318df7404e6c4d5538a6d31997b95af52bbb8d40caf5553b3cbd9b1bc4f6db96

Analysis

max time kernel
140s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2023, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.871-Installer-1.0.6-global.exe
Size

23.6MB
MD5

7a4472a78d0651e11d20aa08e43cc045
SHA1

aab1d5f80d7399ae2c1982201733be7681d100b1
SHA256

318df7404e6c4d5538a6d31997b95af52bbb8d40caf5553b3cbd9b1bc4f6db96
SHA512

c152c9d21b0615548173dcc61accb1a1afd5b6f98e6ec21f6a7119536397f07a54ad4087669716c3344dd338ce4f24cecf9989d472f65eaa18c87d496f23c681
SSDEEP

393216:gXQLpnUN/n8IPfs/dQETVlOBbpFEj9GZ1GphRqV56Hpk7IXOzDnKI17fyVS:ggLFUp8aHExiTI3qqHp6zvKcfyVS

Score

8^/10

discovery spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	TLauncher-2.871-Installer-1.0.6-global.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	AdditionalExecuteTL.exe

Executes dropped EXE 15 IoCs

pid	Process
4108	irsetup.exe
1012	AdditionalExecuteTL.exe
1456	irsetup.exe
3732	opera-installer-bro.exe
2300	opera-installer-bro.exe
1832	opera-installer-bro.exe
1620	opera-installer-bro.exe
3648	opera-installer-bro.exe
2404	TLauncher.exe
1272	_sfx.exe
3524	assistant_installer.exe
2268	assistant_installer.exe
1180	TLauncher.exe
3576	installer.exe
2484	installer.exe

