Malware Analysis Report

2025-08-05 23:32

Sample ID: 250119-xwyw4aslan
Target: ExLoader_Installer.exe
SHA256: c8b7de3ce429150617f25529aa436d28497b642925b7ea384c30f529ce8bc23b
Tags: discovery execution spyware stealer
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file ExLoader_Installer.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery execution spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-01-19 19:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-19 19:12
Reported: 2025-01-19 19:16
Platform: win11-20241007-en
Max time kernel: 131s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
N/A N/A C:\Program Files\ExLoader\ExLoader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe N/A
N/A N/A C:\Program Files\ExLoader\guaranteeslimitgive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501191915241\assistant\assistant_installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ipapi.co N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\translate.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\compressed_logos\space.ico C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\neuronet.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\selected-anixart.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\settings.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\api-ms-win-crt-filesystem-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\media_kit_native_event_loop.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\audio\Steam_hover.wav C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\circular-divider.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\SpaceDay.jpg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\chevron-down.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\optical.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\search-alternative.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\selected.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\url_launcher_windows_plugin.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File created C:\Program Files\ExLoader\ExLoader.zip C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\audio\CSGO_hover.wav C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\plus.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\star-border.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\tick.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\shaders\ink_sparkle.frag C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\api-ms-win-core-fibers-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\media_kit_libs_windows_video_plugin.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\audio\AbominationPissed_RU.wav C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Warhammer.jpg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\ucrtbased.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\puffer-fish.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\upload-sharp.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\images\snow.webp C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\api-ms-win-core-processthreads-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\LoveDay.jpg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\chart-bar-alt.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\sort.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\concrt140.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\msvcp140_atomic_wait.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\FontManifest.json C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\close-circle.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\CatsDay.jpg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\unavailable.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\folder.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File created C:\Program Files\ExLoader\9ea669ec C:\Program Files\ExLoader\ExLoader.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\JokeDay.jpg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Warcraft.jpg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\add.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\moon.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\fonts\NoirPro-Regular.otf C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\favourite-added.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\trash-bin.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\day.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\store.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\edit.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\mask.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\vccorlib140d.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\audio\Standard_hover.wav C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\download.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\keyboard-properties.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\windows.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\images\snow_alternative.webp C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\God%20of%20War.jpg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\gamepad.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\images\fabric_first.png C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\api-ms-win-core-file-l2-1-0.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\media_kit\msvcp140_1.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
File opened for modification C:\Program Files\ExLoader\data\flutter_assets\resources\icons\cat.svg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501191915241\assistant\Assistant_116.0.5366.21_Setup.exe_sfx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501191915241\assistant\assistant_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Key created \Registry\User\S-1-5-21-556537508-2730415644-482548075-1000_Classes\NotificationData C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1604 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
PID 1948 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1948 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe C:\Program Files\ExLoader\ExLoader.exe
PID 1948 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
PID 4260 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe
PID 2392 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe
PID 2392 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
PID 2392 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe
PID 4672 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe
PID 2880 wrote to memory of 4500 N/A C:\Program Files\ExLoader\ExLoader.exe C:\Program Files\ExLoader\guaranteeslimitgive.exe
PID 2392 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501191915241\assistant\Assistant_116.0.5366.21_Setup.exe_sfx.exe
PID 2392 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501191915241\assistant\assistant_installer.exe
PID 348 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501191915241\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501191915241\assistant\assistant_installer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command "$WshShell = New-Object -comObject WScript.Shell $Shortcut = $WshShell.CreateShortcut(\"c:\users\admin\desktop\ExLoader.lnk\") $Shortcut.TargetPath = \"C:\Program Files\ExLoader\ExLoader.exe\" $Shortcut.Save()"

C:\Program Files\ExLoader\ExLoader.exe

"C:\Program Files\ExLoader\ExLoader.exe" -deletePreviousExLoader

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe --silent --allusers=0 --server-tracking-blob=YzA2OTBiYmViOTEzNGM3NjhmMmNiN2EyYjZmZWRjYmJlMTkwNmVmOTBhYTQxMDM3MjlhYmZmMGEzOWNkZDQ3OTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1PRlQmdXRtX2NhbXBhaWduPU5FV19fMTgyMjZhIiwidGltZXN0YW1wIjoiMTczNzMxNDEyMi42ODkxIiwidXNlcmFnZW50IjoiRGFydC8zLjUgKGRhcnQ6aW8pIiwidXRtIjp7ImNhbXBhaWduIjoiTkVXX18xODIyNmEiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJPRlQifSwidXVpZCI6IjdlOTg5ZWMzLTExNDYtNDMwYS05OTg5LWRjYTY1Yzg1NDY5NCJ9

