7e49e00be1992fbc4ac14f2e5e3c05dccadf8fba3c3936357d8df7f146f5f0a3

Resubmissions

03-02-2023 00:48

230203-a55pnshd53 8

03-02-2023 00:39

230203-az46yscf2t 8

31-01-2023 20:06

230131-yvhzxsca3x 8

Analysis

max time kernel
74s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20220812-es
resource tags

arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
03-02-2023 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.871-Installer-1.0.6.exe
Size

23.7MB
MD5

49fb0f13cdb8d7cad1487889b6becced
SHA1

b71d98ec45e6f7314f0e33106485beef99b2ee7c
SHA256

7e49e00be1992fbc4ac14f2e5e3c05dccadf8fba3c3936357d8df7f146f5f0a3
SHA512

639fa23294556bf77080d420e7e1b5b7c07a8b1e93897c36a4f8e398c1c58de9b91636420102e68f6957c768793797728664e32dc38aa68315746882b4ebe1d9
SSDEEP

393216:XX921sp/n85Pfs/dQETVlOBbpFEj9GZ1GphRqV56Hpk7IXOzDnKI17fyV5:XN8s18hHExiTI3qqHp6zvKcfyV5

Score

8^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AdditionalExecuteTL.exeirsetup.exeTLauncher-2.871-Installer-1.0.6.exeirsetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	AdditionalExecuteTL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TLauncher-2.871-Installer-1.0.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	irsetup.exe

Executes dropped EXE 17 IoCs

Processes:

irsetup.exeAdditionalExecuteTL.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exe_sfx.exeassistant_installer.exeassistant_installer.exeinstaller.exeinstaller.exeTLauncher.exelauncher.exeopera.exeopera_crashreporter.exe

pid	process
4428	irsetup.exe
5020	AdditionalExecuteTL.exe
1468	irsetup.exe
2356	opera-installer-bro.exe
1100	opera-installer-bro.exe
4244	opera-installer-bro.exe
1672	opera-installer-bro.exe
3604	opera-installer-bro.exe
4468	_sfx.exe
2500	assistant_installer.exe
1080	assistant_installer.exe
1492	installer.exe
3404	installer.exe
4364	TLauncher.exe
4084	launcher.exe
4544	opera.exe
3832	opera_crashreporter.exe

Loads dropped DLL 13 IoCs

Processes:

irsetup.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeinstaller.exeinstaller.exeopera.exe

pid	process
4428	irsetup.exe
4428	irsetup.exe
4428	irsetup.exe
1468	irsetup.exe
2356	opera-installer-bro.exe
1100	opera-installer-bro.exe
4244	opera-installer-bro.exe
1672	opera-installer-bro.exe
3604	opera-installer-bro.exe
1492	installer.exe
3404	installer.exe
4544	opera.exe
4544	opera.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\95.0.4635.25\\notification_helper.exe"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\95.0.4635.25\\notification_helper.exe\""	installer.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/4428-137-0x0000000000650000-0x0000000000A38000-memory.dmp	upx
behavioral1/memory/4428-142-0x0000000000650000-0x0000000000A38000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
behavioral1/memory/1468-152-0x0000000000AD0000-0x0000000000EB8000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/2356-159-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral1/memory/1100-162-0x0000000000400000-0x0000000000947000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe	upx
behavioral1/memory/4244-167-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral1/memory/1468-166-0x0000000000AD0000-0x0000000000EB8000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/1672-170-0x0000000000400000-0x0000000000947000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/3604-176-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral1/memory/3604-189-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral1/memory/4428-205-0x0000000000650000-0x0000000000A38000-memory.dmp	upx
behavioral1/memory/2356-277-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral1/memory/1100-285-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral1/memory/1672-282-0x0000000000400000-0x0000000000947000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

opera-installer-bro.exeopera-installer-bro.exeinstaller.exe

description	ioc	process
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\D:	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

opera.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	opera.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	opera.exe

Modifies registry class 43 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OperaStable\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\Launcher.exe\" -noautoupdate -- \"%1\""	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.opdownload\OpenWithProgIDs	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Applications	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OperaStable\FriendlyTypeName = "Opera Web Document"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OperaStable\shell\open\ddeexec\	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.shtml\OpenWithProgIDs\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.xhtml	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Applications\opera.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\Launcher.exe\" \"%1\""	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OperaStable	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OperaStable\URL Protocol	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OperaStable\shell\open\ddeexec	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.xhtml\OpenWithProgIDs	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\95.0.4635.25\\notification_helper.exe"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.xhtml\OpenWithProgIDs\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Applications\opera.exe	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OperaStable\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\Launcher.exe,0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OperaStable\shell\open\command	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OperaStable\shell\open	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OperaStable\shell\open\ddeexec\Application	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.htm\OpenWithProgids\OperaStable = "0"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.html\OpenWithProgids\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OperaStable\shell\open\ddeexec\Topic	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.opdownload\OpenWithProgIDs\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.xht\OpenWithProgIDs	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Applications\opera.exe\shell\open\command	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.xht\OpenWithProgIDs\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OperaStable\DefaultIcon	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OperaStable\shell	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OperaStable\shell\open\ddeexec\Application\	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\OperaStable\shell\open\ddeexec\Topic\	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.shtml\OpenWithProgIDs	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.shtml	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.pdf\OpenWithProgids\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.xht	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Applications\opera.exe\shell	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Applications\opera.exe\shell\open	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.opdownload	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\95.0.4635.25\\notification_helper.exe\""	installer.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

opera-installer-bro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	opera-installer-bro.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

installer.exe

pid process

1492 installer.exe

Suspicious use of SendNotifyMessage 22 IoCs

Processes:

