Malware Analysis Report

2025-03-15 04:20

Sample ID 241026-aj54batphp
Target EXORSIST_TOOL_Vesion_2.0.1_-_Copy.bat
SHA256 4ebcc702e38c0f6dc7ad52d13ff53f376dddf4dd1cdfbfa85443327f0231661b
Tags
discovery spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

4ebcc702e38c0f6dc7ad52d13ff53f376dddf4dd1cdfbfa85443327f0231661b

Threat Level: Likely malicious

The file EXORSIST_TOOL_Vesion_2.0.1_-_Copy.bat was found to be: Likely malicious.

Malicious Activity Summary

discovery spyware stealer

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 00:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 00:15

Reported

2024-10-26 00:18

Platform

win7-20240903-en

Max time kernel

145s

Max time network

117s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\EXORSIST_TOOL_Vesion_2.0.1_-_Copy.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2416 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2416 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2416 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1076 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1076 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1076 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2416 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2892 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2892 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2892 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2416 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\EXORSIST_TOOL_Vesion_2.0.1_-_Copy.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cscript //nologo temp.vbs

C:\Windows\system32\cscript.exe

cscript //nologo temp.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cscript //nologo temp.vbs

C:\Windows\system32\cscript.exe

cscript //nologo temp.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium-Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light-Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium-Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light-Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cscript.exe

cscript //nologo temp.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium-Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light-Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium-Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light-Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cscript.exe

cscript //nologo temp.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium-Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light-Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium-Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light-Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cscript.exe

cscript //nologo temp.vbs

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\temp.vbs

MD5 7bae6e6a1645b9209787794d2ed953e7
SHA1 de969410065fb5ffd46fdddc780b4d7c5102ac85
SHA256 c15c37f9ecbcdfcdc719cae2f01ff2b78e95f65b883369141ca6cd481e06f7fa
SHA512 275282f62686273cf7bdff93621328858ba6e1e5941b7de2ccb64858edf11ecea0d2d9e3bcbc3b2eff25adfe97cdfa561f7019ced033769910f197af5675d8ac

C:\Users\Admin\AppData\Local\Temp\temp.vbs

MD5 e5ca26ed2efd400bb1319626eadc99a0
SHA1 25c559ebdf3a492c05e120a2ad75efc9f9a5c4c7
SHA256 b8bf4092338515229da6c8876e994cda6e1399260b4be870ded3a737f6b42af8
SHA512 0ec591f8e81ea64eee866e6653a8ee6402d9bf27e50a75e3a2b371a3c57b8f48f1b3ab3c18f117635a5114e307b7e43d29d2ad5833abb37f50f7c54edfd70775

C:\Users\Admin\AppData\Local\Temp\temp.vbs

MD5 87af89d4af5901398792d0b2b282e545
SHA1 69d3e1d7836df841edc2bd0d22241cc9e62744de
SHA256 a76eebcbf17a9529b504d571159d2c5a7159d6bdb921e1c13a9c0e0a30409d82
SHA512 7f81fee722a7a121450455f7673b8fa4cdf9d9115dcc38f3b51b234684cac68011a041f1de8f62d641a5d55fa4f7ac4659adf0d861ada04bcc805e372e99e6d0

C:\Users\Admin\AppData\Local\Temp\temp.vbs

MD5 352d2073ed92bd9d618901967bef9788
SHA1 763f89dbc2627a7330cc33faa8b0dc2abc8e2b31
SHA256 31a82c8a853c05432cbbd5309be6da8f89e13f7fda3bc275bc92d9041536e100
SHA512 1357e86ba667ac4b3b81756ed7cb127a919e6a9b4ebc757cc66e51cec896084fe52bce87c6362a34a50df0153c3f53766f52edbe9e8d0b36cb76deb84f5afba8

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 00:15

Reported

2024-10-26 00:18

Platform

win10v2004-20241007-en

Max time kernel

180s

Max time network

182s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EXORSIST_TOOL_Vesion_2.0.1_-_Copy.bat"

Signatures

Downloads MZ/PE file

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Crashpad\metadata C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe N/A
File opened for modification C:\Program Files\Crashpad\settings.dat C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\OperaGXSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410260016461\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410260016461\assistant\assistant_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410260016461\assistant\assistant_installer.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133743753801380368" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4a
e5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4236 wrote to memory of 620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4236 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3940 wrote to memory of 4668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3940 wrote to memory of 4668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 4236 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3044 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3044 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 4236 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 3992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 3992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 3588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 3588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 5104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 5104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 3648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 3648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 4988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 4988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 1928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 1928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 2076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 2076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 4872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 4872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EXORSIST_TOOL_Vesion_2.0.1_-_Copy.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cscript //nologo temp.vbs

C:\Windows\system32\cscript.exe

cscript //nologo temp.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cscript //nologo temp.vbs

C:\Windows\system32\cscript.exe

cscript //nologo temp.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium-Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light-Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium-Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light-Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cscript.exe

cscript //nologo temp.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium-Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light-Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium-Dark Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light-Medium Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Blue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Light Cyan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p="" :: Reset color to default"