C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=116.0.5366.35 --initial-client-data=0x338,0x33c,0x340,0x30c,0x344,0x749dcf0c,0x749dcf18,0x749dcf24

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version

C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe" --backend --install --import-browser-data=0 --enable-crash-reporting=1 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2392 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20250119191524" --session-guid=3a7e2238-73b8-4d11-970d-2c8da320e525 --server-tracking-blob="…" --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=FC05000000000000

C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS4A04D469\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=116.0.5366.35 --initial-client-data=0x328,0x32c,0x330,0x304,0x334,0x7293cf0c,0x7293cf18,0x7293cf24

C:\Program Files\ExLoader\guaranteeslimitgive.exe

"C:\Program Files\ExLoader\guaranteeslimitgive.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501191915241\assistant\Assistant_116.0.5366.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501191915241\assistant\Assistant_116.0.5366.21_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501191915241\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501191915241\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501191915241\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501191915241\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=116.0.5366.21 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x670ac4,0x670ad0,0x670adc

Network


Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

MD5 1156779d6a1fe7eca6f4f70b7e159280
SHA1 df0058c5e0b2b6696d25e49cad5511a9d5fd9f08
SHA256 bab846b6030449f4c37af32c8119ffe595b5a3d0d924d5e99370dd059bac2767
SHA512 addd3a223a48697d9ea9d1e8ade91c70221c71dba64aa6c30877501acf17ab079d49d48fd7cab614df52b0f73eee771974ac64ca8e7a0c1f930a035e0fa7c2b9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

MD5 225782e5d02f400a76b8fabe8a6f5cd1
SHA1 e54ef4f664a250808749be2ea9870607c20ace31
SHA256 b66713715a7aeaa2f88ba18838aa7c245556eaaeb31c82da3f5aebcb71a7715e
SHA512 9e88489361b36970a982329184b7afa9ef403ca86830427c60397e49522e5d38fc652ce4b65e79c54583a50ffee83fb138a02d638e015c9ff53e56164556be76

C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll

MD5 eb49c1d33b41eb49dfed58aafa9b9a8f
SHA1 61786eb9f3f996d85a5f5eea4c555093dd0daab6
SHA256 6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e
SHA512 d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll

MD5 e9b690fbe5c4b96871214379659dd928
SHA1 c199a4beac341abc218257080b741ada0fadecaf
SHA256 a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8
SHA512 00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

memory/1948-654-0x00000174DFFE0000-0x00000174DFFE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\app.so

MD5 c2f599ae1b79da8db01b4c4501899d2a
SHA1 19865301d8a408aa003c0a133bac47951b9fdac8
SHA256 8ceb7f683d61427f9109f58719837bbe5ac599681e723c47a62f21c557e13475
SHA512 752e863162b4602453427ce2bb2feb55d6ff6a42350f34265f0f0ecda6401b5d403700ad47d3740da19dcbd6824188cd788c5b1a8834c27cb72917bdb054bdc6

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msvcp140.dll

MD5 c3d497b0afef4bd7e09c7559e1c75b05
SHA1 295998a6455cc230da9517408f59569ea4ed7b02
SHA256 1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98
SHA512 d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

memory/1948-656-0x00000174E24B0000-0x00000174E3281000-memory.dmp

memory/1948-658-0x00000174DFFF0000-0x00000174DFFF1000-memory.dmp

memory/1948-655-0x00000174E24B0000-0x00000174E3281000-memory.dmp

memory/1948-657-0x00000174E24B0000-0x00000174E3281000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\icudtl.dat

MD5 692337664e861ad322138061132dddc6
SHA1 8a99bc860eda0772f3b1f4a125fa4d474410e21c
SHA256 c12537022ef818991a7bfed41a76d8d6ae962ffbc0e6511ac762a5d0845e7f7c
SHA512 3e2e6adb651e37e530734f999634d7c101fa1c45ae380be8ad169bbfb0a047f2878ff6c8d1428d6b9e7301b447ab2f8839484322ddb3831984be71d442829a55