installer.exe

pid	process
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
4428	irsetup.exe
4428	irsetup.exe
4428	irsetup.exe
4428	irsetup.exe
4428	irsetup.exe
4428	irsetup.exe
4428	irsetup.exe
5020	AdditionalExecuteTL.exe
1468	irsetup.exe
1468	irsetup.exe
1468	irsetup.exe
2356	opera-installer-bro.exe
1100	opera-installer-bro.exe
4244	opera-installer-bro.exe
1672	opera-installer-bro.exe
3604	opera-installer-bro.exe
4468	_sfx.exe
2500	assistant_installer.exe
1080	assistant_installer.exe
1492	installer.exe
3404	installer.exe
1492	installer.exe
1492	installer.exe
1804	DllHost.exe
1804	DllHost.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1804	DllHost.exe
1804	DllHost.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1492	installer.exe
1804	DllHost.exe
1804	DllHost.exe
1492	installer.exe
1492	installer.exe
1804	DllHost.exe
1804	DllHost.exe
1492	installer.exe
1492	installer.exe
1804	DllHost.exe
1804	DllHost.exe
4364	TLauncher.exe
1492	installer.exe
1492	installer.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

TLauncher-2.871-Installer-1.0.6.exeirsetup.exeAdditionalExecuteTL.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exeassistant_installer.exeinstaller.exeTLauncher.exelauncher.exeopera.exe

description	pid	process	target process
PID 5060 wrote to memory of 4428	5060	TLauncher-2.871-Installer-1.0.6.exe	irsetup.exe
PID 5060 wrote to memory of 4428	5060	TLauncher-2.871-Installer-1.0.6.exe	irsetup.exe
PID 5060 wrote to memory of 4428	5060	TLauncher-2.871-Installer-1.0.6.exe	irsetup.exe
PID 4428 wrote to memory of 5020	4428	irsetup.exe	AdditionalExecuteTL.exe
PID 4428 wrote to memory of 5020	4428	irsetup.exe	AdditionalExecuteTL.exe
PID 4428 wrote to memory of 5020	4428	irsetup.exe	AdditionalExecuteTL.exe
PID 5020 wrote to memory of 1468	5020	AdditionalExecuteTL.exe	irsetup.exe
PID 5020 wrote to memory of 1468	5020	AdditionalExecuteTL.exe	irsetup.exe
PID 5020 wrote to memory of 1468	5020	AdditionalExecuteTL.exe	irsetup.exe
PID 1468 wrote to memory of 2356	1468	irsetup.exe	opera-installer-bro.exe
PID 1468 wrote to memory of 2356	1468	irsetup.exe	opera-installer-bro.exe
PID 1468 wrote to memory of 2356	1468	irsetup.exe	opera-installer-bro.exe
PID 2356 wrote to memory of 1100	2356	opera-installer-bro.exe	opera-installer-bro.exe
PID 2356 wrote to memory of 1100	2356	opera-installer-bro.exe	opera-installer-bro.exe
PID 2356 wrote to memory of 1100	2356	opera-installer-bro.exe	opera-installer-bro.exe
PID 2356 wrote to memory of 4244	2356	opera-installer-bro.exe	opera-installer-bro.exe
PID 2356 wrote to memory of 4244	2356	opera-installer-bro.exe	opera-installer-bro.exe
PID 2356 wrote to memory of 4244	2356	opera-installer-bro.exe	opera-installer-bro.exe
PID 2356 wrote to memory of 1672	2356	opera-installer-bro.exe	opera-installer-bro.exe
PID 2356 wrote to memory of 1672	2356	opera-installer-bro.exe	opera-installer-bro.exe
PID 2356 wrote to memory of 1672	2356	opera-installer-bro.exe	opera-installer-bro.exe
PID 1672 wrote to memory of 3604	1672	opera-installer-bro.exe	opera-installer-bro.exe
PID 1672 wrote to memory of 3604	1672	opera-installer-bro.exe	opera-installer-bro.exe
PID 1672 wrote to memory of 3604	1672	opera-installer-bro.exe	opera-installer-bro.exe
PID 2356 wrote to memory of 4468	2356	opera-installer-bro.exe	_sfx.exe
PID 2356 wrote to memory of 4468	2356	opera-installer-bro.exe	_sfx.exe
PID 2356 wrote to memory of 4468	2356	opera-installer-bro.exe	_sfx.exe
PID 2356 wrote to memory of 2500	2356	opera-installer-bro.exe	assistant_installer.exe
PID 2356 wrote to memory of 2500	2356	opera-installer-bro.exe	assistant_installer.exe
PID 2356 wrote to memory of 2500	2356	opera-installer-bro.exe	assistant_installer.exe
PID 2500 wrote to memory of 1080	2500	assistant_installer.exe	assistant_installer.exe
PID 2500 wrote to memory of 1080	2500	assistant_installer.exe	assistant_installer.exe
PID 2500 wrote to memory of 1080	2500	assistant_installer.exe	assistant_installer.exe
PID 1672 wrote to memory of 1492	1672	opera-installer-bro.exe	installer.exe
PID 1672 wrote to memory of 1492	1672	opera-installer-bro.exe	installer.exe
PID 1492 wrote to memory of 3404	1492	installer.exe	installer.exe
PID 1492 wrote to memory of 3404	1492	installer.exe	installer.exe
PID 4428 wrote to memory of 4364	4428	irsetup.exe	TLauncher.exe
PID 4428 wrote to memory of 4364	4428	irsetup.exe	TLauncher.exe
PID 4428 wrote to memory of 4364	4428	irsetup.exe	TLauncher.exe
PID 4364 wrote to memory of 3344	4364	TLauncher.exe	javaw.exe
PID 4364 wrote to memory of 3344	4364	TLauncher.exe	javaw.exe
PID 1492 wrote to memory of 4084	1492	installer.exe	launcher.exe
PID 1492 wrote to memory of 4084	1492	installer.exe	launcher.exe
PID 4084 wrote to memory of 4544	4084	launcher.exe	opera.exe
PID 4084 wrote to memory of 4544	4084	launcher.exe	opera.exe
PID 4544 wrote to memory of 3832	4544	opera.exe	opera_crashreporter.exe
PID 4544 wrote to memory of 3832	4544	opera.exe	opera_crashreporter.exe

