Analysis Overview
SHA256: 2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
Glupteba
SmokeLoader
Socks5Systemz
Glupteba payload
Downloads MZ/PE file
Modifies Windows Firewall
Executes dropped EXE
UPX packed file
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Reads data files stored by FTP clients
Unexpected DNS network traffic destination
Adds Run key to start application
Enumerates connected drives
Accesses cryptocurrency files/wallets, possible credential harvesting
Manipulates WinMonFS driver
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Drops file in Windows directory
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Modifies system certificate store
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-03-10 12:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-03-10 12:34
Reported: 2024-03-10 12:36
Platform: win7-20240221-en
Max time kernel: 120s
Max time network: 128s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-03-10 12:34
Reported: 2024-03-10 12:36
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 156s
Command Line
Signatures
DcRat
Glupteba
Glupteba payload
SmokeLoader
Socks5Systemz
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nCKytdSB5KynFC85zAiaClrW.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locXPTpXtGAi2iIwIOCjSk6g.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cAbuhFFm3sGZEGrlbX8f7Nfw.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4WojiqiVx9md8GR8I0C4iz2b.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JNy39JoOJRzNuLwJbwm9miIZ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rRb0jtjxrnIIVBVBJay5pfS9.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 141.98.234.31 | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
Manipulates WinMonFS driver
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1700 set thread context of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe |
NSIS installer
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
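The two sc.exe rows above, where SeSecurityPrivilege is enabled, line up with the `sc sdset WinDefender D:(...)S:(...)` command recorded in the process list further down: the S: part of that string is a SACL, and writing a SACL is what SeSecurityPrivilege is for. The decoder below is an added example, not tooling from the sandbox or the report. It parses the SDDL string exactly as the report prints it and compares it with DEFAULT_SERVICE_SDDL, which is this example's own assumption of a stock service descriptor (same ACEs, with Administrators keeping stop/pause); the two-letter rights and SID abbreviations are the documented SDDL codes for service objects, and the function names are this example's.

```python
"""Decode a service security descriptor written in SDDL and show what changed.

Added example, not part of the sandbox report. REPORTED_SDDL is copied from
the `sc sdset` command line in the report; DEFAULT_SERVICE_SDDL is an assumed
baseline for an ordinary service and is not taken from the report.
"""
import re

# SDDL rights abbreviations as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service logon", "WD": "Everyone", "AU": "Authenticated Users"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# Copied from the report's process list (sc sdset WinDefender ...).
REPORTED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                 "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed baseline: identical, except Administrators keep WP (stop) and DT (pause/continue).
DEFAULT_SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
# D: (DACL) and S: (SACL) sections, optionally prefixed by control flags such as PAI.
SECTION_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^)]*\))*)")


def decode_rights(rights):
    """Expand a run of two-letter rights codes; a raw hex mask is left untouched."""
    if rights.startswith("0x"):
        return [rights]
    return [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]


def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]}, each a list of decoded ACE dicts in order."""
    parsed = {"dacl": [], "sacl": []}
    for key, _flags, body in SECTION_RE.findall(sddl):
        aces = [{"type": ACE_TYPES.get(t, t), "flags": fl, "rights": decode_rights(r),
                 "trustee": TRUSTEES.get(sid, sid)}
                for t, fl, r, _obj, _inh, sid in ACE_RE.findall(body)]
        parsed["dacl" if key == "D" else "sacl"] = aces
    return parsed


def effective_rights(sddl, trustee):
    """(allowed, denied) for one trustee from its direct ACEs; no group expansion."""
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["trustee"] == trustee:
            (denied if ace["type"] == "deny" else allowed).update(ace["rights"])
    return allowed - denied, denied


def diff_against(sddl, baseline):
    """Per trustee, which rights were lost and gained relative to the baseline."""
    trustees = {a["trustee"] for d in (sddl, baseline) for a in parse_sddl(d)["dacl"]}
    report = {}
    for t in sorted(trustees):
        now, _ = effective_rights(sddl, t)
        base, _ = effective_rights(baseline, t)
        report[t] = {"lost": base - now, "gained": now - base}
    return report


def can_admin_recover(sddl):
    """Administrators can undo the lock if they still hold WRITE_DAC or WRITE_OWNER."""
    allowed, _ = effective_rights(sddl, "Administrators")
    return bool(allowed & {"WRITE_DAC", "WRITE_OWNER"})


if __name__ == "__main__":
    for trustee, delta in diff_against(REPORTED_SDDL, DEFAULT_SERVICE_SDDL).items():
        if delta["lost"] or delta["gained"]:
            print(f"{trustee}: lost {sorted(delta['lost'])}, gained {sorted(delta['gained'])}")
    print("Administrators can rewrite the descriptor:", can_admin_recover(REPORTED_SDDL))
```

Read against the baseline, the only change is to Administrators: the allow ACE drops WP and DT and an explicit `(D;;WPDT;;;BA)` deny is added, so `sc stop` / `net stop` from an elevated prompt fails while LocalSystem is untouched. The deny ACE sits after an allow for the same trustee, which is not canonical order, but since that allow no longer grants WP or DT the outcome is the same either way. The descriptor leaves Administrators with SERVICE_CHANGE_CONFIG and WRITE_DAC, so the lock is reversible: an administrator can `sc sdset` the baseline string back and then stop the service, which is the step a responder will want before deleting it.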
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe
"C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe"
C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp
"C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp" /SL5="$E0062,1697450,56832,C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe"
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
"C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -i
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
"C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -s
C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe
"C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe"
C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe
"C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe
"C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe"
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3536 -ip 3536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1744
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe
"C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe
"C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe" --silent --allusers=0
C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe
C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2f0,0x300,0x6e8a21c8,0x6e8a21d4,0x6e8a21e0
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\q5k45BSDMtuPVECVy92Za6sx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\q5k45BSDMtuPVECVy92Za6sx.exe" --version
C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe
"C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3876 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240310123443" --session-guid=9477b60e-ec3c-4c23-97a4-17043994aafc --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4005000000000000
C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe
C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x2f0,0x300,0x304,0x2d4,0x308,0x6df221c8,0x6df221d4,0x6df221e0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x530040,0x53004c,0x530058
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1092
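The process list above carries most of what a detection engineer would key on: a scheduled task named csrss pointing at C:\Windows\rss\csrss.exe with /RL HIGHEST, a second task into AppData\Local\Temp on a 30-minute interval, an inbound firewall allow for that same binary, a service descriptor rewrite with an explicit deny ACE, and an injector.exe fed a hook DLL from a temp directory. The script below is an added example, not tooling from the sandbox: it runs a small rule set over command lines copied verbatim from this page. The rule names, the drop-directory list, the table of where system binaries are expected to live and the short allowlist of binaries that legitimately sit directly under C:\Windows are this example's own assumptions.

```python
"""Rule-based triage of process command lines from the sandbox report.

Added example, not part of the report. COMMAND_LINES is copied from the
Processes section; rules, path tables and the allowlist are assumptions.
"""
import re
from dataclasses import dataclass

COMMAND_LINES = [
    r"""schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F""",
    r"""netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes""",
    r"""schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F""",
    r"""schtasks /delete /tn ScheduledUpdate /f""",
    r"""C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll""",
    r"""C:\Windows\rss\csrss.exe""",
    r'"C:\Windows\windefender.exe"',
    r"""sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)""",
    r"""powershell -nologo -noprofile""",
    r'"C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -s',
]

# Assumptions: where a few well-known system binaries must live, which directories
# count as drop locations, and which binaries legitimately sit directly in C:\Windows.
SYSTEM_BINARY_HOMES = {"csrss.exe": "c:\\windows\\system32\\", "conhost.exe": "c:\\windows\\system32\\"}
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\pictures\\", "\\appdata\\roaming\\")
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
                      "winhlp32.exe", "splwow64.exe", "bfsvc.exe", "helppane.exe"}

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def tokenize(cmdline):
    """Split a command line; double-quoted runs stay whole and lose their quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in TOKEN_RE.finditer(cmdline)]


def switch(tokens, name):
    """Value following a case-insensitive /switch, stripped of surrounding quotes."""
    low = [t.lower() for t in tokens]
    if name in low and low.index(name) + 1 < len(tokens):
        return tokens[low.index(name) + 1].strip("'\"")
    return None


def image_name(path):
    return path.lower().rsplit("\\", 1)[-1]


def masquerading(path):
    """A known system binary name executing outside its expected directory."""
    home = SYSTEM_BINARY_HOMES.get(image_name(path))
    return bool(home) and not path.lower().startswith(home)


def in_drop_dir(path):
    return any(d in path.lower() for d in DROP_DIRS)


def triage(cmdline):
    toks = tokenize(cmdline)
    if not toks:
        return []
    head, low = toks[0], [t.lower() for t in tokenize(cmdline)]
    exe = image_name(head).removesuffix(".exe")
    out = []

    if masquerading(head):
        out.append(Finding("masquerade", f"{image_name(head)} running from {head}"))
    if in_drop_dir(head):
        out.append(Finding("drop-dir-exec", head))
    parent = head.lower().rsplit("\\", 1)[0] if "\\" in head else ""
    if parent == "c:\\windows" and image_name(head) not in WINDOWS_ROOT_ALLOW:
        out.append(Finding("unexpected-exe-in-windows-root", head))

    # Persistence via schtasks: elevated run level, or a target in a drop dir / masqueraded path.
    if exe == "schtasks" and "/create" in low:
        target = switch(toks, "/tr") or ""
        sched = (switch(toks, "/sc") or "").upper()
        level = (switch(toks, "/rl") or "").upper()
        if level == "HIGHEST" or in_drop_dir(target) or masquerading(target):
            out.append(Finding("schtasks-persistence",
                               f"task {switch(toks, '/tn')!r} -> {target} [{sched or '?'}, RL={level or 'default'}]"))

    # Firewall rule creation that opens a path for a specific program.
    if exe == "netsh" and "advfirewall" in low and "add" in low:
        kv = {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', cmdline)}
        if kv.get("action", "").lower() == "allow":
            out.append(Finding("firewall-allow-rule",
                               f"{kv.get('dir', '?')}bound allow for {kv.get('program', '?')} (rule {kv.get('name', '?')!r})"))

    # Service security descriptor rewrite; count explicit deny ACEs in the SDDL argument.
    if exe == "sc" and len(toks) >= 4 and low[1] == "sdset":
        denies = re.findall(r"\(D;[^)]*\)", toks[3])
        out.append(Finding("service-sd-rewrite", f"{toks[2]}: {len(denies)} explicit deny ACE(s) {denies}"))

    # Any DLL argument that lives in a drop directory (injector-style loaders).
    for arg in toks[1:]:
        if arg.lower().endswith(".dll") and in_drop_dir(arg):
            out.append(Finding("dll-from-drop-dir", arg))
    return out


def triage_all(lines=COMMAND_LINES):
    return {line: triage(line) for line in lines}


if __name__ == "__main__":
    for line, findings in triage_all().items():
        for f in findings:
            print(f"[{f.rule}] {f.detail}")
```

The schtasks /delete, the bare `powershell -nologo -noprofile` launches and babyclock.exe produce no findings on their own; the point is that the remaining lines each trip a rule without any knowledge of the family names the report assigns. Note the tokenizer is deliberately simple: the `cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "` line from the report, with its doubled quotes, is not in the sample set because CommandLineToArgv-style quoting would be needed to split it faithfully.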
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.21.79.77:443 | yip.su | tcp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| US | 8.8.8.8:53 | namecloudvideo.org | udp |
| DE | 185.172.128.126:80 | 185.172.128.126 | tcp |
| US | 8.8.8.8:53 | midnight.bestsup.su | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 15.204.49.148:80 | 15.204.49.148 | tcp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| RU | 193.106.174.70:80 | galandskiyher5.com | tcp |
| US | 172.67.171.112:80 | midnight.bestsup.su | tcp |
| US | 172.67.164.28:443 | namecloudvideo.org | tcp |
| US | 8.8.8.8:53 | shipbank.org | udp |
| US | 104.21.10.217:443 | shipbank.org | tcp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.79.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.171.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.164.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.49.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.174.106.193.in-addr.arpa | udp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | 217.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | 187.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | autoupdate.geo.opera.com | udp |
| US | 8.8.8.8:53 | desktop-netinstaller-sub.osp.opera.software | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 82.145.216.19:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.216.19:443 | autoupdate.geo.opera.com | tcp |
| US | 8.8.8.8:53 | 121.217.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.216.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | features.opera-api2.com | udp |
| US | 8.8.8.8:53 | download.opera.com | udp |
| NL | 185.26.182.93:443 | features.opera-api2.com | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6b74b21e-632c-4ae1-a15c-b97ee370c66f.uuid.realupdate.ru | udp |
| NL | 82.145.216.23:443 | download.opera.com | tcp |
| US | 8.8.8.8:53 | download3.operacdn.com | udp |
| GB | 95.101.143.243:443 | download3.operacdn.com | tcp |
| US | 8.8.8.8:53 | 23.216.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.143.101.95.in-addr.arpa | udp |
| GB | 88.221.135.217:80 | | tcp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | | udp |
| CH | 172.217.210.127:19302 | | udp |
| BG | 185.82.216.96:443 | | tcp |
| US | 8.8.8.8:53 | 127.210.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 71.221.67.172.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| RU | 193.106.174.70:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | tradein-myus.com | udp |
| US | 8.8.8.8:53 | trade-inmyus.com | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| BG | 185.82.216.96:443 | | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| HK | 141.98.234.31:53 | dldnrwd.info | udp |
| US | 8.8.8.8:53 | 31.234.98.141.in-addr.arpa | udp |
| TR | 195.16.74.230:80 | dldnrwd.info | tcp |
| NL | 45.155.249.96:2023 | | tcp |
| US | 8.8.8.8:53 | 96.249.155.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.74.16.195.in-addr.arpa | udp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
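Most of the rows above are reverse lookups and Opera installer traffic, and the rows that matter are easy to miss among them: a DNS query sent to 141.98.234.31:53 instead of the sandbox resolver (the "Unexpected DNS network traffic destination" signature in the summary), connections on ports 2023 and 19302, plaintext HTTP to bare 185.172.128.x addresses with no hostname, a UUID embedded in a query name under realupdate.ru, and pastebin.com / cdn.discordapp.com (the "Legitimate hosting services abused" signature). The script below is an added example, not tooling from the report: it parses pipe-table rows exactly as printed on this page and buckets them with those heuristics. The rows in NETWORK_TABLE are a constructed subset copied from the table; the expected resolver, the ordinary-port set and the list of commonly abused hosting domains are this example's assumptions.

```python
"""Bucket rows of the sandbox Network table into leads and noise.

Added example, not part of the report. NETWORK_TABLE is a subset of the
page's table; EXPECTED_RESOLVER, ORDINARY_PORTS and ABUSED_HOSTING are assumptions.
"""
import re
from collections import defaultdict

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| DE | 185.172.128.126:80 | 185.172.128.126 | tcp |
| RU | 193.106.174.70:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | 6b74b21e-632c-4ae1-a15c-b97ee370c66f.uuid.realupdate.ru | udp |
| CH | 172.217.210.127:19302 | | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| HK | 141.98.234.31:53 | dldnrwd.info | udp |
| TR | 195.16.74.230:80 | dldnrwd.info | tcp |
| NL | 45.155.249.96:2023 | | tcp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
"""

EXPECTED_RESOLVER = "8.8.8.8"                            # the sandbox's DNS server (assumption)
ORDINARY_PORTS = {53, 80, 443}
ABUSED_HOSTING = {"pastebin.com", "cdn.discordapp.com"}  # partial list (assumption)
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_rows(table):
    """Parse '| Country | Destination | Domain | Proto |' rows; skip the header and junk lines."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[1] == "Destination":
            continue
        host, _, port = cells[1].rpartition(":")
        rows.append({"country": cells[0], "dest": cells[1], "host": host,
                     "port": int(port), "domain": cells[2], "proto": cells[3]})
    return rows


def classify(row):
    """Tags for one row; a row with nothing notable lands in 'untagged'."""
    tags, d = [], row["domain"]
    if d.endswith(".in-addr.arpa"):
        tags.append("reverse-lookup")               # PTR noise, review last
    if row["port"] == 53 and row["host"] != EXPECTED_RESOLVER:
        tags.append("dns-to-unexpected-resolver")   # DNS sent somewhere other than the configured server
    if row["port"] not in ORDINARY_PORTS:
        tags.append("unusual-port")
    if row["port"] == 80 and (not d or IPV4_RE.match(d)):
        tags.append("http-to-bare-ip")              # plaintext HTTP with no hostname at all
    if UUID_RE.match(d):
        tags.append("uuid-subdomain")               # identifier carried in the query name; correlate across runs
    if d in ABUSED_HOSTING:
        tags.append("abused-hosting")
    return tags or ["untagged"]


def triage_table(table=NETWORK_TABLE):
    buckets = defaultdict(list)
    for row in parse_rows(table):
        for tag in classify(row):
            buckets[tag].append(row)
    return buckets


if __name__ == "__main__":
    for tag, rows in sorted(triage_table().items()):
        print(f"{tag}: {[r['dest'] + (' ' + r['domain'] if r['domain'] else '') for r in rows]}")
```

Rows are bucketed by the first thing that stands out about them, so a single run separates the resolver noise from the handful of destinations worth pivoting on; the untagged bucket (here galandskiyher5.com, dldnrwd.info over port 80 and net.geo.opera.com) is what is left for manual review. The resolver check only fires on port 53, so DNS over other transports would need its own rule.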
Files
memory/692-0-0x0000000000400000-0x0000000000408000-memory.dmp
memory/692-1-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/692-2-0x0000000005740000-0x0000000005750000-memory.dmp
C:\Users\Admin\Pictures\35g0sPicqdQXWNY48pVYrgLZ.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe
| MD5 | 328adf79d56fef9b88089e2ccb17c8a0 |
| SHA1 | 35a90318f8ab8ec3f99ca37b9d4b212e78867420 |
| SHA256 | d8e189e63bbe2fe65b973190b5ed8dbad9e7e90d2a086cfc0f1745c3d06e525b |
| SHA512 | f16e15cf2f1012ceeba6017590e5f5fa3aec4a6441b29df6808d4f68fdbca4201d53c25aca84cba9549fff052864a5ec7ff7dc9022bd75e07fa4e9b5c8284667 |
memory/60-27-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp
| MD5 | 085aca27fe0b6d4c479500fb4a586129 |
| SHA1 | 88e775fab99e3bc02e2bc44b0171b8a70cc5f9a3 |
| SHA256 | 6cdeb9602e2346ea8c4b86eaf32bf07dea3350a9fa4ae99f5c15fcde96055cb7 |
| SHA512 | a7d37e57f1421a8b407204aad3089995dd2eb6fc03a37dbb0f2b8a3c387143f55e1e41c04059db265f330e96fd17d8d7c56bfc4398810b90b69cbe59e156339b |
memory/316-33-0x00000000005E0000-0x00000000005E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-J4JCU.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
| MD5 | 3b5b9bd8bbf39e9996072c71dfbcf7ca |
| SHA1 | ba59908f0714a7e1682b3edefb0b723fbf8e8a38 |
| SHA256 | 45397a25baca6fdcf93bfa132e6be8c3ef2403b09ec049e164c365310ac1e5a7 |
| SHA512 | ecf2dc225a7de0e0321d000d8762a2bb4ea97c789ff4940d7e43eb9f76b79b50d3b1543b4ed4c69a82566336eed045d1dfa59d12c4d2df5032904806af101d28 |
memory/3296-63-0x0000000000400000-0x00000000005DB000-memory.dmp
memory/3296-64-0x0000000000400000-0x00000000005DB000-memory.dmp
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
| MD5 | 28c62765c0d3951c98331a12febbab59 |
| SHA1 | 06894799aa377dca12da424bcf2a6a6f7400c8d8 |
| SHA256 | d00fa4460a6de61d26a035dd10bebfdcc0f28b81c85728e43e89af3d04da0260 |
| SHA512 | 0ec630eef2e3b6d175732612f94196a738f62a7d79abe9c23497886c3d772c00f3c3896b5f6dac2eadfc91bf47798ee58d7717c96d59260165c3573a591d077d |
memory/3296-68-0x0000000000400000-0x00000000005DB000-memory.dmp
memory/3296-67-0x0000000000400000-0x00000000005DB000-memory.dmp
C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe
| MD5 | 38783b735530ec3595f8cfc57704e0a4 |
| SHA1 | 297d2424423506702a6f42fff06b37a89a9fc8e6 |
| SHA256 | 95d772adaee04f58f13c59ab65bcbefe9d6d6b2fc9b0f5fb6b4304902c5b2a8d |
| SHA512 | 980ff17ecdd36f1efbaced0b9599d4032eb4b27d5836c7d9d26828e478a75c73f4604bb568052aacc7519a54feb517efbf475e4d2610d8af6dbd4d6afb45fb4f |
memory/3188-81-0x0000000000400000-0x00000000005DB000-memory.dmp
C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe
| MD5 | 78441713602f8860f76dcb726d35c787 |
| SHA1 | be11ed46be79a6bf22290a887cc289d7a9bdeb48 |
| SHA256 | 99e1a8a9641c7592de2101ed1de297d37226036e29f7839ca93c7ad5409a60af |
| SHA512 | ab23f06273f4337c2ec0bb8ee53c736cfb93b6b58bb700a43c969be7c233881474afca360d21bad952a0f19f25ee8cb675f8ea7cce1e9f0f41c41033f12baef6 |
C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe
| MD5 | fbd8c3441a6860996d762513c9db1bc9 |
| SHA1 | bf1c2916cec7eeb327d0857a1f484268425a7239 |
| SHA256 | dbdc20d075f94e8979dd5a75f6a26b47d60de1e88552bfda1805abab08f6454a |
| SHA512 | c516760a64d2a5c166ba6cc14cda4b558c2f9db53465a98bfc50cc78c9a237809cb7a725f6e987ce32c93f8c49e6f1c1135fe7995bfd47df2c71030842ff6216 |
memory/1652-99-0x0000000000670000-0x0000000000770000-memory.dmp
memory/1652-101-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1652-100-0x00000000004C0000-0x00000000004CB000-memory.dmp
memory/692-103-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/4772-104-0x0000000002A00000-0x0000000002E08000-memory.dmp
memory/4772-105-0x0000000002E10000-0x00000000036FB000-memory.dmp
memory/692-106-0x0000000005740000-0x0000000005750000-memory.dmp
memory/4772-107-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/60-108-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3536-109-0x0000000002C80000-0x0000000002CB6000-memory.dmp
memory/3536-110-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/3536-113-0x0000000002C00000-0x0000000002C10000-memory.dmp
memory/316-112-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/3536-111-0x0000000002C00000-0x0000000002C10000-memory.dmp
memory/3536-114-0x0000000005840000-0x0000000005E68000-memory.dmp
memory/3536-115-0x00000000055D0000-0x00000000055F2000-memory.dmp
memory/3536-116-0x0000000005770000-0x00000000057D6000-memory.dmp
memory/3536-122-0x0000000005F70000-0x0000000005FD6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rzaqncrt.sfu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3536-127-0x00000000060E0000-0x0000000006434000-memory.dmp
memory/3536-128-0x0000000006590000-0x00000000065AE000-memory.dmp
memory/3536-129-0x0000000006650000-0x000000000669C000-memory.dmp
memory/3536-130-0x0000000006AF0000-0x0000000006B34000-memory.dmp
memory/3536-131-0x00000000078C0000-0x0000000007936000-memory.dmp
C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe
| MD5 | fb7eac191e9c9b750d2039ec79edea19 |
| SHA1 | 296c528bf34dfa3444e8b11d63cfe3956431fcd0 |
| SHA256 | 1e5d6444bfabff040a71e0d656452e1050034523a96a454e7e9ca14af53825b9 |
| SHA512 | ac90fd6e17cf0fd03029e348f1c604f4748c32ad52fa7b3fcb92fb181ac1e6754e7312444c7a9598cae19b91e296866b2a4f680280b78e178c8164c19de9bd29 |
C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe
| MD5 | 2b1ee4ff451d7fc5fac73c16956b9da2 |
| SHA1 | cd488bdeaa9ad3ba68e3cedee2b3d7c3120cbfe1 |
| SHA256 | 2086fb1cdf52179c52dd7afdd29a9fae503defd979e721f447d48ed9b85c6f0b |
| SHA512 | aa94cf386dc51b5be9d551bb5462c234c0f7c0193a74286909020ba6bb86e226da26f01e1c90c322f72d372d2ca4fca11445bbfbec658f4006c85cf46e783590 |
C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe
| MD5 | f4fe0f9c69dbcdf0ecccf0e8f92e6895 |
| SHA1 | fada96c7107c270cc30462c95ff60747f0a999a8 |
| SHA256 | 341de9c61303397763325e9ef5633bb74f8dabcfaaa8f79791f488bc180e425a |
| SHA512 | 1267c5cc297004d4c628e32744283360b77e94e028b6e3f715ca7a13d49709775642b913e322141bd32e50ceb4f1e149d361f258b368cf5b0967afed39ff5083 |
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
| MD5 | 4daa194c9f29f77b6a97afcc50793020 |
| SHA1 | fa03fe3b16bc39ca17366c7b22bd71d0693cbf6f |
| SHA256 | 421f8d69e9d99d7e447bae84e0574e19c9210c6f6121944408be0669aa63c56e |
| SHA512 | 0638935945b3c181b59bda9dc13e53fc88cbbabe046af0460049f6e89688a9cd4e67783b93002330aa94cd25a04db492e1791bad4cc6c634ab6975affd63ba05 |
C:\Users\Admin\AppData\Local\Temp\nsd5C3B.tmp\INetC.dll
| MD5 | 2b342079303895c50af8040a91f30f71 |
| SHA1 | b11335e1cb8356d9c337cb89fe81d669a69de17e |
| SHA256 | 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f |
| SHA512 | 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47 |
memory/3536-151-0x0000000007FC0000-0x000000000863A000-memory.dmp
memory/3536-152-0x0000000007960000-0x000000000797A000-memory.dmp
memory/3536-153-0x000000007FC90000-0x000000007FCA0000-memory.dmp
memory/3536-154-0x0000000007B20000-0x0000000007B52000-memory.dmp
memory/3536-155-0x000000006F2B0000-0x000000006F2FC000-memory.dmp
memory/3536-156-0x000000006EF20000-0x000000006F274000-memory.dmp
memory/3536-166-0x0000000007B60000-0x0000000007B7E000-memory.dmp
memory/3536-168-0x0000000007B80000-0x0000000007C23000-memory.dmp
memory/1652-170-0x0000000000400000-0x0000000000437000-memory.dmp
memory/3436-167-0x0000000002920000-0x0000000002936000-memory.dmp
memory/3536-172-0x0000000007C70000-0x0000000007C7A000-memory.dmp
memory/3536-173-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/316-176-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2816-178-0x0000000002250000-0x0000000002277000-memory.dmp
memory/2816-184-0x0000000000400000-0x000000000063B000-memory.dmp
memory/3188-185-0x0000000000400000-0x00000000005DB000-memory.dmp
memory/2816-177-0x00000000009B0000-0x0000000000AB0000-memory.dmp
memory/2308-192-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe
| MD5 | c8e4562ad2c711911eb62a3f186114fa |
| SHA1 | e01922e5921dbc03ddd251bf9588ed8e4561158f |
| SHA256 | 23d782c4c411f5bef4e97f13de9a831bf3d8e4cdae8258437824022364780230 |
| SHA512 | b2c146020d75d24514c7a77fe010c936871c09c69ef3cc32b94c06ae43f0f8047607dbec9c078b8d168352251ea45ecbcb15b20b252ad8f90a2f10eadfc62789 |
memory/3660-193-0x0000000000400000-0x0000000000930000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 0551f7eb5a45268efa4882cadf5d0f4f |
| SHA1 | 53aa3eda93cc8dffb7e3fbf585e3fdb9e21c7d71 |
| SHA256 | f8dfa02038a056f1ebf9ff0c25674c6c7764c3cda82a966922ba5d5d800d4e29 |
| SHA512 | e197f663e3263814f74e7d41ced582adff9685f13618dacad3012b0d3db57603c3d758b245685584ba42204b1cd6b5db2bbe5d9dd59cf2a0af4376f3db9b1378 |
memory/4772-196-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3660-197-0x0000000000AE0000-0x0000000000AE1000-memory.dmp
memory/3188-195-0x0000000000400000-0x00000000005DB000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/4628-203-0x0000000002A60000-0x0000000002E63000-memory.dmp
memory/3188-202-0x0000000000400000-0x00000000005DB000-memory.dmp
memory/4628-204-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4908-206-0x0000000004E50000-0x0000000004E60000-memory.dmp
memory/4908-205-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/4908-207-0x0000000004E50000-0x0000000004E60000-memory.dmp
memory/4908-208-0x0000000005C10000-0x0000000005F64000-memory.dmp
memory/4908-220-0x0000000006420000-0x000000000646C000-memory.dmp
memory/2816-218-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/4908-258-0x000000007FBB0000-0x000000007FBC0000-memory.dmp
memory/4908-259-0x000000006EF40000-0x000000006EF8C000-memory.dmp
memory/4908-260-0x000000006E630000-0x000000006E984000-memory.dmp
memory/4908-270-0x0000000004E50000-0x0000000004E60000-memory.dmp
memory/4908-271-0x0000000007430000-0x00000000074D3000-memory.dmp
memory/4908-272-0x0000000007830000-0x00000000078C6000-memory.dmp
memory/4908-273-0x0000000007750000-0x0000000007761000-memory.dmp
memory/4908-274-0x0000000007790000-0x000000000779E000-memory.dmp
memory/4908-275-0x00000000077A0000-0x00000000077B4000-memory.dmp
memory/4908-276-0x00000000077E0000-0x00000000077FA000-memory.dmp
memory/4908-277-0x00000000077D0000-0x00000000077D8000-memory.dmp
memory/2816-362-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7641e72088cb15d3865ac77640f5af74 |
| SHA1 | c5fdd4d5f43029d1063e896a3a4c5d142e208275 |
| SHA256 | 78241c158fcca49f32f07d992e5e6b7a13ba30e5c2596af7347a8f562919f150 |
| SHA512 | ec08092c05613f0a09e56d6e7bb6ad7758716d470f4b2a98ecd95b6773fd39cbe9331e7e92ddb7d5ff3d5e5e7d09c2626fc5a7b3b3951ae1cf7762f0ac7c18e5 |
memory/3188-402-0x0000000000400000-0x00000000005DB000-memory.dmp
memory/4628-404-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | a7d8ecca447a85ae41d88113bbba989f |
| SHA1 | caad5c09ea968ae23cbae1d4c39bef4728934500 |
| SHA256 | e5215e33c62c9516700fdcff44718a40407f984dcc69f08cb20c06c3b43737c8 |
| SHA512 | d1bc09c7cff479e80bcf529bffa99f9f74c8cd0b9e8233325a1dc9dc4dffe70444f394eef19a46ae5cccdd5108b83fce456492e24b9f95d2764002406aaba131 |
C:\Windows\rss\csrss.exe
| MD5 | cf408c1e1d45558c26ecb829483557ac |
| SHA1 | 7828aa5da21ec627b8707abbb5c8801ef674f73e |
| SHA256 | 93f006af9a8e6bc4ec0e8bf8f5bb09a1c196e4c69f117a9f7174b1d1965eb68f |
| SHA512 | 0290122f969d3d73a37bb0179f4ace9479e117ef3b684be2f52eac971cfbdf7386f741af6055095416972e7ff0c70bae3cfe6fb5d4226f60f6023889fda39c0f |
C:\Windows\rss\csrss.exe
| MD5 | aeaef55e36e8d3a0614e3ba13f7f5306 |
| SHA1 | 9aa7faf649ff4254899e152be2e3a7ffc7857105 |
| SHA256 | 12e17f1943f7df27d07d8b73aedd3774cde829ccb3619a60de7878d8c9136a3a |
| SHA512 | 0111b6911dd670f340f6d3f1903823eebee2bc60e23f806d15f017c01cf44c36dd58429362276b78b837f270427c93ff2f614750e1d9a47044337d9c9b0e36cc |
C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe
| MD5 | fa09deca29c8def396ad17def1f710c2 |
| SHA1 | f1e4666e4af21b6bb582f78ebb2a906e07b8c00a |
| SHA256 | 4ad7baa7a04d0b7bef58f04306b8d3169cce563d78faeea6e52863cb7ccacec8 |
| SHA512 | 4a21d5398e6741d2bd223a0bd44fd97b8f5a4f704828e76570fe27b5307b4496252b78ace3d7f051212ae0a8fb9388c769b4d2175f40c653db6d2d5767661667 |
C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe
| MD5 | 1cd875544d51cdd655b372af893d6e03 |
| SHA1 | 22285b2b0df7560bf7537ff949c95a3dc1133487 |
| SHA256 | d890bb3b35496f1afedb0b4c70c6483754cb39cd5e827f3cd7eaa94768a799c5 |