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json

MD5 fb1230bb41c3c1290008b9e44059dd39
SHA1 66493d0f8a6a112d8376cd296b05c277b111dca1
SHA256 2429b610ba9010211d18626d311d3dea7274473c2dd50fae833ed739b67b1292
SHA512 d5ae9b9124a7c7f8c3d04c4750459c9bc620e3aeb84f5d56a64308eb9b343d4fb62f8b3e03210e04ad90b91bbbb35dd1a56148d06dbcc0872f99e9b1b9d37c7c

C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

MD5 f64fb0f46eaee310cec2a928294b44c8
SHA1 50f321398653d1c9ebfe2816b605583edc3633fd
SHA256 067c35e9beaa8893348a8997cea283e47e5c8bfdb3f3b17f864c962a06d2ed70
SHA512 91246223966f5d7d48d4071180239077efbfbb834b63048682ca7e917338d8d24151062a7c4c3103510266510b50805c970cf8799a8e69be162395d407c439ef

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Light.otf

MD5 d10d77b03ba3abe6ccc1c142d9852595
SHA1 6108edf0cfb3d5f25e3c593949c301c5c2aa5f25
SHA256 3c9ef459625f995c62b993b64da299204b741e153ba8e6d988463aaa86b1aa44
SHA512 71c4fc3b6f43b4125c5ea5ae09297d72446de81ffc2928fee33aef386754e60dab11cc170c4d6689dd6eeac451f2a57b9d3372278f750dca6ed39ec82fcf9368

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Regular.otf

MD5 d969db6adb881f1dfa91a5b7ec0154d9
SHA1 d7b44b20eb246b0ff5c41147c0d0fb96fde47c48
SHA256 c7fc6d9f2ff611073fa09a6c61a8c086da0ebe8da841a9f4ec4087a3e9b52152
SHA512 2a225a8c12b46aa14e14dd547c6a55c80aef6bfe8cc791dcf60a14ef91994eddc4dec473d856f7c2446d62a41d017d256b64b603d87ae45e75fdeb2230deb5b2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Medium.otf

MD5 df63e8855d04ab0e25d2bb6a0b1fabfb
SHA1 5512dc285f36cdf7da5ba5eabaca128ca3442537
SHA256 a728e91375dcadbdf6ef6d7e3cd0bbf5c56fb992d5b1be6640b83214c9d015ed
SHA512 eba8afd3289089841e4eda4abd992c2e2020d18d44741733b5a51a2a1e0c0982ffd9da187aa56ba3b891bc259398ec156e08e45265f7218e87eb914794ca69d6

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-SemiBold.otf

MD5 5177edfb54762b59df676052d11b363d
SHA1 fa18815bf4914b93d587c2758b65e234ad51b38b
SHA256 50000ce2f0f8bf3018f1d04aa5c6716583b808ca05c802c46a9de4f084a91f7d
SHA512 7475fe248eafd528a05acab94f3973eeeb0d169203769ee6b42d007b5fa0605a58a290e145d74d57e17486367bacffed22e4a88e576fa9f65d000e487aa78e27

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Bold.otf

MD5 e57b6bc24b970a377574124e026a7c01
SHA1 00184aedd4ee4d2ca6b5c87cf41e78f64304c89b
SHA256 b012d85155925bbe2106b20234b96522dec7914f03b09bc6e2fff71554f31bf6
SHA512 c162cd8a7130d2c94dac5c3dad58794f368436cbf782e8063c245d4cae405af6aa25c2f381549defd520c3f7cdbc04a27f891798697e9c291317d3b3ba82efdc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\close.svg

MD5 7f8d672a2849987b498734dcb90f0c51
SHA1 e53b9319bf964c15099080ac5497ee39f8bab362
SHA256 4a290648cd1cfaaf1db4909d7552ae8cb83cb0b0e36770e64d153ab07ce6e7d4
SHA512 b3ddbf719f42440238c55cee896409179b4562ffe74f607d3640f623c8264c2fd2000b085dfd9a25ffd8ba2166695dcd663efec56cdac679f9993cfb602459d4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\window-minimize.svg

MD5 d47255b6d3e685cac4804eb58207d0b6
SHA1 7fe02211cf6b77f3971522a3b3888460491ae153
SHA256 29bc4875912360fac26586adaca21449026cc2cf6479f9d9bbb066abe2dd2640
SHA512 b39c96fd2479585b32146a3b33a5419f665391f1b1857b08896c8254b48fdb733551bd9974a3c7dcfb679cbb5b35ed9b8f538f5c44156d399b02b8d0d4fe95ef

