Malware Analysis Report

2025-01-18 04:10

Sample ID 241104-afag8syblf
Target Fps unlocker.exe
SHA256 b70c5aea64d75fc98a82b3c88cfecc6c2856f2a4987f4c1212c3fcf866ec9c9f
Tags
office04 quasar discovery spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b70c5aea64d75fc98a82b3c88cfecc6c2856f2a4987f4c1212c3fcf866ec9c9f

Threat Level: Known bad

The file Fps unlocker.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar discovery spyware stealer trojan

Quasar family

Quasar payload

Quasar RAT

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Enumerates connected drives

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 00:08

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 00:08

Reported

2024-11-04 00:27

Platform

win10ltsc2021-20241023-en

Max time kernel

931s

Max time network

1055s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fps unlocker.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VFe4aoc8D200.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Fps unlocker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4272 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Fps unlocker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4272 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Fps unlocker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4272 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\Fps unlocker.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4272 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\Fps unlocker.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4680 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4680 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4680 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Users\Admin\AppData\Local\Temp\VFe4aoc8D200.exe
PID 4680 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Users\Admin\AppData\Local\Temp\VFe4aoc8D200.exe
PID 4680 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Users\Admin\AppData\Local\Temp\VFe4aoc8D200.exe
PID 2168 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\VFe4aoc8D200.exe C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe
PID 2168 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\VFe4aoc8D200.exe C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe
PID 2168 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\VFe4aoc8D200.exe C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe
PID 112 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe
PID 112 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe
PID 112 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe
PID 112 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
PID 112 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
PID 112 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
PID 112 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
PID 112 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
PID 112 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
PID 112 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe
PID 112 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe
PID 112 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe
PID 2488 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe
PID 2488 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe
PID 2488 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Fps unlocker.exe

"C:\Users\Admin\AppData\Local\Temp\Fps unlocker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\PopFormat.dotm"

C:\Users\Admin\AppData\Local\Temp\VFe4aoc8D200.exe

"C:\Users\Admin\AppData\Local\Temp\VFe4aoc8D200.exe"

C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe --server-tracking-blob=

C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=113.0.5230.75 --initial-client-data=0x310,0x314,0x33c,0x318,0x340,0x745d1864,0x745d1870,0x745d187c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x7b4f48,0x7b4f58,0x7b4f64

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 Inversin-43597.portmap.host udp
DE 193.161.193.99:43597 Inversin-43597.portmap.host tcp
US 8.8.8.8:53 ipwho.is udp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 193.161.193.99:43597 Inversin-43597.portmap.host tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 51.140.242.104:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 104.242.140.51.in-addr.arpa udp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.63.31:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.20.12.95:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 31.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 api.config.opr.gg udp
NL 82.145.216.16:443 features.opera-api2.com tcp
US 104.18.25.17:443 api.config.opr.gg tcp
US 8.8.8.8:53 20.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.212.227:80 c.pki.goog tcp
US 8.8.8.8:53 download.opera.com udp
NL 185.26.182.122:443 download.opera.com tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 2.19.161.34:443 download3.operacdn.com tcp
US 8.8.8.8:53 17.25.18.104.in-addr.arpa udp
US 8.8.8.8:53 16.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 227.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 122.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 34.161.19.2.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 download5.operacdn.com udp
US 104.18.11.89:443 download5.operacdn.com tcp
US 8.8.8.8:53 89.11.18.104.in-addr.arpa udp

Files

memory/4272-0-0x00007FFD70443000-0x00007FFD70445000-memory.dmp

memory/4272-1-0x0000000000890000-0x0000000000BB4000-memory.dmp

memory/4272-2-0x00007FFD70440000-0x00007FFD70F02000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 bf656c2e5e1e942c41fa918132faa7ab
SHA1 1c2ddd815378e54db9e21dd2e61d89067c94da4f
SHA256 b70c5aea64d75fc98a82b3c88cfecc6c2856f2a4987f4c1212c3fcf866ec9c9f
SHA512 54bef34ab722d69f1d3b7f5316f1fbc10fc629bb134f70eecb6a368330b7b73305ef5fa0b9e83c104e6e679ccd1d6e7f5a20caf4f39e6b03d4940b4ed9540b7d