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5060

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6.exe" "__IRCT:3" "__IRTSS:24870711" "__IRSID:S-1-5-21-2295526160-1155304984-640977766-1000"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4428

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5020

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1840872" "__IRSID:S-1-5-21-2295526160-1155304984-640977766-1000"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
"C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --silent --allusers=0
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.25 --initial-client-data=0x340,0x344,0x348,0x31c,0x34c,0x6f45e428,0x6f45e438,0x6f45e444
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe" --version
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4244

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
"C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=es --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --pin-additional-shortcuts=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=2356 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20230203014934" --session-guid=7bcd34bd-192f-4696-8d42-6d5c81c7340a --server-tracking-blob=NTk1MTUwNTlmYTM2MTdhNjk0OGY2YTgzMmIxYjVkOGE2YzI3ODlhMjYwODFkYmZhZDUxZGQ2YmM1ZTI4ODFiODp7ImNvdW50cnkiOiJJTiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fbWVkaXVtPWFwYiZ1dG1fc291cmNlPU1TVEwmdXRtX2NhbXBhaWduPU9wZXJhRGVza3RvcCIsInRpbWVzdGFtcCI6IjE2NzUzODUzNzIuMjg3MSIsInVzZXJhZ2VudCI6IlNldHVwIEZhY3RvcnkgOS4wIiwidXRtIjp7ImNhbXBhaWduIjoiT3BlcmFEZXNrdG9wIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiTVNUTCJ9LCJ1dWlkIjoiNDRhOTBiMzYtNzM0YS00ZjI4LWJkMTktZjc4NmU0N2U4OWUwIn0= --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=AC05000000000000
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.25 --initial-client-data=0x34c,0x350,0x354,0x31c,0x358,0x6e93e428,0x6e93e438,0x6e93e444
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3604

C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\installer.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\installer.exe" --backend --initial-pid=2356 --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=es --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --pin-additional-shortcuts=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --package-dir="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341" --session-guid=7bcd34bd-192f-4696-8d42-6d5c81c7340a --server-tracking-blob=NTk1MTUwNTlmYTM2MTdhNjk0OGY2YTgzMmIxYjVkOGE2YzI3ODlhMjYwODFkYmZhZDUxZGQ2YmM1ZTI4ODFiODp7ImNvdW50cnkiOiJJTiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fbWVkaXVtPWFwYiZ1dG1fc291cmNlPU1TVEwmdXRtX2NhbXBhaWduPU9wZXJhRGVza3RvcCIsInRpbWVzdGFtcCI6IjE2NzUzODUzNzIuMjg3MSIsInVzZXJhZ2VudCI6IlNldHVwIEZhY3RvcnkgOS4wIiwidXRtIjp7ImNhbXBhaWduIjoiT3BlcmFEZXNrdG9wIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiTVNUTCJ9LCJ1dWlkIjoiNDRhOTBiMzYtNzM0YS00ZjI4LWJkMTktZjc4NmU0N2U4OWUwIn0= --silent --desktopshortcut=1 --install-subfolder=95.0.4635.25
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Enumerates connected drives
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\installer.exe
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\installer.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.25 --initial-client-data=0x2b8,0x2bc,0x2c0,0x294,0x2c4,0x7ff8c3fea908,0x7ff8c3fea918,0x7ff8c3fea928
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3404

C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe" --start-maximized
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --start-maximized --ran-launcher
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_crashreporter.exe
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_crashreporter.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.25 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x7ff8bb1f1a18,0x7ff8bb1f1a28,0x7ff8bb1f1a38
10⤵
- Executes dropped EXE
PID:3832

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=gpu-process --start-stack-profiler --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:booking-modal=off --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1936,i,9487607170593093618,12117746918455525125,131072 /prefetch:2
10⤵
PID:2788

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --enable-quic --start-stack-profiler --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:booking-modal=off --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=2092 --field-trial-handle=1936,i,9487607170593093618,12117746918455525125,131072 /prefetch:8
10⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341\assistant\_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341\assistant\_sfx.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341\assistant\assistant_installer.exe" --version
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=94.0.4606.38 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2cc,0x2fc,0x492dc0,0x492dd0,0x492ddc
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4364

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
4⤵
PID:3344

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --start-maximized --ran-launcher --flag-switches-begin --flag-switches-end --enable-quic --lowered-browser
1⤵
PID:2908

C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_crashreporter.exe
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_crashreporter.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.25 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x7ff8bb1f1a18,0x7ff8bb1f1a28,0x7ff8bb1f1a38
2⤵
PID:1080

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=gpu-process --start-stack-profiler --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:booking-modal=off --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=2004,i,1942534416873166671,17016392332198061881,131072 /prefetch:2
2⤵
PID:4080

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --enable-quic --start-stack-profiler --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:booking-modal=off --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=1892 --field-trial-handle=2004,i,1942534416873166671,17016392332198061881,131072 /prefetch:8
2⤵
PID:4780

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=es --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:booking-modal=off --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=2384 --field-trial-handle=2004,i,1942534416873166671,17016392332198061881,131072 /prefetch:8
2⤵
PID:4512

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:booking-modal=off --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3108 --field-trial-handle=2004,i,1942534416873166671,17016392332198061881,131072 /prefetch:8
2⤵
PID:4372

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:booking-modal=off --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3140 --field-trial-handle=2004,i,1942534416873166671,17016392332198061881,131072 /prefetch:8
2⤵
PID:2832