Loads dropped DLL 11 IoCs

pid	Process
4108	irsetup.exe
4108	irsetup.exe
4108	irsetup.exe
1456	irsetup.exe
3732	opera-installer-bro.exe
2300	opera-installer-bro.exe
1832	opera-installer-bro.exe
1620	opera-installer-bro.exe
3648	opera-installer-bro.exe
3576	installer.exe
2484	installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000022f43-133.dat	upx
behavioral2/files/0x0007000000022f43-134.dat	upx
behavioral2/memory/4108-137-0x00000000001E0000-0x00000000005C8000-memory.dmp	upx
behavioral2/memory/4108-142-0x00000000001E0000-0x00000000005C8000-memory.dmp	upx
behavioral2/files/0x0006000000023066-148.dat	upx
behavioral2/files/0x0006000000023066-147.dat	upx
behavioral2/memory/1456-152-0x00000000004A0000-0x0000000000888000-memory.dmp	upx
behavioral2/files/0x000600000002306a-154.dat	upx
behavioral2/files/0x000600000002306a-155.dat	upx
behavioral2/memory/3732-157-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral2/memory/1456-158-0x00000000004A0000-0x0000000000888000-memory.dmp	upx
behavioral2/files/0x000600000002306a-160.dat	upx
behavioral2/memory/2300-161-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral2/files/0x0006000000023079-164.dat	upx
behavioral2/files/0x0006000000023079-165.dat	upx
behavioral2/memory/1832-167-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral2/files/0x000600000002306a-169.dat	upx
behavioral2/files/0x000600000002306a-174.dat	upx
behavioral2/memory/1620-175-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral2/memory/3648-177-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral2/memory/2300-179-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral2/memory/4108-184-0x00000000001E0000-0x00000000005C8000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\D:	installer.exe
File opened (read-only)	\??\D:	opera-installer-bro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	opera-installer-bro.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
4108	irsetup.exe
4108	irsetup.exe
4108	irsetup.exe
4108	irsetup.exe
4108	irsetup.exe
4108	irsetup.exe
4108	irsetup.exe
1012	AdditionalExecuteTL.exe
1456	irsetup.exe
1456	irsetup.exe
1456	irsetup.exe
3732	opera-installer-bro.exe
2300	opera-installer-bro.exe
1832	opera-installer-bro.exe
1620	opera-installer-bro.exe
3648	opera-installer-bro.exe
2404	TLauncher.exe
4844	javaw.exe
1272	_sfx.exe
3524	assistant_installer.exe
2268	assistant_installer.exe
4844	javaw.exe
3576	installer.exe
1596	javaw.exe
2484	installer.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 4108	788	TLauncher-2.871-Installer-1.0.6-global.exe	80
PID 788 wrote to memory of 4108	788	TLauncher-2.871-Installer-1.0.6-global.exe	80
PID 788 wrote to memory of 4108	788	TLauncher-2.871-Installer-1.0.6-global.exe	80
PID 4108 wrote to memory of 1012	4108	irsetup.exe	93
PID 4108 wrote to memory of 1012	4108	irsetup.exe	93
PID 4108 wrote to memory of 1012	4108	irsetup.exe	93
PID 1012 wrote to memory of 1456	1012	AdditionalExecuteTL.exe	94
PID 1012 wrote to memory of 1456	1012	AdditionalExecuteTL.exe	94
PID 1012 wrote to memory of 1456	1012	AdditionalExecuteTL.exe	94
PID 1456 wrote to memory of 3732	1456	irsetup.exe	95
PID 1456 wrote to memory of 3732	1456	irsetup.exe	95
PID 1456 wrote to memory of 3732	1456	irsetup.exe	95
PID 3732 wrote to memory of 2300	3732	opera-installer-bro.exe	96
PID 3732 wrote to memory of 2300	3732	opera-installer-bro.exe	96
PID 3732 wrote to memory of 2300	3732	opera-installer-bro.exe	96
PID 3732 wrote to memory of 1832	3732	opera-installer-bro.exe	97
PID 3732 wrote to memory of 1832	3732	opera-installer-bro.exe	97
PID 3732 wrote to memory of 1832	3732	opera-installer-bro.exe	97
PID 3732 wrote to memory of 1620	3732	opera-installer-bro.exe	98
PID 3732 wrote to memory of 1620	3732	opera-installer-bro.exe	98
PID 3732 wrote to memory of 1620	3732	opera-installer-bro.exe	98
PID 1620 wrote to memory of 3648	1620	opera-installer-bro.exe	99
PID 1620 wrote to memory of 3648	1620	opera-installer-bro.exe	99
PID 1620 wrote to memory of 3648	1620	opera-installer-bro.exe	99
PID 4108 wrote to memory of 2404	4108	irsetup.exe	101
PID 4108 wrote to memory of 2404	4108	irsetup.exe	101
PID 4108 wrote to memory of 2404	4108	irsetup.exe	101
PID 2404 wrote to memory of 4844	2404	TLauncher.exe	102
PID 2404 wrote to memory of 4844	2404	TLauncher.exe	102
PID 3732 wrote to memory of 1272	3732	opera-installer-bro.exe	103
PID 3732 wrote to memory of 1272	3732	opera-installer-bro.exe	103
PID 3732 wrote to memory of 1272	3732	opera-installer-bro.exe	103
PID 3732 wrote to memory of 3524	3732	opera-installer-bro.exe	104
PID 3732 wrote to memory of 3524	3732	opera-installer-bro.exe	104
PID 3732 wrote to memory of 3524	3732	opera-installer-bro.exe	104
PID 3524 wrote to memory of 2268	3524	assistant_installer.exe	105
PID 3524 wrote to memory of 2268	3524	assistant_installer.exe	105
PID 3524 wrote to memory of 2268	3524	assistant_installer.exe	105
PID 1180 wrote to memory of 1596	1180	TLauncher.exe	107
PID 1180 wrote to memory of 1596	1180	TLauncher.exe	107
PID 1620 wrote to memory of 3576	1620	opera-installer-bro.exe	108
PID 1620 wrote to memory of 3576	1620	opera-installer-bro.exe	108
PID 3576 wrote to memory of 2484	3576	installer.exe	109
PID 3576 wrote to memory of 2484	3576	installer.exe	109