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\cloud-off.svg

MD5 e99140f842b471d330fc27cd73817c4c
SHA1 9957147463f586824b65bc7bfb121d33a9523a96
SHA256 0f4cb470185e3c6c26ae033a3a88e3995340bb08a63432dd9ebb82b73dd665ae
SHA512 f579aef41980539675609c62ff4d80dde22bad59917d439dbd4d325173bed3f24534a72e9903aef58c6ee5d4b03fcb7d0a7be8c93c35da6dbb2e1e046b7da0f2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\backgrounds\Ori%20and%20the%20Blind%20Forest.jpg

MD5 babd1b019be8944f7ef6c64c8194bc8d
SHA1 702a50d3e3a0933db4dc1f37423bca3b5c52acde
SHA256 71ea07c900e7993072f4896c0ab621303feaf4d13b7c9a4b2993e06122b10f76
SHA512 6a854fc0db7206dd182f6ebc594d763b62a75f64663d3e58029cfa2586048838fe8878b043d174923e05f4e3cd2f3e9d96a6dcf5ba8bbd7322bbc3540bbb8b0d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll

MD5 cb9807f6cf55ad799e920b7e0f97df99
SHA1 bb76012ded5acd103adad49436612d073d159b29
SHA256 5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a
SHA512 f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\images\grain.png

MD5 3577f702479e7f31a32a96f38a36e752
SHA1 e407b9ac4cfe3270cdd640a5018bec2178d49bb1
SHA256 cc453dfe977598a839a52037ef947388e008e5cdfe91b1f1a4e85afb5509bee2
SHA512 1a4a03931ab56c8352382414f55eb25b324e11890d51ba95597dbd867b35db45db5adcefb47d95b3763f413a66e3228e59531bdbd5ba5541469196adb5eb3d70

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin

MD5 e6ee07a908803b70dcdf31271bbc05bc
SHA1 4328b159cebeae8594bda27a63617e2cc7626bfb
SHA256 5bc7d9a70129040cb1a99067d26a8a74f1679b345ae7e7fbd6c71d26a97e2688
SHA512 53293ee1c663824b3170b994209ad034024df9d77fb782b13a9c104c8dd89316c2fa18fc3b7e106260b3ef3e4d9a54b8b110aad52f5defd01abf5a370a4855b2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\folder.svg

MD5 50cecdece7b4bc925f5d0ee89b23f203
SHA1 dac0f01235ed5abd451b5ecd342686670a51a906
SHA256 be467574fdcd107ce7a0e7f7036a5c97a8073c77caafc3cc414da5335723cce3
SHA512 9ae7491302fcaa7426f944ec0658d05a32bf29601f8613828a2a00f9ebbdc66cd6b7f3d03abc9030e907ea057b623bc075319ccd2546430b92a3904e4cc4ef2b

C:\Program Files\ExLoader\ExLoader.zip

MD5 39106c9f46cb70314865a6465dc7cc0e
SHA1 8655deaf47a7d17489cc6ba59625eadcf77eca4a
SHA256 b2546bbb4a388e34c6e1ce1af2423fdce2e9ffbe55828f45d594a80eeccd95af
SHA512 0ef33513ecd6d893f10b11dd60864651e243d33f73690c40dd700440f016f7bf41ebc5a2a1bea1b65c78c542ec0222591406efdb8ca2da6035a0f4af9b25c96f

memory/1576-986-0x00000208B2440000-0x00000208B2462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0shmiucf.bst.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Program Files\ExLoader\ExLoader.exe

MD5 1e04c744d115e2c4eef7c3a37c62efc7
SHA1 076ed71b1c7e6ed9c7aba6da28a6c48e70f5bb98
SHA256 cf93cb22fa65e6f11bf2040dec522d8ea21fa85823f0dae9375ed3430aa4c77a
SHA512 bc01fc882d2e089819417a784ec9ce0cff5605749a59bbd609f9ea73d9e476167a7f0866ff133d14f0d77dd9014280f09ca0eb233d11c5c20e97b2d27633afaf

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\fonts\MaterialIcons-Regular.otf

MD5 e7069dfd19b331be16bed984668fe080
SHA1 fc25284ee3d0aaa75ec5fc8e4fd96926157ed8c4
SHA256 d9865b671a09d683d13a863089d8825e0f61a37696ce5d7d448bc8023aa62453
SHA512 27d9662a22c3e9fe66c261c45bf309e81be7a738ae5dc5b07ad90d207d9901785f3f11dc227c75ca683186b4553b0aa5a621f541c039475b0f032b7688aaa484

