0x000000001B090000-0x000000001B110000-memory.dmp

memory/1724-424-0x0000000002030000-0x000000000208E000-memory.dmp

memory/1716-425-0x0000000000400000-0x0000000000513000-memory.dmp

memory/2596-426-0x000000000B180000-0x000000000B6CD000-memory.dmp

memory/1316-429-0x0000000003230000-0x00000000033A1000-memory.dmp

memory/1316-430-0x00000000033B0000-0x00000000034E1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74596747e9d36a75756d614d0ea61bd7
SHA1 2cc8bcc40a148e5e4f53f29459d0154a1874cdf2
SHA256 7766e2e473c9ade86e016fb18da28a5044e6735823cd50a2e4929cac84723a62
SHA512 0e1a8b275b05fc61b65b9b62a54c93aadaa70efc68f6a3554092521faf35e3a6687220f5cfdcc433b69ac84fe5529c8472e170b98c314f3dcc59ab466a9e5d94

memory/2028-446-0x000000001B460000-0x000000001B742000-memory.dmp

memory/2028-447-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

memory/2028-448-0x000007FEEE910000-0x000007FEEF2AD000-memory.dmp

memory/2028-449-0x00000000026F0000-0x0000000002770000-memory.dmp

memory/2028-450-0x000007FEEE910000-0x000007FEEF2AD000-memory.dmp

memory/2028-451-0x00000000026F0000-0x0000000002770000-memory.dmp

memory/2028-452-0x00000000026F0000-0x0000000002770000-memory.dmp

memory/2028-453-0x00000000026F4000-0x00000000026F7000-memory.dmp

memory/1808-454-0x0000000005BE0000-0x0000000005C20000-memory.dmp

memory/2028-455-0x000007FEEE910000-0x000007FEEF2AD000-memory.dmp

memory/2564-465-0x0000000000400000-0x00000000005B6000-memory.dmp

memory/2564-466-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/2564-467-0x00000000001C0000-0x00000000001FE000-memory.dmp

memory/1724-469-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

memory/1808-468-0x0000000005BE0000-0x0000000005C20000-memory.dmp

memory/2564-470-0x0000000000400000-0x00000000005B6000-memory.dmp

memory/1724-471-0x000000001B090000-0x000000001B110000-memory.dmp

memory/836-472-0x0000000004860000-0x0000000004C58000-memory.dmp

memory/836-473-0x0000000004C60000-0x000000000554B000-memory.dmp

memory/836-474-0x0000000000400000-0x0000000002FB5000-memory.dmp

memory/1316-475-0x00000000033B0000-0x00000000034E1000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1648-481-0x000000013F490000-0x000000013F9D3000-memory.dmp

C:\Program Files\VideoLAN\LHNFVFNPHN\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

memory/1224-504-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d6-e016c-871-d9ea2-f8a7a6c3473ca\Raqakyguzhae.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\d6-e016c-871-d9ea2-f8a7a6c3473ca\Raqakyguzhae.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

\Users\Admin\AppData\Local\Temp\is-19VKH.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

C:\Users\Admin\AppData\Local\Temp\is-19VKH.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

\Users\Admin\AppData\Local\Temp\is-HOFOO.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-HOFOO.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Program Files (x86)\LightCleaner\LightCleaner.exe

MD5 b1c46e53e92ce5c1b673a60b2db081ac
SHA1 6ef5e9f1ee2f0a325c43c2d92447310097f9f5b3
SHA256 ef4b529c5f506bf8a58522aed1e5ae7ebfec2155130e90bd92f9403883046489
SHA512 a6708c915b68cabc62b8a356c91e1e4d8facd5b5c28050d39dd8c0486d0e84440d6f75b4bdd78c348d44138a1686b152f6042fdaae0f5d0fce3a31aa5b9b46a5

memory/1672-538-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

memory/1224-539-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/1648-542-0x000000013F490000-0x000000013F9D3000-memory.dmp

C:\Users\Admin\Pictures\91urJXr2wC7mhQTRHF84r1Yw.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

\Users\Admin\AppData\Local\Temp\d6-e016c-871-d9ea2-f8a7a6c3473ca\Raqakyguzhae.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA1 4184e9decf6bbc584a822098249e905644c4def2
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001
SHA512 f62f17cddde83b96e416a198abde4ece29f6e26bc95ee72f151ab05594859a1cf69afb918f4f1a0ef5d6a660b2d2cead419f9b396698512a8d32bb877ce50713

memory/576-547-0x000000006CF80000-0x000000006D52B000-memory.dmp

memory/576-549-0x000000006CF80000-0x000000006D52B000-memory.dmp

memory/2460-550-0x0000000000220000-0x0000000000271000-memory.dmp

memory/2460-551-0x0000000000400000-0x00000000005C0000-memory.dmp

memory/848-552-0x0000000004A30000-0x0000000004E28000-memory.dmp

memory/848-553-0x0000000004E30000-0x000000000571B000-memory.dmp

memory/848-554-0x0000000000400000-0x0000000002FB5000-memory.dmp

memory/2564-591-0x0000000000400000-0x00000000005B6000-memory.dmp

memory/1912-593-0x00000000004B0000-0x00000000004B1000-memory.dmp

memory/2564-595-0x00000000001C0000-0x00000000001FE000-memory.dmp

memory/2564-594-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/2460-597-0x0000000000740000-0x0000000000840000-memory.dmp

memory/2884-601-0x00000000022D0000-0x0000000002734000-memory.dmp

memory/836-600-0x0000000000400000-0x0000000002FB5000-memory.dmp

memory/576-615-0x0000000000220000-0x0000000000260000-memory.dmp

memory/2460-617-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/848-642-0x0000000000400000-0x0000000002FB5000-memory.dmp

memory/2564-653-0x0000000000400000-0x00000000005B6000-memory.dmp

memory/2460-654-0x0000000000400000-0x00000000005C0000-memory.dmp

memory/2460-655-0x0000000000740000-0x0000000000840000-memory.dmp

memory/2796-656-0x0000000000F40000-0x000000000148D000-memory.dmp

memory/2140-658-0x000000013F2C0000-0x000000013F803000-memory.dmp

memory/2884-659-0x0000000000400000-0x00000000009FA000-memory.dmp

memory/836-660-0x0000000000400000-0x0000000002FB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lpksetup-20230831-235916-0.log

MD5 1826fa74cf6cbd4a4690f902e04d73e5
SHA1 2b536337a86895be07172703e1cd39700048f04b
SHA256 391c53b49cb2a363436017bbab9482e7b4076f6c56a090481ac0bf82d91de3f0
SHA512 4f4a8753b59f13447e6d9a9ac6e482028fca21956aaac7358df471e1982e90d35078612af744c5e719f2f6b3e475d949886970294056d7f8c83b789921431718

memory/2884-669-0x0000000002740000-0x0000000002C07000-memory.dmp

C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MValidator.Lck

MD5 b485167c5b0e59d47009a16f90fe2659
SHA1 891ebccd5baa32daed16fb5a0825ca7a4464931f
SHA256 db44b8db4f05d720ef1a57abadeed0c164d47b17416c7dd7d136d8f10fba91c9
SHA512 665e3fcbd83b7876dd1dc7f34fadd8669debdfab8962bdce3b72b08139a75ef157c4f4c3b90ea9c1f20637bb4f2a29091d9186987d22c7d23428a2e7ccf80bd4

C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MKWD_BestBet.H1W

MD5 d8433b839d08f96ce32b60fb84912132
SHA1 02a020e7b2735b6492af9edb9eec6343cafc1bf4
SHA256 1382ae70ac35e039d080c23a55cabc728bce0d34e3e5f6e9acc566ec1d107223
SHA512 f1b8b622b7b98ad2b6a8fd1351a41408daac23baf9c6d9bf2ff848dbe93876b26c0aaba9f7bc628fba3e65be77f1c8092280a4632e5f34a9cf4936acdabb28b3

C:\Users\Admin\AppData\Local\Temp\d6-e016c-871-d9ea2-f8a7a6c3473ca\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

memory/2884-740-0x0000000000400000-0x00000000009FA000-memory.dmp

C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MKWD_BestBet.H1W

MD5 8c4c96e0bfb61753e3c7058756d18214
SHA1 edb26671dc83d75fe7bd4ddf1d532ae3c0099a71
SHA256 6e993b3204808c533f38511d20aa6d8f15fbb70e45f7dcdd33a579e83e6a3661
SHA512 36d1b2f59730461e16b4191a80a41de40eecc6604ec7cc9e1ba17edf19bffb269e6f37869daa080c0c532b620d07e97aac66c26d7a6fee218da7e082ceb18adb

memory/800-744-0x0000000004780000-0x0000000004B78000-memory.dmp

memory/836-745-0x0000000000400000-0x0000000002FB5000-memory.dmp

memory/2884-747-0x00000000034C0000-0x0000000003CB2000-memory.dmp

memory/2324-748-0x0000000004960000-0x0000000004D58000-memory.dmp

memory/2884-751-0x0000000000400000-0x00000000009FA000-memory.dmp

memory/2884-752-0x0000000000310000-0x0000000000311000-memory.dmp

memory/848-749-0x0000000000400000-0x0000000002FB5000-memory.dmp

memory/2884-755-0x0000000003F40000-0x0000000004080000-memory.dmp

memory/2884-753-0x0000000003F40000-0x0000000004080000-memory.dmp

C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

MD5 49b3faf5b84f179885b1520ffa3ef3da
SHA1 c1ac12aeca413ec45a4f09aa66f0721b4f80413e
SHA256 b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5
SHA512 018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

MD5 4bd56443d35c388dbeabd8357c73c67d
SHA1 26248ce8165b788e2964b89d54d1f1125facf8f9
SHA256 021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
SHA512 100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09
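Two things in the listing above are easier to check mechanically than by eye. The hosts file entry carries MD5 d41d8cd98f00b204e9800998ecf8427e and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, which are the digests of empty input, so the file was zero bytes when the sandbox captured it. And C:\Program Files\Google\Chrome\updater.exe has the same SHA256 as C:\Users\Admin\Pictures\91urJXr2wC7mhQTRHF84r1Yw.exe, i.e. one payload staged at two paths. The Python below is an added example, not code from the sandbox vendor or from this report: it parses the block format used above, de-duplicates entries by SHA-256, flags zero-byte files, and reports one hash written to several paths. The REPORT_EXCERPT string is a constructed subset of the page's own entries; the function names and the path-normalisation rule (drop the drive letter, fold case) are assumptions of the example.

```python
"""Triage the 'Files' block of a sandbox report. Added example, not the
sandbox vendor's tooling. Block format (as printed above): a path line,
then MD5/SHA1/SHA256/SHA512 lines, with memory/<pid>-<n>-<start>-<end>-memory.dmp
rows interleaved. De-duplicates by SHA-256, flags zero-byte files (the
hash of b'') and reports one hash written to several paths."""
import hashlib
import pathlib
import re
import sys
from collections import defaultdict

# Constructed excerpt: a subset of the page's own entries, copied as printed there.
REPORT_EXCERPT = r"""
C:\Windows\system32\drivers\etc\hosts

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

memory/1648-481-0x000000013F490000-0x000000013F9D3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d6-e016c-871-d9ea2-f8a7a6c3473ca\Raqakyguzhae.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001

\Users\Admin\AppData\Local\Temp\d6-e016c-871-d9ea2-f8a7a6c3473ca\Raqakyguzhae.exe

MD5 12b9ea8a702a9737e186f8057c5b4a3a
SHA256 0ede12df938accd1be25420696db2969815ca0a2cd22d0c68a3352faa88f1001

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e

C:\Users\Admin\Pictures\91urJXr2wC7mhQTRHF84r1Yw.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
MEMDUMP_LINE = re.compile(r"^memory/\d+-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # computed, not hard-coded


def parse_files_section(text):
    """Return one {'path': ..., 'md5': ..., 'sha256': ...} dict per path line."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or MEMDUMP_LINE.match(line):
            continue  # blank separators and memory-dump rows carry no file hash
        m = HASH_LINE.match(line)
        if m is None:
            current = {"path": line}  # any other non-empty line starts a new file entry
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"hash line before any path: {line!r}")
        algo, digest = m.group(1).lower(), m.group(2).lower()
        if len(digest) != HASH_LEN[algo]:  # catches truncated copy/paste of a digest
            raise ValueError(f"{algo} digest of wrong length for {current['path']}")
        current[algo] = digest
    return entries


def normalize_path(path):
    """Key paths case-insensitively and without the drive letter: the report
    lists 'C:\\Users\\...' and '\\Users\\...' for the same file."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def triage(entries):
    """Group normalised paths by SHA-256; surface empty files and multi-path hashes."""
    by_hash = defaultdict(set)
    for e in entries:
        if "sha256" in e:
            by_hash[e["sha256"]].add(normalize_path(e["path"]))
    return {
        "unique_hashes": sorted(by_hash),
        "empty_files": sorted(by_hash.get(EMPTY_SHA256, ())),
        "multi_path": {h: sorted(by_hash[h]) for h in sorted(by_hash) if len(by_hash[h]) > 1},
    }


if __name__ == "__main__":
    # Pass a saved report as argv[1] to triage a full listing; default is the excerpt.
    text = pathlib.Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else REPORT_EXCERPT
    report = triage(parse_files_section(text))
    print(len(report["unique_hashes"]), "unique SHA-256 values")
    for path in report["empty_files"]:
        print("zero-byte file:", path)
    for digest, paths in report["multi_path"].items():
        print("same content at several paths:", digest[:16], paths)
```

Run it with no arguments to triage the embedded excerpt, or with a saved copy of the Files block as the first argument. The drive-letter normalisation is what collapses the `C:\Users\...` and `\Users\...` forms of Raqakyguzhae.exe into one entry, so only the updater.exe / Pictures pair is reported as the same content at two paths.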