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6-global.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6-global.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:788
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6-global.exe" "__IRCT:3" "__IRTSS:24771453" "__IRSID:S-1-5-21-2891029575-1462575-1165213807-1000"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1840872" "__IRSID:S-1-5-21-2891029575-1462575-1165213807-1000"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --silent --allusers=0
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3732
      - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.37 --initial-client-data=0x320,0x344,0x348,0x2b8,0x34c,0x6f30e428,0x6f30e438,0x6f30e444
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2300
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe" --version
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1832
      - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --pin-additional-shortcuts=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=3732 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20230212011736" --session-guid=7c66166d-1753-4cea-bcbe-6ac2967b9eb8 --server-tracking-blob=N2EwYTM0MzI3OWZjOGJhMWIzZmQ3ODhlNmNkMjg4NjY3MDc5YTQ4MmZlNWY5N2ZlOTc5ZjQ2N2M2NmFhM2FlYjp7ImNvdW50cnkiOiJJTiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fbWVkaXVtPWFwYiZ1dG1fc291cmNlPU1TVEwmdXRtX2NhbXBhaWduPU9wZXJhRGVza3RvcCIsInRpbWVzdGFtcCI6IjE2NzYxNjEwNTMuOTk5NSIsInVzZXJhZ2VudCI6IlNldHVwIEZhY3RvcnkgOS4wIiwidXRtIjp7ImNhbXBhaWduIjoiT3BlcmFEZXNrdG9wIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiTVNUTCJ9LCJ1dWlkIjoiY2FkNjk1Y2UtNjBiNy00Mzk2LTlhNWItMzkyM2MyMjJhMDViIn0= --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=BC05000000000000
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.37 --initial-client-data=0x34c,0x350,0x354,0x31c,0x358,0x6e7ee428,0x6e7ee438,0x6e7ee444
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.37\installer.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.37\installer.exe" --backend --initial-pid=3732 --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --pin-additional-shortcuts=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --package-dir="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361" --session-guid=7c66166d-1753-4cea-bcbe-6ac2967b9eb8 --server-tracking-blob=N2EwYTM0MzI3OWZjOGJhMWIzZmQ3ODhlNmNkMjg4NjY3MDc5YTQ4MmZlNWY5N2ZlOTc5ZjQ2N2M2NmFhM2FlYjp7ImNvdW50cnkiOiJJTiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fbWVkaXVtPWFwYiZ1dG1fc291cmNlPU1TVEwmdXRtX2NhbXBhaWduPU9wZXJhRGVza3RvcCIsInRpbWVzdGFtcCI6IjE2NzYxNjEwNTMuOTk5NSIsInVzZXJhZ2VudCI6IlNldHVwIEZhY3RvcnkgOS4wIiwidXRtIjp7ImNhbXBhaWduIjoiT3BlcmFEZXNrdG9wIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiTVNUTCJ9LCJ1dWlkIjoiY2FkNjk1Y2UtNjBiNy00Mzk2LTlhNWItMzkyM2MyMjJhMDViIn0= --silent --desktopshortcut=1 --install-subfolder=95.0.4635.37
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.37\installer.exe
        
        C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.37\installer.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.37 --initial-client-data=0x2b8,0x2bc,0x2c0,0x294,0x2c4,0x7ff9bda0a908,0x7ff9bda0a918,0x7ff9bda0a928
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2484
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361\assistant\_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361\assistant\_sfx.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1272
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361\assistant\assistant_installer.exe" --version
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=94.0.4606.38 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2cc,0x2fc,0x11c2dc0,0x11c2dd0,0x11c2ddc
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2268
- - C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4844

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
03450676d8f864fd212eed472d53cd77

SHA1
779a0a55dc5361dfa6bdf5cc274b4199d5c9e0ae

SHA256
785fc2dfdad9bdc332135e3430a896b4f00cf60b58113cb84ce81adeb947af5d

SHA512
9cd864ba6254eb18308b4d8f08e12e293fdb3508e097ef86cf97158eec192a09e05f1cbd45bb082fd80c3a6f09d64837dd0970eeef0f242cfe252223a23a842f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
471B

MD5
1f4ed1c10e0b0c3cb9f5e9b8a7467e77

SHA1
16eb955e1825fbc737db36e82fdf8778c80e9fbb

SHA256
03eb24ad11bba3590d0100ff5bed07fa895bbff5ae7af13d5121deb4b509e918

SHA512
06c9be897247ccc5d066b597c7c485f2cd491b3ceed849d4f8ab02120715138753dea5236d43b2ec72500120792b14a25a5165a247b7b5395617e461339fefc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
434B

MD5
add9387b1b0e509698e4dd5128e20dc6

SHA1
8ab01e51f0bc27d771e343780d0e39c22ecc52a6

SHA256
bc28bdacf387c65be4ed3bc1df55f8e6d9d7891f7a8c7514438d490fd86e7683

SHA512
7d82ea7d83d6e6b018e8c746109710bccfa8669c695cf6b6b5ef053565a0a09d03efdd7a004f2627440c4ed0ca41848d5294664965d78d1ad027bf841cf09429