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\arrow-right.svg

MD5 caf3668c9e2b82819137f778b10f04f9
SHA1 a3713391b4ce86c084f1981851cef5e76afc71aa
SHA256 92b25cb5172f158b02e577ad36c7de69fd277378cfab9c8cdc7e639b16c03433
SHA512 0b9bf756c36026d853ba5809819f29c308ba15149debc75d04ac5cc2eff4f6c59f3a1da2ac50f268c7751243f96d3c3eb707a16ec0b1ac14fa49199a284826fa

memory/2880-1011-0x000002484C4D0000-0x000002484C4D1000-memory.dmp

C:\Program Files\ExLoader\data\app.so

MD5 cde527e578696b49eaea2abdb625c4ff
SHA1 bd9cdc5fad690ba06b4485763d8111e3fb77ea49
SHA256 ee480f3ac5dad7e7dbbbbeed1d3d3bba3d9e45825e8716e971918b2d7928e262
SHA512 5ac65486719c9feae439b760ace7504a42107bf6281f9416d34fe8c5b14576bc7116bf10646609a526c95f26b90bfa78bd5802171f5df33c3e9a9b50163f7a58

memory/2880-1015-0x000002484C4E0000-0x000002484C4E1000-memory.dmp

memory/2880-1013-0x000002484CCD0000-0x000002484DB1D000-memory.dmp

memory/2880-1012-0x000002484CCD0000-0x000002484DB1D000-memory.dmp

C:\Program Files\ExLoader\media_kit\libEGL.dll

MD5 0f61da7cea39e89861117f3cb4620dae
SHA1 9ca286bf6d5617eb38101d5e166edac29497c9c5
SHA256 b2590bd0692f0381fc45c20bf1c7f7f713c9ea19c7ea6bab62efdd1fadc4eaac
SHA512 7dc2bbce9808e00122ae0d960ad6b0156d201494aedf4c4c9e261f50986b72dd19b41d443138ffdf1b2e5b8e29614f0a1e909e4c867262eab311f6675618369d

C:\Program Files\ExLoader\media_kit\libGLESv2.dll

MD5 d22c92bee4e7a14d6c74e7376eca7605
SHA1 0592d72d5e0e38e5cfd9a090309260962bf8c4d9
SHA256 620bb6e38d7ed6c760a0cf4a8eb6a8f64b259b96ff286551cd32cefc6c35ca39
SHA512 2aeec8ccf9db442a2b1e3b391e6c3e899de1266199e6ee6040aceeaf8931e1d10c55ea1ab9ebbd3cc662bf56aea698c09e38f75c7b3e8b0b27c02af63d36993f

C:\Program Files\ExLoader\media_kit\libmpv-2.dll

MD5 3a6bd0dc9ab32d7b450f06bca2359274
SHA1 b2be6a73be23b60f1d23543363ea559438218c72
SHA256 d5f0694b08c124e785d858d00082f3e3b158dd9138bfc48c0382bf1eb443a5fc
SHA512 4c8133321833bc94c8a2f1ddc83523fd554d9699efa09d8dea6ef4aa9bbca0a4f041a10e4793b6424c8cffc4583e36c2a96039017f29465458a9a2e5510631ef

C:\Program Files\ExLoader\media_kit\permission_handler_windows_plugin.dll

MD5 af6bdeed7336e694564ddb6b19031fae
SHA1 383e0128a8794c73bd4c3aa3307eafacff6c6e91
SHA256 06a0c6f5e428fdfb87d05d50f3f7b4bb1af630969b02f43e0f517df34c156aff
SHA512 fb0eb8251bb374ce0b5d2a922a4c1b3eb7ea343ab2866b1f57d53217f0dbffbfce15b292c7e6d65a1f3652a98d05e444bc91efc8064a8e77309138cfe3fb4eed

C:\Program Files\ExLoader\media_kit\media_kit_video_plugin.dll

MD5 e228660a72c691d8a06aa967ac23a08a
SHA1 4bd0cdbd71ca5c686cf1280463d0717362cc6613
SHA256 0a9d2ebf9ac59324287720b15dd982eb6ad7631f11ad5ee41b31234f5fa86801
SHA512 4b2aa77eb972bb642ecb1c0a49eadb160342172d987c0a3623fb146a3fed670cca531afcf69d7c22aa0234ed8ea0b35fd1e915c99fea999fe3e60b5f076dbc79