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:2584

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize
471B

MD5
4038229605b21ba892ffb3b09b0464b5

SHA1
6000daff72e1059e2e17ac53cb9c591a71d550d4

SHA256
be703417a8d1c4bbf3f07e5283eec1ebd08a2ab9e7b2b2f5e51e7d7ba70bc142

SHA512
3835eb7f77602d56c8cc4e70431ee02b30d4e18507c70039a3225d2d097dfee2baed4bf038b7977ca21b5def862360dd59f4f69bba43add937ae0dc34c8c67c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize
434B

MD5
2006fe7bd90ba01957dbfb02aa76eb8f

SHA1
764196cb3a6653c53f839840f3ed979a986b47ab

SHA256
8fd85ff32f5e554337d19180a9d4f04abd68db0dcab2664f2cfb3b35a8994ec9

SHA512
6fd7ff131d2ab7e487af09d109340e01e47b60112a42efed0fc37eac56e4d5257df7521a1398a855a57eecbdec1deaf74f9c1304a7281cf2d7c58da088a62e07

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\installer.exe
Filesize
6.2MB

MD5
a33e62d3b0534ee26944f30f501843fe

SHA1
806718f157ef9782339efc43957fe504f1e22f79

SHA256
b3af95c038e9e2b53ddf0fa747b6866ba433c796f7e6906551969d897b438954

SHA512
582450d82a25e3a7e4b2cee9db11658c2219c8b671b365c2e6a76e146cf9cad6d49e4e04c5dd0a11ca1d7be6bed8731eb54df4c11a2f42c7c3c59fb62bf29975

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\installer.exe
Filesize
6.2MB

MD5
a33e62d3b0534ee26944f30f501843fe

SHA1
806718f157ef9782339efc43957fe504f1e22f79

SHA256
b3af95c038e9e2b53ddf0fa747b6866ba433c796f7e6906551969d897b438954

SHA512
582450d82a25e3a7e4b2cee9db11658c2219c8b671b365c2e6a76e146cf9cad6d49e4e04c5dd0a11ca1d7be6bed8731eb54df4c11a2f42c7c3c59fb62bf29975

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_browser.dll
Filesize
15.1MB

MD5
aadfcc32cfd95ac4580482863fa8a001

SHA1
7bfc1e1bcb963327a85c2a42eac7de18590ddc01

SHA256
a3b619bb91000ef025d2bcbc917eb8a96023c95717f08fadd2a6c7e82ac6815a

SHA512
0f876554343fe6f7305bf6f927b51ebd2dfbb820ec9b3065b7ed6cacde418d3cb1e02fef4b02c78c21203549edf6aea98b379b2bd791f73bf89e3c931e2e075b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_browser.dll
Filesize
16.9MB

MD5
0548030fa4aa7feaf84f71acdd420d66

SHA1
f3490eedd26bab159388f567f300b0c87b3d3f4d

SHA256
bcb0e9f722f671f1ea7d96caa309785bd124a934e51d27a28a2c548147bb893e

SHA512
36ce1442b8731b912b7f9e70a512878de3f8cc3f9d195be46d17d625a9ec48cd7866e62cf616843a29fcbfd63468bebf4ad020b8507942a441a57918cd0aa9b7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_crashreporter.exe
Filesize
2.3MB

MD5
546223401773f16e10d8b01d72d9f7ee

SHA1
31f2d388de6c3db5eaedf31686b6b5520459fda6

SHA256
3b5f31eb9627de3f05466b337b6cf3efd47f4a28c069b80128b3b1f8a3e5c253

SHA512
0972c8bb6403a90f5801e5b6eb11cc5ee3ce98320dbfa75f9c33478253e8fb23fa4d700f9e20ac770d0f45a1420b4dc8c2e18b176eeb1e33c126f08fb36dc670

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_elf.dll
Filesize
1.1MB

MD5
4382dc71fcb29a3536effbc75fb47414

SHA1
2fe0dbfea8a4853a83f47d169331af9dbd21a689

SHA256
9ce89f5ac296e6714fa3ea34c31c1770fe102e55d0a630963344609d8f9c4cc1

SHA512
c37e3810f18fed9be60936be5d2285867c9842ad1c49c18b80bea674aa08334eeaf7d53efa4d11bf2abf52701a275c91985a9cb2ca5fdbf6daec66d69b92b1ea

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_elf.dll
Filesize
1.1MB

MD5
4382dc71fcb29a3536effbc75fb47414

SHA1
2fe0dbfea8a4853a83f47d169331af9dbd21a689

SHA256
9ce89f5ac296e6714fa3ea34c31c1770fe102e55d0a630963344609d8f9c4cc1

SHA512
c37e3810f18fed9be60936be5d2285867c9842ad1c49c18b80bea674aa08334eeaf7d53efa4d11bf2abf52701a275c91985a9cb2ca5fdbf6daec66d69b92b1ea

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_elf.dll
Filesize
1.1MB

MD5
4382dc71fcb29a3536effbc75fb47414

SHA1
2fe0dbfea8a4853a83f47d169331af9dbd21a689

SHA256
9ce89f5ac296e6714fa3ea34c31c1770fe102e55d0a630963344609d8f9c4cc1

SHA512
c37e3810f18fed9be60936be5d2285867c9842ad1c49c18b80bea674aa08334eeaf7d53efa4d11bf2abf52701a275c91985a9cb2ca5fdbf6daec66d69b92b1ea

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\installation_status.json
Filesize
11KB

MD5
e30ff11755716768b2d17525be07c0a4

SHA1
94f0e9f9cef3ac00733d2daa312a8156d9e8601b

SHA256
41d2375a15307602f14d04c22c1632dd8198b5bb371c61709fe67ab8cb0c3a64

SHA512
6a75204f63360cc05b2c8011dd7719b7392635ef6e5adde45f3f9d161c18d4b7bbe33ed6082eea8d64bca2d88cac245b9d69f2290102facabb432188bfd4db43

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\installer_prefs.json
Filesize
1KB