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.37\installer.exe

Filesize
6.2MB

MD5
47aae2b0e982e612cd33f38e019cc09f

SHA1
b5f02e2a9542401ee173ebb031b339cd7777f525

SHA256
2fe3ae2fc849195d5cdbc9644a762120a6fca55e6a16588895d013a50c28b06d

SHA512
f448fbadd906c896ce3bc301cb3ad989905c2235dd496891e645e3b2c4bb16b15e6ad9a1f11f2d3772077c7ffe5db4c06e695261d805a7c2eaa0ae7991a9beab

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.37\installer.exe

Filesize
6.2MB

MD5
47aae2b0e982e612cd33f38e019cc09f

SHA1
b5f02e2a9542401ee173ebb031b339cd7777f525

SHA256
2fe3ae2fc849195d5cdbc9644a762120a6fca55e6a16588895d013a50c28b06d

SHA512
f448fbadd906c896ce3bc301cb3ad989905c2235dd496891e645e3b2c4bb16b15e6ad9a1f11f2d3772077c7ffe5db4c06e695261d805a7c2eaa0ae7991a9beab

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
b03fa114fbfdf310448a0ac2c024dfaf

SHA1
3db8f2736cca8011ae40cca8c8c916aa895b6f05

SHA256
111463bf9857b64ccb691b4a6ad757b2cd6e2851baf418d0040b6cddb9d7c69c

SHA512
5c8495719a9c334e802e6c120856ef96301ca1b23e57e8aeff215e9080402249120626eb83e396f8be860fe3b4099be197d6f749612fb8de09b4b06417747cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
b03fa114fbfdf310448a0ac2c024dfaf

SHA1
3db8f2736cca8011ae40cca8c8c916aa895b6f05

SHA256
111463bf9857b64ccb691b4a6ad757b2cd6e2851baf418d0040b6cddb9d7c69c

SHA512
5c8495719a9c334e802e6c120856ef96301ca1b23e57e8aeff215e9080402249120626eb83e396f8be860fe3b4099be197d6f749612fb8de09b4b06417747cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361\assistant\_sfx.exe

Filesize
1.7MB

MD5
0238df215bf6943892daf85de8ad433a

SHA1
3d905e4e2c0e9170df61b7a199321847691f945e

SHA256
a7818aca6acbe347df13d51d9750f6a852c5aa2a58580f7f2015113e0a3e06d7

SHA512
fc6c12e359b9a4ce84ef878f29648a4c97c38fd12ed80996c5e03829833220010fff9c751a99f399dad3529bda6438424194ed18236addfbe430343807aaad69

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361\assistant\_sfx.exe

Filesize
1.7MB

MD5
0238df215bf6943892daf85de8ad433a

SHA1
3d905e4e2c0e9170df61b7a199321847691f945e

SHA256
a7818aca6acbe347df13d51d9750f6a852c5aa2a58580f7f2015113e0a3e06d7

SHA512
fc6c12e359b9a4ce84ef878f29648a4c97c38fd12ed80996c5e03829833220010fff9c751a99f399dad3529bda6438424194ed18236addfbe430343807aaad69

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361\assistant\assistant_installer.exe

Filesize
2.1MB

MD5
9df6e2fbb7e38964f35016bf91ef7424

SHA1
d0c1266dc46814bc6165cf6a69e90581228989a7

SHA256
3573825f31875d403832de8e06aabc2adbdf0c5279d80ea62dfcb1f159f06c1d

SHA512
b14c2224ae10c80429205a39791745b1627c1a487176c06aa105d0689e77fb0b86427e1a7d5aef5d06460070b3df4ebea41db67d54e221ea25979b3bb5318d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361\assistant\assistant_installer.exe

Filesize
2.1MB

MD5
9df6e2fbb7e38964f35016bf91ef7424

SHA1
d0c1266dc46814bc6165cf6a69e90581228989a7

SHA256
3573825f31875d403832de8e06aabc2adbdf0c5279d80ea62dfcb1f159f06c1d

SHA512
b14c2224ae10c80429205a39791745b1627c1a487176c06aa105d0689e77fb0b86427e1a7d5aef5d06460070b3df4ebea41db67d54e221ea25979b3bb5318d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361\assistant\assistant_installer.exe

Filesize
2.1MB

MD5
9df6e2fbb7e38964f35016bf91ef7424

SHA1
d0c1266dc46814bc6165cf6a69e90581228989a7

SHA256
3573825f31875d403832de8e06aabc2adbdf0c5279d80ea62dfcb1f159f06c1d

SHA512
b14c2224ae10c80429205a39791745b1627c1a487176c06aa105d0689e77fb0b86427e1a7d5aef5d06460070b3df4ebea41db67d54e221ea25979b3bb5318d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361\installer_prefs_include.json