C:\Program Files\ExLoader\media_kit\screen_brightness_windows_plugin.dll

MD5 8a76af8b126f25de94ee2c406db19d60
SHA1 1cf8dd5f443acd1c1db01661b57572c82886e260
SHA256 507e313f1ed3d8ca0e91e971cd7cd26d6e4abcf98b9d20f22e7e852ec8dbdead
SHA512 cbdb5f24c275135e57a1d4c4ae8e7b3ae5c224756c23df0be3f52455ea4f03f937af694ac1d7042a86bd993f5b6399e5ffebab4117a0aeca51f9c42dbcd38d42

C:\Program Files\ExLoader\media_kit\url_launcher_windows_plugin.dll

MD5 85f251d3a0406c5387f77117e2823530
SHA1 dcce565217a4eecf8f3b5e1189d94baa11e6e39d
SHA256 fa685e4bbeaad4d123a2b78d1f43f7ba7a64cfc1aaac2bb863fe7b288807c840
SHA512 e29f2393b9d9a41d8a3115028e93f711ba26d5fc35d6b193d72c72b2087a4650286ea3adbe3bb0fd951f5f434404d802056a487f7c4da31db7ca0c7f3a8e69c1

C:\Program Files\ExLoader\media_kit\media_kit_libs_windows_video_plugin.dll

MD5 5add2f3b4fb318216e1a1f1c07403b84
SHA1 e9af34de44d70395c60502269e1b26d078996ffd
SHA256 529d1fea9b3ac94829c7dbca6918b287e0a56cc6638989af490740a5d87ac621
SHA512 619659c928ff09de644915a5d5ae1648f19a14eb5c2ac5c46fd76535269fd9d1b8ad2a9179e44d72c79ca76bb003eb65eb413bce0ca927ef824b6905d666c700

memory/2880-1014-0x000002484CCD0000-0x000002484DB1D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe

MD5 86c5002d5712ac3de23356bbfe8e7bb4
SHA1 6db9cd250069c22554b4af50ed9aa5008e5e8252
SHA256 1d68ae3b0df8e53bdf79a8a0d73bcb1d178a3c72af55da2572a59397210bdfea
SHA512 d7f107815ccc993501cf1283fdf4cb5ee3964ef292732a8624f06a3ceb40f7057011b0f2ae881423e2abd6a9e6afe84876966c85fc15ef9526f4da95749d91c1

C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\shared_preferences.json

MD5 c80b0d12c4f645ed05ae28759537ed4a
SHA1 85f46af7b0c5e76e4fd9aaefd6e40924f2cb9e45
SHA256 505841451bb5527799be1c69d04ea1e5139beadd38c326c39f855743474e5f2e
SHA512 e3d94325b063e227ad0c06ab6c9b2f6b0ab0b9987aba9e5749c32dd80b59d601a2a1d1830e7ef3a2d09f1e4807a23c2a1e78cc52242be5db5fe977110b7950f4

C:\Program Files\ExLoader\media_kit\media_kit_native_event_loop.dll

MD5 17e0b1583660a96df08a845522dab46a
SHA1 0a360639f9b99642d2035630699533a589a60cef
SHA256 eb6ac7f66d533b837194045d5b0466feee318d4da0742c45b3e9ce77d1c1f4a3
SHA512 ae87cea5055f88d5afed82eb9cda64154596dbf7137440e20f7adb4e72eabe85d8fe5548384d2707bde16396d16445559a57937503baa655da0b68d664de8365

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2501191915239872548.dll

MD5 6f809bbbe1275e1e71427ff63165fcff
SHA1 c2a1726e038fbf7c583b0bb5faac91829dac7ba8
SHA256 51d12738523cabf3b96b9bed29ff882a36233a59c97a01e691552c547f0d733e
SHA512 dad32cfc4d04540c00d5f184c2c1d9b96b391acf563818490426f5e6051722a81a8f35e73142d79599c2c557fc78de5680481c1b47749bcda99148cbd273c2a0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501191915241\additional_file0.tmp

C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\games\game_icons.zip

C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\games\0.svg

C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\47ddf14b8d6f683aa8ba1f577a8adda7.png

C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\libCachedImageData_v2.json