MD5
e0ff554cc1a82ff4407cba906d0ee0f5

SHA1
bfb96a4c664e06f046e0ddc9f4ca610aa6fdfbd3

SHA256
20b4c2a5b880f44b6b5d837c63897a2e473242958ce7486184e6d4871ae2db79

SHA512
d80124bd29dd504149201a950eb0adaeb28366b07dbe19fceb8e86e5c98098be45647deea4ca3b47208acea55da1d5bcd957c040c728db2ed3760fa151c75ed0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
Filesize
2.5MB

MD5
71b46d82ffdb677df400d915f401918c

SHA1
d8af66d938741da7a1d803c815fedbea1e2114eb

SHA256
ada3823a6e9eb6fc51e986cd606129f43bfb3f87a1c7103e581e1cabe5d4f196

SHA512
29e4ae7f510e811ab251e2d406d37d51523a221b0b7504201ed3b4878be2dacd63bce3c26506706418f2e3372a2af0b788784e6859e11ce83e5978019422963d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
Filesize
2.5MB

MD5
71b46d82ffdb677df400d915f401918c

SHA1
d8af66d938741da7a1d803c815fedbea1e2114eb

SHA256
ada3823a6e9eb6fc51e986cd606129f43bfb3f87a1c7103e581e1cabe5d4f196

SHA512
29e4ae7f510e811ab251e2d406d37d51523a221b0b7504201ed3b4878be2dacd63bce3c26506706418f2e3372a2af0b788784e6859e11ce83e5978019422963d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
Filesize
1.5MB

MD5
ef2789f47e2fec7d2ef1845d3a453ace

SHA1
cb4dc554065b7b2de21feddcf17bf4eb74351fdc

SHA256
77ee5ccb31effa5bde0b1433d2b5899618b8c4c368c5a7664b68bd25ba363d71

SHA512
838dcaf54dbf0b8f599e91b6bfe8b3c9fb5d427c8b62b4bac61d68084ef2c23acfec9dc5db56344e909b29431f5ca8f85ee4d56fffb7979b461b9cd75f0940aa

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
Filesize
1.5MB

MD5
ef2789f47e2fec7d2ef1845d3a453ace

SHA1
cb4dc554065b7b2de21feddcf17bf4eb74351fdc

SHA256
77ee5ccb31effa5bde0b1433d2b5899618b8c4c368c5a7664b68bd25ba363d71

SHA512
838dcaf54dbf0b8f599e91b6bfe8b3c9fb5d427c8b62b4bac61d68084ef2c23acfec9dc5db56344e909b29431f5ca8f85ee4d56fffb7979b461b9cd75f0940aa

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
Filesize
1.5MB

MD5
ef2789f47e2fec7d2ef1845d3a453ace

SHA1
cb4dc554065b7b2de21feddcf17bf4eb74351fdc

SHA256
77ee5ccb31effa5bde0b1433d2b5899618b8c4c368c5a7664b68bd25ba363d71

SHA512
838dcaf54dbf0b8f599e91b6bfe8b3c9fb5d427c8b62b4bac61d68084ef2c23acfec9dc5db56344e909b29431f5ca8f85ee4d56fffb7979b461b9cd75f0940aa

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
Filesize
1.5MB

MD5
ef2789f47e2fec7d2ef1845d3a453ace

SHA1
cb4dc554065b7b2de21feddcf17bf4eb74351fdc

SHA256
77ee5ccb31effa5bde0b1433d2b5899618b8c4c368c5a7664b68bd25ba363d71

SHA512
838dcaf54dbf0b8f599e91b6bfe8b3c9fb5d427c8b62b4bac61d68084ef2c23acfec9dc5db56344e909b29431f5ca8f85ee4d56fffb7979b461b9cd75f0940aa

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\pref_default_overrides
Filesize
57B

MD5
f488c9f9d9d5e631484d4bf155f45442

SHA1
0f0e624770e47bea5186748a9de85c677dd84fa7

SHA256
e6f214ff5ccbbe6e7abcf309138cdcb46d3fe3915e9bbbe8dd3c15afb439f708

SHA512
d72d1daa86e650a0589f6991f7a7bb3b7ca3484d49bc0d0d703b28b8f399f3123df2bf3c949a899fab55bde7d888736f655e462e2cd02ade59bbf9e67df54064

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
9cbefccac5dd0ad57aeff45fe8dcb0ea

SHA1
67fd7def906e32e1cbacaa4b2b2b658892bf31ed

SHA256
003d3d04797a3458f4a95fe0a5fad9fa527cbd2557b7beb999a5681d4c85e884

SHA512
aaefceffe59178f845f699a152eb55169d3a6e5de34c2ab3c83a69aa6aee0d0a82dcd4cbc94656030171774e13ad6b86c8418493438bba2fd5d3349065f33049

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
9cbefccac5dd0ad57aeff45fe8dcb0ea

SHA1
67fd7def906e32e1cbacaa4b2b2b658892bf31ed

SHA256
003d3d04797a3458f4a95fe0a5fad9fa527cbd2557b7beb999a5681d4c85e884

SHA512
aaefceffe59178f845f699a152eb55169d3a6e5de34c2ab3c83a69aa6aee0d0a82dcd4cbc94656030171774e13ad6b86c8418493438bba2fd5d3349065f33049

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341\assistant\_sfx.exe
Filesize
1.7MB

MD5
0238df215bf6943892daf85de8ad433a

SHA1
3d905e4e2c0e9170df61b7a199321847691f945e

SHA256
a7818aca6acbe347df13d51d9750f6a852c5aa2a58580f7f2015113e0a3e06d7

SHA512
fc6c12e359b9a4ce84ef878f29648a4c97c38fd12ed80996c5e03829833220010fff9c751a99f399dad3529bda6438424194ed18236addfbe430343807aaad69

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341\assistant\_sfx.exe
Filesize
1.7MB