Filesize
1KB

MD5
64799fbafdf929ff058cdc9d2db28387

SHA1
5161fed6222fd37bbda2dcd3859c0d8c640655fe

SHA256
d3db52fc90e8187e985f5bd86e4050f2e634641ed5c21f20e03b9548bf801c7b

SHA512
7224019bc96c6499175dd71056647981bc3a59fc97897aaf1804d3be13db2ace778d6960f25985f5bfa14bf5632ec8c431dd693204cd424af82a03d1788a5bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361\installer_prefs_include.json.backup

Filesize
1KB

MD5
64799fbafdf929ff058cdc9d2db28387

SHA1
5161fed6222fd37bbda2dcd3859c0d8c640655fe

SHA256
d3db52fc90e8187e985f5bd86e4050f2e634641ed5c21f20e03b9548bf801c7b

SHA512
7224019bc96c6499175dd71056647981bc3a59fc97897aaf1804d3be13db2ace778d6960f25985f5bfa14bf5632ec8c431dd693204cd424af82a03d1788a5bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361\opera_package

Filesize
86.8MB

MD5
d952728a4ce9fa6fd1df1e71f2cdad79

SHA1
62a0cdac813c83cea2f5a406a6940982f33d839a

SHA256
f115d42f06f27045cf1cf04bbfa4591789547ddb3614be6c912fa75bd4eb4cb6

SHA512
8720da841a9d31832b943fb56271e3efcb05520d0d5506a5ce823d8d5e909ebafd796d3d2b8afd82e2479329b84ee1813de5380598a7271ca9d5b64a2d3b4534

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302120117361\pref_default_overrides

Filesize
57B

MD5
f488c9f9d9d5e631484d4bf155f45442

SHA1
0f0e624770e47bea5186748a9de85c677dd84fa7

SHA256
e6f214ff5ccbbe6e7abcf309138cdcb46d3fe3915e9bbbe8dd3c15afb439f708

SHA512
d72d1daa86e650a0589f6991f7a7bb3b7ca3484d49bc0d0d703b28b8f399f3123df2bf3c949a899fab55bde7d888736f655e462e2cd02ade59bbf9e67df54064

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302120117327853732.dll

Filesize
4.6MB

MD5
5ff9275c5cee292fff9034f03bd847e1

SHA1
37bf88e062278882492823c7039b7cf374756ae0

SHA256
2309501e723a011f4bf2b505e178cbb97af4d798a8720d344f2730c4d756ee08

SHA512
f58e5981e25cd6cdd5edb9d9974f137615dee7516d221bf0df08a7425ec68361f29d7b5ca1b835c476fcbcee0df4a028bfa5308867fb3976aaba67cbf8b8dd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302120117344262300.dll

Filesize
4.6MB

MD5
5ff9275c5cee292fff9034f03bd847e1

SHA1
37bf88e062278882492823c7039b7cf374756ae0

SHA256
2309501e723a011f4bf2b505e178cbb97af4d798a8720d344f2730c4d756ee08

SHA512
f58e5981e25cd6cdd5edb9d9974f137615dee7516d221bf0df08a7425ec68361f29d7b5ca1b835c476fcbcee0df4a028bfa5308867fb3976aaba67cbf8b8dd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302120117358951832.dll

Filesize
4.6MB

MD5
5ff9275c5cee292fff9034f03bd847e1

SHA1
37bf88e062278882492823c7039b7cf374756ae0

SHA256
2309501e723a011f4bf2b505e178cbb97af4d798a8720d344f2730c4d756ee08

SHA512
f58e5981e25cd6cdd5edb9d9974f137615dee7516d221bf0df08a7425ec68361f29d7b5ca1b835c476fcbcee0df4a028bfa5308867fb3976aaba67cbf8b8dd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302120117368321620.dll

Filesize
4.6MB

MD5
5ff9275c5cee292fff9034f03bd847e1

SHA1
37bf88e062278882492823c7039b7cf374756ae0

SHA256
2309501e723a011f4bf2b505e178cbb97af4d798a8720d344f2730c4d756ee08

SHA512
f58e5981e25cd6cdd5edb9d9974f137615dee7516d221bf0df08a7425ec68361f29d7b5ca1b835c476fcbcee0df4a028bfa5308867fb3976aaba67cbf8b8dd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302120117375513648.dll

