Malware Analysis Report

2025-01-22 08:35

Sample ID 241027-r1xa6swpaz
Target ExLoader_Installer.exe
SHA256 07f61f7c87bdeacfe34388001489136c563f55891d1a7e4481048b0e26e888a4
Tags
discovery execution spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

07f61f7c87bdeacfe34388001489136c563f55891d1a7e4481048b0e26e888a4

Threat Level: Likely malicious

The file ExLoader_Installer.exe was found to be: Likely malicious.

What the two detonations support: on win7 (behavioral1) only the self-extraction ran and no network activity was recorded. On win10 (behavioral2) the sample behaves as a WinRAR self-extractor (the inner copy runs from Temp\RarSFX0) that writes a Flutter application to C:\Program Files\ExLoader, creates a desktop shortcut through PowerShell, and launches an Opera installer from Temp (OperaSetup.exe --silent --allusers=0, with --setdefaultbrowser=1, --pintotaskbar=1 and --run-at-startup=1 on the inner setup.exe). The language check, the drive enumeration and the certificate-store writes in the signatures are attributed to the Opera installer processes, while the Geo\Nation lookup is by ExLoader_Installer.exe. The WriteProcessMemory rows show ExLoader.exe (PID 376) spawning the second PowerShell instance, which by process order is the one running (gwmi Win32_BaseBoard), a common hardware-ID fingerprint; the network log records TLS connections to data.exloader.net, api.ipify.org, ipapi.co, raw.githubusercontent.com and cloudflare.com without process attribution. Two caveats before relying on the tags: the "Reads user/profile data of web browsers" signature, which drives the spyware/stealer tags, carries no indicator rows in this report; and the certificate write goes to the AuthRoot store, which Windows' automatic root update also populates when a chain needs a root not yet cached, so compare the thumbprint against Microsoft's trusted root list before treating it as a planted root.

Malicious Activity Summary

discovery execution spyware stealer

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates connected drives

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 14:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 14:40

Reported

2024-10-27 14:42

Platform

win7-20241023-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

MD5 b51f61c70894e92875d5530d0f553067
SHA1 6cfe241ad503445443463faa5f869e0ec9cf0cb5
SHA256 0cb547550924bc73727d60885a82df098ead1eddb37f39b32dd46eac8e83db27
SHA512 e8ed6fa9f10dbad7cd7e420aecf655079cb04d59229b8c014eec2cdae545de16566f8c784786dbb98e2c12f3f3bcdbba2d78445fed14807ec154bea0ce653ccc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

MD5 d663c9eb379f0dfa6115dd1e669b761f
SHA1 fa9fea1bb8a0db94a1f6f9679cc7ef5acdbdc6bd
SHA256 4bd4bab764eadaa9da230407be3fa9c0522b2bbc3dae60593beb9a0984f35138
SHA512 c154b5c2975797d2faa33a31a2612cdd446a149144a7d055323a0c49acfb7cd8dfb815640d68c5de61ce471c6038ff3390d44a801f9dc970b573ef2ecc67f7d5

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 14:40

Reported

2024-10-27 14:42

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\arrow-down.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\cat.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\stars.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\api-ms-win-crt-time-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\audio\Fortnite_press.wav C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\alien.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\bank.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\selected-check.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\api-ms-win-core-rtlsupport-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\ExLoader.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\selected.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\api-ms-win-core-localization-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\checked.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\information.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\pause.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\resolved.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\api-ms-win-crt-math-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\translate-not-google.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\vcruntime140_1d.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\audio\Fortnite_hover.wav C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Warhammer.jpg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\favourite-add.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\library.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\shield-exclamation.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\folder.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\optical.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\libEGL.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\compressed_logos\installer_logo.ico C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\admin-panel.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\windows.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\media_kit_native_event_loop.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\user.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\api-ms-win-core-processthreads-l1-1-1.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\vccorlib140d.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\audio\Standard_hover.wav C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Anime.jpg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\collapse.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\day.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\safe-shield.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\api-ms-win-core-debug-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\api-ms-win-core-processthreads-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\audio\Steam_press.wav C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\SummerStart.jpg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\fonts\NoirPro-Medium.otf C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\simple.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\api-ms-win-core-datetime-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\NewYear.jpg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\fonts\NoirPro-SemiBold.otf C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\logo.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\resume.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\msvcp140_2.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\audio\Steam_hover.wav C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\calendar.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\geo.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\space.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\d3dcompiler_47.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\api-ms-win-core-synch-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\vcruntime140d.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\compressed_logos\halloween.ico C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\checkmark.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\directory.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\puffer-fish.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\window-minimize.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Fallguys_v1.jpg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
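The table above lists every file the installer wrote under C:\Program Files\ExLoader, but most rows are Flutter UI assets. The script below is an added example (not part of the sandbox report, and not ExLoader's own code) that parses rows in the report's flattened layout and separates the executable surface (EXE/DLL files, grouped by install subdirectory) from assets, and flags debug builds of the Microsoft C runtime. The row sample is a constructed subset of the table above; INSTALL_ROOT and the debug-runtime pattern are this example's own assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample input: a subset of the "Drops file in Program Files directory"
# rows above, copied verbatim. Layout is
#   File opened for modification <dropped path> <writing process> N/A
# and both paths contain spaces, so the parser anchors on the "C:\" prefixes.
DROP_ROWS = r"""
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\arrow-down.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\api-ms-win-crt-time-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\audio\Fortnite_press.wav C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\ExLoader.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\vcruntime140_1d.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\libEGL.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\media_kit_native_event_loop.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\vccorlib140d.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\fonts\NoirPro-Medium.otf C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\msvcp140_2.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\d3dcompiler_47.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\vcruntime140d.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Fallguys_v1.jpg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
"""

INSTALL_ROOT = r"C:\Program Files\ExLoader"  # assumption: install root seen in the rows
ROW_RE = re.compile(r"^File opened for modification (C:\\.+?) (C:\\.+) N/A$")
EXEC_EXT = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr"}
# Debug builds of the Microsoft C/C++ runtime carry a 'd' suffix (vcruntime140d.dll,
# vccorlib140d.dll, vcruntime140_1d.dll). They ship with Visual Studio, not with the
# redistributable, so their presence marks a debug build of the component using them.
DEBUG_CRT = re.compile(r"(?:vcruntime|msvcp|vccorlib|ucrtbase|msvcr)\d*(?:_\d+)?d\.dll", re.I)

def parse_drop_rows(text):
    """Return a list of (dropped_path, writing_process) tuples."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groups())
    return rows

def classify(rows, install_root=INSTALL_ROOT):
    """Count files by extension and by top-level install subdirectory, list the
    executable surface, flag debug CRT DLLs, and collect the writing processes."""
    root = PureWindowsPath(install_root)
    by_ext, by_dir = Counter(), Counter()
    executables, debug_runtimes, writers = [], [], set()
    for dropped, writer in rows:
        p = PureWindowsPath(dropped)
        writers.add(writer)
        by_ext[p.suffix.lower()] += 1
        try:
            rel = p.relative_to(root)
            by_dir[rel.parts[0] if len(rel.parts) > 1 else "."] += 1
        except ValueError:  # written somewhere other than the install root
            by_dir[str(p.parent)] += 1
        if p.suffix.lower() in EXEC_EXT:
            executables.append(str(p))
        if DEBUG_CRT.fullmatch(p.name):
            debug_runtimes.append(p.name)
    return {
        "by_ext": dict(by_ext),
        "by_dir": dict(by_dir),
        "executables": executables,
        "debug_runtimes": debug_runtimes,
        "writers": writers,
    }

if __name__ == "__main__":
    result = classify(parse_drop_rows(DROP_ROWS))
    print("by directory:", result["by_dir"])
    print("executable surface:", len(result["executables"]), "files")
    print("debug CRT DLLs:", result["debug_runtimes"])
```

On the full table the same split holds: the code that actually executes is ExLoader.exe, the media_kit DLLs (including the debug runtimes vcruntime140d.dll, vccorlib140d.dll and vcruntime140_1d.dll) and d3dcompiler_47.dll; everything under data\flutter_assets is images, fonts, icons and audio.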

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2808 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
PID 2808 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
PID 4808 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 4808 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 4808 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe C:\Program Files\ExLoader\ExLoader.exe
PID 4808 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe C:\Program Files\ExLoader\ExLoader.exe
PID 4808 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
PID 4808 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
PID 4808 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
PID 4316 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 4316 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 4316 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 3616 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 3616 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 3616 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 3616 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
PID 3616 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
PID 3616 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
PID 3616 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 3616 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 3616 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 2840 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 2840 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 2840 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 3616 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe
PID 3616 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe
PID 3616 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe
PID 3616 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe
PID 3616 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe
PID 3616 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe
PID 1740 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe
PID 1740 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe
PID 1740 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe
PID 376 wrote to memory of 4476 N/A C:\Program Files\ExLoader\ExLoader.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 376 wrote to memory of 4476 N/A C:\Program Files\ExLoader\ExLoader.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
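The WriteProcessMemory rows above are the only place in this report that records which process started which, so they are what an analyst reconstructs the process tree from. The script below is an added example (not part of the sandbox report, and not tooling from the sandbox vendor) that parses rows in the report's flattened layout, collapses the repeated entries the sandbox logs per write, and prints the tree together with the parents that spawned PowerShell. The row sample is a constructed copy of the table above; the assumption that a PID with no recorded parent is a root of the tree is this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: rows copied from the "Suspicious use of WriteProcessMemory"
# table of the behavioral2 analysis above. The sandbox logs one row per write, so the
# same parent/child pair can appear several times and is collapsed to a single edge.
WPM_ROWS = r"""
PID 2808 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
PID 2808 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
PID 4808 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 4808 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe C:\Program Files\ExLoader\ExLoader.exe
PID 4808 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
PID 4316 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 3616 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 3616 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
PID 3616 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 2840 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe
PID 3616 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe
PID 3616 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe
PID 1740 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe
PID 376 wrote to memory of 4476 N/A C:\Program Files\ExLoader\ExLoader.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
"""

# Column layout is "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
# Image paths may contain spaces, so the split anchors on the "C:\" drive prefix.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")

def parse_wpm_rows(text):
    """Return (images, edges): pid -> image path, and the set of (parent, child) pairs."""
    images, edges = {}, set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        src, dst, src_img, dst_img = m.groups()
        images.setdefault(int(src), src_img)
        images.setdefault(int(dst), dst_img)
        edges.add((int(src), int(dst)))
    return images, edges

def build_tree(edges):
    """Return (roots, children, parents). A pid with no recorded parent is a root."""
    children, parents = defaultdict(list), {}
    for parent, child in sorted(edges):
        children[parent].append(child)
        parents[child] = parent
    roots = sorted(p for p in children if p not in parents)
    return roots, children, parents

def depth(pid, parents):
    """Number of edges between pid and its root."""
    d = 0
    while pid in parents:
        pid = parents[pid]
        d += 1
    return d

def render(pid, images, children, indent=0):
    """Indented one-line-per-process view, depth first."""
    lines = [f"{'  ' * indent}{pid}  {images[pid]}"]
    for child in children.get(pid, []):
        lines.extend(render(child, images, children, indent + 1))
    return lines

def interpreter_spawns(images, edges):
    """(parent, child) pairs whose child is PowerShell: these are the command lines to
    pull from the Processes section and attribute to the parent that issued them."""
    return sorted((p, c) for p, c in edges
                  if images[c].lower().endswith("\\powershell.exe"))

if __name__ == "__main__":
    images, edges = parse_wpm_rows(WPM_ROWS)
    roots, children, parents = build_tree(edges)
    for root in roots:
        print("\n".join(render(root, images, children)))
    print("PowerShell spawned by:", [images[p] for p, _ in interpreter_spawns(images, edges)])
```

Run against the rows above this yields a single tree rooted at the submitted sample (PID 2808), with the Opera installer chain hanging off the RarSFX0 copy and two PowerShell children: one from the RarSFX0 installer (PID 4808) and one from the installed ExLoader.exe (PID 376). Matching those two parents against the Processes section below is how the shortcut-creation command and the (gwmi Win32_BaseBoard) command are attributed.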

Processes

C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command "$WshShell = New-Object -comObject WScript.Shell $Shortcut = $WshShell.CreateShortcut(\"c:\users\admin\desktop\ExLoader.lnk\") $Shortcut.TargetPath = \"C:\Program Files\ExLoader\ExLoader.exe\" $Shortcut.Save()"

C:\Program Files\ExLoader\ExLoader.exe

"C:\Program Files\ExLoader\ExLoader.exe" -deletePreviousExLoader

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe --silent --allusers=0 --server-tracking-blob=[blob data elided]

C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.115 --initial-client-data=0x32c,0x330,0x334,0x304,0x338,0x74adfb14,0x74adfb20,0x74adfb2c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version

C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3616 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241027144121" --session-guid=a3b01f07-fbd4-45bc-9863-d783e463220d --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=E805000000000000

C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD069478\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.115 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x72ebfb14,0x72ebfb20,0x72ebfb2c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7c17a0,0x7c17ac,0x7c17b8

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command (gwmi Win32_BaseBoard)

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140_1.dll

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msvcp140.dll

memory/4808-654-0x000001509DB10000-0x000001509DB11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\app.so

memory/4808-655-0x00000150A15A0000-0x00000150A2331000-memory.dmp

memory/4808-658-0x000001509DB20000-0x000001509DB21000-memory.dmp

memory/4808-656-0x00000150A15A0000-0x00000150A2331000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\icudtl.dat

memory/4808-657-0x00000150A15A0000-0x00000150A2331000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json

C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Bold.otf

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\close.svg

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\window-minimize.svg

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\cloud-off.svg

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Medium.otf

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Regular.otf

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-SemiBold.otf

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Light.otf

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\images\grain.png

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\backgrounds\Ori%20and%20the%20Blind%20Forest.jpg

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\folder.svg

C:\Program Files\ExLoader\ExLoader.zip

memory/3528-981-0x0000018FE4D90000-0x0000018FE4DB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zp3sjk5o.lp1.ps1

C:\Program Files\ExLoader\ExLoader.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\fonts\MaterialIcons-Regular.otf

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\arrow-right.svg

memory/376-1012-0x0000017F7B960000-0x0000017F7B961000-memory.dmp

C:\Program Files\ExLoader\data\app.so

memory/376-1016-0x0000017F7B970000-0x0000017F7B971000-memory.dmp

memory/376-1014-0x0000017F7DBC0000-0x0000017F7E9C9000-memory.dmp

memory/376-1015-0x0000017F7DBC0000-0x0000017F7E9C9000-memory.dmp

memory/376-1013-0x0000017F7DBC0000-0x0000017F7E9C9000-memory.dmp

C:\Program Files\ExLoader\media_kit\permission_handler_windows_plugin.dll

C:\Program Files\ExLoader\media_kit\url_launcher_windows_plugin.dll

C:\Program Files\ExLoader\media_kit\media_kit_native_event_loop.dll

C:\Program Files\ExLoader\media_kit\screen_brightness_windows_plugin.dll

C:\Program Files\ExLoader\media_kit\libmpv-2.dll

C:\Program Files\ExLoader\media_kit\libGLESv2.dll

C:\Program Files\ExLoader\media_kit\libEGL.dll

C:\Program Files\ExLoader\media_kit\media_kit_video_plugin.dll

C:\Program Files\ExLoader\media_kit\media_kit_libs_windows_video_plugin.dll

C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\shared_preferences.json

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410271441202453664.dll

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

memory/376-1100-0x00007FFC19A70000-0x00007FFC1BB78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410271441211\additional_file0.tmp

C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\shared_preferences.json

memory/376-1207-0x00007FFC19A70000-0x00007FFC1BB78000-memory.dmp