MD5
0238df215bf6943892daf85de8ad433a

SHA1
3d905e4e2c0e9170df61b7a199321847691f945e

SHA256
a7818aca6acbe347df13d51d9750f6a852c5aa2a58580f7f2015113e0a3e06d7

SHA512
fc6c12e359b9a4ce84ef878f29648a4c97c38fd12ed80996c5e03829833220010fff9c751a99f399dad3529bda6438424194ed18236addfbe430343807aaad69

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341\assistant\assistant_installer.exe
Filesize
2.1MB

MD5
9df6e2fbb7e38964f35016bf91ef7424

SHA1
d0c1266dc46814bc6165cf6a69e90581228989a7

SHA256
3573825f31875d403832de8e06aabc2adbdf0c5279d80ea62dfcb1f159f06c1d

SHA512
b14c2224ae10c80429205a39791745b1627c1a487176c06aa105d0689e77fb0b86427e1a7d5aef5d06460070b3df4ebea41db67d54e221ea25979b3bb5318d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341\assistant\assistant_installer.exe
Filesize
2.1MB

MD5
9df6e2fbb7e38964f35016bf91ef7424

SHA1
d0c1266dc46814bc6165cf6a69e90581228989a7

SHA256
3573825f31875d403832de8e06aabc2adbdf0c5279d80ea62dfcb1f159f06c1d

SHA512
b14c2224ae10c80429205a39791745b1627c1a487176c06aa105d0689e77fb0b86427e1a7d5aef5d06460070b3df4ebea41db67d54e221ea25979b3bb5318d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341\assistant\assistant_installer.exe
Filesize
2.1MB

MD5
9df6e2fbb7e38964f35016bf91ef7424

SHA1
d0c1266dc46814bc6165cf6a69e90581228989a7

SHA256
3573825f31875d403832de8e06aabc2adbdf0c5279d80ea62dfcb1f159f06c1d

SHA512
b14c2224ae10c80429205a39791745b1627c1a487176c06aa105d0689e77fb0b86427e1a7d5aef5d06460070b3df4ebea41db67d54e221ea25979b3bb5318d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341\installer_prefs_include.json
Filesize
1KB

MD5
ddb372f1a196ea6ee1c59a21bae3a299

SHA1
90d7fc15564210a7188f49b608af46e3d2e8c2ef

SHA256
09b276292bd7ebfc8cd3c4eebca1763fc2e276d585aa8e9bcd91f8ceee743686

SHA512
cf25a94ed02e7a4cde6dda5a4365e9d5fe6b2e7903675caf2f1995de7275af3913122c0e9c984c533464a28986f9f02949653558d58d7bf4255aeee3b4fea499

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341\installer_prefs_include.json.backup
Filesize
1KB

MD5
ddb372f1a196ea6ee1c59a21bae3a299

SHA1
90d7fc15564210a7188f49b608af46e3d2e8c2ef

SHA256
09b276292bd7ebfc8cd3c4eebca1763fc2e276d585aa8e9bcd91f8ceee743686

SHA512
cf25a94ed02e7a4cde6dda5a4365e9d5fe6b2e7903675caf2f1995de7275af3913122c0e9c984c533464a28986f9f02949653558d58d7bf4255aeee3b4fea499

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341\opera_package
Filesize
86.8MB

MD5
7f98c2aa3a2b1a46caf94752d2e73907

SHA1
105b7b96c23d403008f603a1e3cc4c7162884fe3

SHA256
8f85c61fe1ca76f4c8e2dcb5f51758de73c85d25817cfab70540fa193d3ee417

SHA512
57f46f5af493f73472f7c664f12156cf8e18126a3f91e4c313d1ec185c78dad9301e09db38396cf811ada24eecd01b4b705384ca61da5f640c7ad38f3860b1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302030149341\pref_default_overrides
Filesize
57B

MD5
f488c9f9d9d5e631484d4bf155f45442

SHA1
0f0e624770e47bea5186748a9de85c677dd84fa7

SHA256
e6f214ff5ccbbe6e7abcf309138cdcb46d3fe3915e9bbbe8dd3c15afb439f708

SHA512
d72d1daa86e650a0589f6991f7a7bb3b7ca3484d49bc0d0d703b28b8f399f3123df2bf3c949a899fab55bde7d888736f655e462e2cd02ade59bbf9e67df54064

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302030149322402356.dll
Filesize
4.6MB

MD5
914ec7fb3d69e977440248ef30323636

SHA1
2aa31e599769f34d0cb6e979947ca5728db9b009

SHA256
528117e7c698fbe7ad3036aef77f99ab8af74316def7a4ba60f738c40168c203

SHA512
ff62901ffe79bbc8ffe6cce3efc8f13e71f13a41772b8d0180614b6ba80d5b9db1094a97cf3d239057dca2efdd7b0adc217f3ddce5111267c50ec9d0d1125b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302030149328181100.dll
Filesize
4.6MB

MD5
914ec7fb3d69e977440248ef30323636

SHA1
2aa31e599769f34d0cb6e979947ca5728db9b009

SHA256
528117e7c698fbe7ad3036aef77f99ab8af74316def7a4ba60f738c40168c203

SHA512
ff62901ffe79bbc8ffe6cce3efc8f13e71f13a41772b8d0180614b6ba80d5b9db1094a97cf3d239057dca2efdd7b0adc217f3ddce5111267c50ec9d0d1125b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302030149344444244.dll
Filesize
4.6MB

MD5
914ec7fb3d69e977440248ef30323636

SHA1
2aa31e599769f34d0cb6e979947ca5728db9b009

SHA256
528117e7c698fbe7ad3036aef77f99ab8af74316def7a4ba60f738c40168c203

SHA512
ff62901ffe79bbc8ffe6cce3efc8f13e71f13a41772b8d0180614b6ba80d5b9db1094a97cf3d239057dca2efdd7b0adc217f3ddce5111267c50ec9d0d1125b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302030149347401672.dll
Filesize
4.6MB