memory/4680-5-0x00007FFD70440000-0x00007FFD70F02000-memory.dmp

memory/4272-6-0x00007FFD70440000-0x00007FFD70F02000-memory.dmp

memory/4680-7-0x00007FFD70440000-0x00007FFD70F02000-memory.dmp

memory/4680-8-0x000000001C910000-0x000000001C960000-memory.dmp

memory/4680-9-0x000000001CA20000-0x000000001CAD2000-memory.dmp

memory/4680-12-0x000000001C960000-0x000000001C972000-memory.dmp

memory/4680-13-0x000000001C9C0000-0x000000001C9FC000-memory.dmp

memory/4680-14-0x00007FFD70440000-0x00007FFD70F02000-memory.dmp

memory/4680-15-0x00007FFD70440000-0x00007FFD70F02000-memory.dmp

memory/3812-16-0x00007FFD4E950000-0x00007FFD4E960000-memory.dmp

memory/3812-17-0x00007FFD4E950000-0x00007FFD4E960000-memory.dmp

memory/3812-18-0x00007FFD4E950000-0x00007FFD4E960000-memory.dmp

memory/3812-19-0x00007FFD4E950000-0x00007FFD4E960000-memory.dmp

memory/3812-20-0x00007FFD4E950000-0x00007FFD4E960000-memory.dmp

memory/3812-21-0x00007FFD4BFE0000-0x00007FFD4BFF0000-memory.dmp

memory/3812-22-0x00007FFD4BFE0000-0x00007FFD4BFF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDF251.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

memory/3812-526-0x00007FFD4E950000-0x00007FFD4E960000-memory.dmp

memory/3812-525-0x00007FFD4E950000-0x00007FFD4E960000-memory.dmp

memory/3812-524-0x00007FFD4E950000-0x00007FFD4E960000-memory.dmp

memory/3812-523-0x00007FFD4E950000-0x00007FFD4E960000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VFe4aoc8D200.exe

MD5 450ad48d0614d3a31773f79809bf19b4
SHA1 57402d30b0791aaee6d9e84d58eda7379a75cabf
SHA256 722a7b694b0367ead69eb07f2b204a67b477753fc195cddf221348182f9fddfe
SHA512 c57283e05d9e7bcdf623995810be623056bb71a2b48c7e526e681da584dec480a44ba8d779024c1c1858132ced2a6ac68ca8c80ff8a5f2ee90d4880062613b76

C:\Users\Admin\AppData\Local\Temp\7zS878F5345\setup.exe

MD5 eb798e91d503b97614756193e195a7b1
SHA1 06367f70a0b4c6de9e208c419beb84fa10c0eeef
SHA256 406b5edbd94bc38ce345d3c0f34b6b5fcd0405bd290a2ad0fd55c08b0695eed8
SHA512 5738431f355f599e88ec8b603f692a23a779ef41183ee1ebad3f7c81a9296a3df626d852cca1256791cc665d912f8f73c4ac00a15e4f96259c253290a40ba020

C:\Users\Admin\AppData\Local\Temp\Opera_installer_241104002438295112.dll

MD5 d9566efedb5ea286e12826594a40e623
SHA1 eba69b688be145e73103ec9587db22e072ee9fb5
SHA256 d09af4042577f9c1c72863df791b0114d25086cbf9fa3012b765157ddcbbdf33
SHA512 daa4adc5f254088d3b8d22d27b5af3d3663630017903f64377579cba46c0b8e4ffa427b7e51ccdc214e70ed835e2ff9ec2baf4a28a194a1c22dd2ee2abf653bb

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\additional_file0.tmp

MD5 e9a2209b61f4be34f25069a6e54affea
SHA1 6368b0a81608c701b06b97aeff194ce88fd0e3c0
SHA256 e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f
SHA512 59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411040024401\assistant\assistant_installer.exe

MD5 4c8fbed0044da34ad25f781c3d117a66
SHA1 8dd93340e3d09de993c3bc12db82680a8e69d653
SHA256 afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a
SHA512 a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481

C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

MD5 71d292693513b24a16b34bef9be64a11
SHA1 bd2e963a8f4203f8fe9c3bf786e6b4bd22acd12b
SHA256 3b19d239f024ebd7597109f34173116b405d9be7a21fd9217775bf8f0b296390
SHA512 ffcede08b0c8040e3a86c8a30e0d65d8113edc048a497a12551eb4c58f30677d5ea13933d56874e133b8a48e6c47552706a725fa28d9bcff2d7a96f416ec1052