C:\Windows\system32\cscript.exe

cscript //nologo temp.vbs

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb683ecc40,0x7ffb683ecc4c,0x7ffb683ecc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1836 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2204,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2376 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3272,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3400 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4440,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3828 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4844,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4988,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3728 /prefetch:8

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff667a94698,0x7ff667a946a4,0x7ff667a946b0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4520,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5216 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3568,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3572 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5384,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5428 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5680,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5696 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5908,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3536 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5380,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6060 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6084,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6032 /prefetch:8

C:\Users\Admin\Downloads\OperaGXSetup.exe

"C:\Users\Admin\Downloads\OperaGXSetup.exe"

C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe --server-tracking-blob=NWNiMWY0YzYxNzZhMDUwMjJlZTdlMjY4ZjhhODUzNTkxZjgxNGFmZGJhNGE1MGY4ZjRlMjljZjQ0NDg0OWYxZjp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/dXRtX3NvdXJjZT1nb29nbGUmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249T0dYX0dCX1NlYXJjaF9FTl9UMV9WMiZ1dG1fY29udGVudD02MzQzMjcwMTgyMDQmdXRtX2lkPUVBSWFJUW9iQ2hNSTN2LXpxdUtxaVFNVkdvRlFCaDFPZ1MwQkVBQVlBU0FBRWdMcTB2RF9Cd0UmaHR0cF9yZWZlcnJlcj1odHRwcyUzQSUyRiUyRnd3dy5vcGVyYS5jb20lMkZneCUyRmd4LWJyb3dzZXIlM0Z1dG1faWQlM0RFQUlhSVFvYkNoTUkzdi16cXVLcWlRTVZHb0ZRQmgxT2dTMEJFQUFZQVNBQUVnTHEwdkRfQndFJTI2dXRtX21lZGl1bSUzRHBhJTI2dXRtX3NvdXJjZSUzRGdvb2dsZSUyNnV0bV9jYW1wYWlnbiUzRE9HWF9HQl9TZWFyY2hfRU5fVDFfVjIlMjZ1dG1fY29udGVudCUzRDYzNDMyNzAxODIwNCUyNmdhZF9zb3VyY2UlM0QxJTI2Z2NsaWQlM0RFQUlhSVFvYkNoTUkzdi16cXVLcWlRTVZHb0ZRQmgxT2dTMEJFQUFZQVNBQUVnTHEwdkRfQndFJnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGZ3gtYnJvd3NlciZ1dG1faWQ9RUFJYUlRb2JDaE1JM3YtenF1S3FpUU1WR29GUUJoMU9nUzBCRUFBWUFTQUFFZ0xxMHZEX0J3RSZkbF90b2tlbj0xMjE3OTA1MiIsInRpbWVzdGFtcCI6IjE3Mjk5MDE3OTkuMTQ1MCIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjMuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Ik9HWF9HQl9TZWFyY2hfRU5fVDFfVjIiLCJjb250ZW50IjoiNjM0MzI3MDE4MjA0IiwiaWQiOiJFQUlhSVFvYkNoTUkzdi16cXVLcWlRTVZHb0ZRQmgxT2dTMEJFQUFZQVNBQUVnTHEwdkRfQndFIiwibGFzdHBhZ2UiOiJvcGVyYS5jb20vZ3gtYnJvd3NlciIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6Imdvb2dsZSJ9LCJ1dWlkIjoiMTFjOWQ3NmYtMmQ3ZC00NDE1LThkMTMtOWY3YzBkZWUwMTFiIn0=

C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.123 --initial-client-data=0x340,0x344,0x348,0x30c,0x34c,0x74618c5c,0x74618c68,0x74618c74

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version

C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=3964 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241026001646" --session-guid=9b28e66e-bf97-4438-8561-28c41a16325f --server-tracking-blob=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 --desktopshortcut=1 --wait-for-package --initial-proc-handle=3409000000000000

C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.123 --initial-client-data=0x328,0x32c,0x330,0x304,0x334,0x71e68c5c,0x71e68c68,0x71e68c74

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410260016461\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410260016461\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410260016461\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410260016461\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410260016461\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410260016461\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x504f48,0x504f58,0x504f64

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3352,i,10538514406117971467,5210629986078002979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3904 /prefetch:8

Network


Files

C:\Users\Admin\AppData\Local\Temp\temp.vbs

C:\Users\Admin\AppData\Local\Temp\temp.vbs

C:\Users\Admin\AppData\Local\Temp\temp.vbs

\??\pipe\crashpad_1624_YJIKERSIDOZCHYIA

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6285e9e6-4607-4e33-a6ca-5a837e0360d6.tmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\Downloads\OperaGXSetup.exe

C:\Users\Admin\AppData\Local\Temp\7zS47D733A8\setup.exe

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410260016457963964.dll

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410260016461\additional_file0.tmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202410260016461\assistant\assistant_installer.exe

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\105208e5-1d2b-4894-9d80-69c1c8b19e0e.tmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