MD5
914ec7fb3d69e977440248ef30323636

SHA1
2aa31e599769f34d0cb6e979947ca5728db9b009

SHA256
528117e7c698fbe7ad3036aef77f99ab8af74316def7a4ba60f738c40168c203

SHA512
ff62901ffe79bbc8ffe6cce3efc8f13e71f13a41772b8d0180614b6ba80d5b9db1094a97cf3d239057dca2efdd7b0adc217f3ddce5111267c50ec9d0d1125b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302030149366623604.dll
Filesize
4.6MB

MD5
914ec7fb3d69e977440248ef30323636

SHA1
2aa31e599769f34d0cb6e979947ca5728db9b009

SHA256
528117e7c698fbe7ad3036aef77f99ab8af74316def7a4ba60f738c40168c203

SHA512
ff62901ffe79bbc8ffe6cce3efc8f13e71f13a41772b8d0180614b6ba80d5b9db1094a97cf3d239057dca2efdd7b0adc217f3ddce5111267c50ec9d0d1125b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302030150059061492.dll
Filesize
5.5MB

MD5
1c7944977fab5254479a6ea6a09ee144

SHA1
1351d08d36b3d1ea8bced9041486630b701ea7a0

SHA256
2f48658421e22346a005d01a92f63aa32a621e885ac93717c3726818725b7773

SHA512
868a0a614c326e4a52b95de26bcde8e99e173158d093a3a3cfb2f59079bf06e41c03c5bf1cc2541673677db03b9abeb150842d12c4665e973b9f5bb2e0894646

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302030150067353404.dll
Filesize
5.5MB

MD5
1c7944977fab5254479a6ea6a09ee144

SHA1
1351d08d36b3d1ea8bced9041486630b701ea7a0

SHA256
2f48658421e22346a005d01a92f63aa32a621e885ac93717c3726818725b7773

SHA512
868a0a614c326e4a52b95de26bcde8e99e173158d093a3a3cfb2f59079bf06e41c03c5bf1cc2541673677db03b9abeb150842d12c4665e973b9f5bb2e0894646

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
9cbefccac5dd0ad57aeff45fe8dcb0ea

SHA1
67fd7def906e32e1cbacaa4b2b2b658892bf31ed

SHA256
003d3d04797a3458f4a95fe0a5fad9fa527cbd2557b7beb999a5681d4c85e884

SHA512
aaefceffe59178f845f699a152eb55169d3a6e5de34c2ab3c83a69aa6aee0d0a82dcd4cbc94656030171774e13ad6b86c8418493438bba2fd5d3349065f33049

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
9cbefccac5dd0ad57aeff45fe8dcb0ea

SHA1
67fd7def906e32e1cbacaa4b2b2b658892bf31ed

SHA256
003d3d04797a3458f4a95fe0a5fad9fa527cbd2557b7beb999a5681d4c85e884

SHA512
aaefceffe59178f845f699a152eb55169d3a6e5de34c2ab3c83a69aa6aee0d0a82dcd4cbc94656030171774e13ad6b86c8418493438bba2fd5d3349065f33049

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
9cbefccac5dd0ad57aeff45fe8dcb0ea

SHA1
67fd7def906e32e1cbacaa4b2b2b658892bf31ed

SHA256
003d3d04797a3458f4a95fe0a5fad9fa527cbd2557b7beb999a5681d4c85e884

SHA512
aaefceffe59178f845f699a152eb55169d3a6e5de34c2ab3c83a69aa6aee0d0a82dcd4cbc94656030171774e13ad6b86c8418493438bba2fd5d3349065f33049

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
9cbefccac5dd0ad57aeff45fe8dcb0ea

SHA1
67fd7def906e32e1cbacaa4b2b2b658892bf31ed

SHA256
003d3d04797a3458f4a95fe0a5fad9fa527cbd2557b7beb999a5681d4c85e884

SHA512
aaefceffe59178f845f699a152eb55169d3a6e5de34c2ab3c83a69aa6aee0d0a82dcd4cbc94656030171774e13ad6b86c8418493438bba2fd5d3349065f33049

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
9cbefccac5dd0ad57aeff45fe8dcb0ea

SHA1
67fd7def906e32e1cbacaa4b2b2b658892bf31ed

SHA256
003d3d04797a3458f4a95fe0a5fad9fa527cbd2557b7beb999a5681d4c85e884

SHA512
aaefceffe59178f845f699a152eb55169d3a6e5de34c2ab3c83a69aa6aee0d0a82dcd4cbc94656030171774e13ad6b86c8418493438bba2fd5d3349065f33049

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
Filesize
647B

MD5
88e360402a16f33f5bf4b4d0ffaf4a66

SHA1
47d4ecd27f59b81e2f13232bc7e7b5aefc8b0c4e

SHA256
34048bd2e336df1803d5cf30f9a8812016545e57b0f579b65f99d313b18e000e

SHA512
f99384df6ea6923469333b9093aaf7b1e0ded6eabcddcf7dbedeefd827764f99520d98e54d86513c90bdbacbbdfc29a788f2c69d50c4092cacf01c9f87ef1f87

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
Filesize
5.2MB

MD5
58e22c0ee91280156cdaadacac7acddb

SHA1
189c552c94a9b0ae0208763bca77f2801debc224

SHA256
765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714

SHA512
9f510c896d641919b037e201f5ba9de476241e7cab1004d92a85df4b9240ff947737619921b1223cd926c8c5a6e667dc76cad37e818d2a9d144b826836d562c6

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
Filesize
5.2MB

MD5
58e22c0ee91280156cdaadacac7acddb

SHA1
189c552c94a9b0ae0208763bca77f2801debc224

SHA256
765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714

SHA512
9f510c896d641919b037e201f5ba9de476241e7cab1004d92a85df4b9240ff947737619921b1223cd926c8c5a6e667dc76cad37e818d2a9d144b826836d562c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Navegador Opera.lnk
Filesize
1KB

MD5
bb5c86c41a6fd673749802e8f58af495

SHA1
ae0c714b458c6efa66c008137ab8a5bece89d2bb

SHA256
0617fd7b001fbda37b7de68b04c1a30d6d28285d5c9a114539edc2cd6dbca0e1

SHA512
cb89c4adb7d4832a4dad3b1581e72a4d43360ef758a7856521d7c2158c0138b5b3436507ec136c7422cd8f79cc142002406e7b45c762314cd5925b1eb6e8ddc2

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
b5d9f58a0124c4fb4e768999b4176445

SHA1
6cf72a392d64d58560327b17db1a56d649237984

SHA256
a5bc833a71dbc06d85d4f47c93aaf7dd548f4f122678b481975b2422a2242817

SHA512
32f9b73c0e1ff297eaf050818a43b21668ec06d406f19a822d9bbfdcae5d729967d1d8b8143a9e7092c26f59aaea850b35e063ff152f8b71b8fc6c4dbc649e61

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
b5d9f58a0124c4fb4e768999b4176445

SHA1
6cf72a392d64d58560327b17db1a56d649237984

SHA256
a5bc833a71dbc06d85d4f47c93aaf7dd548f4f122678b481975b2422a2242817

SHA512
32f9b73c0e1ff297eaf050818a43b21668ec06d406f19a822d9bbfdcae5d729967d1d8b8143a9e7092c26f59aaea850b35e063ff152f8b71b8fc6c4dbc649e61

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
b5d9f58a0124c4fb4e768999b4176445

SHA1
6cf72a392d64d58560327b17db1a56d649237984

SHA256
a5bc833a71dbc06d85d4f47c93aaf7dd548f4f122678b481975b2422a2242817

SHA512
32f9b73c0e1ff297eaf050818a43b21668ec06d406f19a822d9bbfdcae5d729967d1d8b8143a9e7092c26f59aaea850b35e063ff152f8b71b8fc6c4dbc649e61

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
b5d9f58a0124c4fb4e768999b4176445

SHA1
6cf72a392d64d58560327b17db1a56d649237984

SHA256
a5bc833a71dbc06d85d4f47c93aaf7dd548f4f122678b481975b2422a2242817

SHA512
32f9b73c0e1ff297eaf050818a43b21668ec06d406f19a822d9bbfdcae5d729967d1d8b8143a9e7092c26f59aaea850b35e063ff152f8b71b8fc6c4dbc649e61

Download Submit
\??\mailslot\opera_installer\C:\Users\Admin\AppData\Local\Programs\Opera
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1080-263-0x0000000000000000-mapping.dmp

Download
memory/1080-185-0x0000000000000000-mapping.dmp

Download
memory/1100-157-0x0000000000000000-mapping.dmp

Download
memory/1100-285-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/1100-162-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/1468-152-0x0000000000AD0000-0x0000000000EB8000-memory.dmp

Filesize
3.9MB

Download
memory/1468-146-0x0000000000000000-mapping.dmp

Download
memory/1468-166-0x0000000000AD0000-0x0000000000EB8000-memory.dmp

Filesize
3.9MB

Download
memory/1492-190-0x0000000000000000-mapping.dmp

Download
memory/1672-282-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/1672-170-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/1672-168-0x0000000000000000-mapping.dmp

Download
memory/2356-277-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/2356-153-0x0000000000000000-mapping.dmp

Download
memory/2356-159-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/2500-182-0x0000000000000000-mapping.dmp

Download
memory/2788-252-0x0000000000000000-mapping.dmp

Download
memory/3344-232-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

Filesize
16.0MB

Download
memory/3344-279-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

Filesize
16.0MB

Download
memory/3344-264-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

Filesize
16.0MB

Download
memory/3344-260-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

Filesize
16.0MB

Download
memory/3344-271-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

Filesize
16.0MB

Download
memory/3344-215-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

Filesize
16.0MB

Download
memory/3344-266-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

Filesize
16.0MB

Download
memory/3344-283-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

Filesize
16.0MB

Download
memory/3344-291-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

Filesize
16.0MB

Download
memory/3344-246-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

Filesize
16.0MB

Download
memory/3344-202-0x0000000000000000-mapping.dmp

Download
memory/3404-193-0x0000000000000000-mapping.dmp

Download
memory/3604-292-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/3604-176-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/3604-174-0x0000000000000000-mapping.dmp

Download
memory/3604-189-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/3832-235-0x0000000000000000-mapping.dmp

Download
memory/4080-269-0x0000000000000000-mapping.dmp

Download
memory/4084-212-0x0000000000000000-mapping.dmp

Download
memory/4244-167-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/4244-161-0x0000000000000000-mapping.dmp

Download
memory/4364-199-0x0000000000000000-mapping.dmp

Download
memory/4428-205-0x0000000000650000-0x0000000000A38000-memory.dmp

Filesize
3.9MB

Download
memory/4428-137-0x0000000000650000-0x0000000000A38000-memory.dmp

Filesize
3.9MB

Download
memory/4428-140-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4428-132-0x0000000000000000-mapping.dmp

Download
memory/4428-141-0x0000000006750000-0x0000000006753000-memory.dmp

Filesize
12KB

Download
memory/4428-142-0x0000000000650000-0x0000000000A38000-memory.dmp

Filesize
3.9MB

Download
memory/4468-179-0x0000000000000000-mapping.dmp

Download
memory/4512-274-0x0000000000000000-mapping.dmp

Download
memory/4544-222-0x0000000000000000-mapping.dmp

Download
memory/4572-253-0x0000000000000000-mapping.dmp

Download
memory/4780-270-0x0000000000000000-mapping.dmp

Download
memory/5020-143-0x0000000000000000-mapping.dmp

Download