Filesize
4.6MB

MD5
5ff9275c5cee292fff9034f03bd847e1

SHA1
37bf88e062278882492823c7039b7cf374756ae0

SHA256
2309501e723a011f4bf2b505e178cbb97af4d798a8720d344f2730c4d756ee08

SHA512
f58e5981e25cd6cdd5edb9d9974f137615dee7516d221bf0df08a7425ec68361f29d7b5ca1b835c476fcbcee0df4a028bfa5308867fb3976aaba67cbf8b8dd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302120118456263576.dll

Filesize
5.5MB

MD5
7ee1a05f717605b8bb0a2282035be402

SHA1
9885b516e5853e69ad4dd61e932f445d0a5dd76d

SHA256
9abfb792127651d3f1ba83239485574fa597db9362935dc3b62a2667bff22787

SHA512
900616610198fe86cb0992e20305dce9cd46d5acff9bb89b8541da4f83f39d8831ae963c50f489d53d9640431b90b00463adef00ff14dbdcd2f5cc9f8ddeeb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302120118461412484.dll

Filesize
5.5MB

MD5
7ee1a05f717605b8bb0a2282035be402

SHA1
9885b516e5853e69ad4dd61e932f445d0a5dd76d

SHA256
9abfb792127651d3f1ba83239485574fa597db9362935dc3b62a2667bff22787

SHA512
900616610198fe86cb0992e20305dce9cd46d5acff9bb89b8541da4f83f39d8831ae963c50f489d53d9640431b90b00463adef00ff14dbdcd2f5cc9f8ddeeb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7e08af319c9eb3297e09ca7bb8387de4

SHA1
4cf091f77a3eb9437ef33985e64bd10c1257284f

SHA256
6c006c982746826a613bc0f09890955a1cdca309d9d98572aed35ad782dd11c8

SHA512
bb7aaebd3f6c1ff18bd0cb9eb9347894f0785dc011ec9765d9bc180de9b60769c891151626fdef88aa3fd53ae6246c1cb91f723933da54920bfbc8a5a24f8851

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7e08af319c9eb3297e09ca7bb8387de4

SHA1
4cf091f77a3eb9437ef33985e64bd10c1257284f

SHA256
6c006c982746826a613bc0f09890955a1cdca309d9d98572aed35ad782dd11c8

SHA512
bb7aaebd3f6c1ff18bd0cb9eb9347894f0785dc011ec9765d9bc180de9b60769c891151626fdef88aa3fd53ae6246c1cb91f723933da54920bfbc8a5a24f8851

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
b03fa114fbfdf310448a0ac2c024dfaf

SHA1
3db8f2736cca8011ae40cca8c8c916aa895b6f05

SHA256
111463bf9857b64ccb691b4a6ad757b2cd6e2851baf418d0040b6cddb9d7c69c

SHA512
5c8495719a9c334e802e6c120856ef96301ca1b23e57e8aeff215e9080402249120626eb83e396f8be860fe3b4099be197d6f749612fb8de09b4b06417747cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
b03fa114fbfdf310448a0ac2c024dfaf

SHA1
3db8f2736cca8011ae40cca8c8c916aa895b6f05

SHA256
111463bf9857b64ccb691b4a6ad757b2cd6e2851baf418d0040b6cddb9d7c69c

SHA512
5c8495719a9c334e802e6c120856ef96301ca1b23e57e8aeff215e9080402249120626eb83e396f8be860fe3b4099be197d6f749612fb8de09b4b06417747cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
b03fa114fbfdf310448a0ac2c024dfaf

SHA1
3db8f2736cca8011ae40cca8c8c916aa895b6f05

SHA256
111463bf9857b64ccb691b4a6ad757b2cd6e2851baf418d0040b6cddb9d7c69c

SHA512
5c8495719a9c334e802e6c120856ef96301ca1b23e57e8aeff215e9080402249120626eb83e396f8be860fe3b4099be197d6f749612fb8de09b4b06417747cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
b03fa114fbfdf310448a0ac2c024dfaf

SHA1
3db8f2736cca8011ae40cca8c8c916aa895b6f05

SHA256
111463bf9857b64ccb691b4a6ad757b2cd6e2851baf418d0040b6cddb9d7c69c

SHA512
5c8495719a9c334e802e6c120856ef96301ca1b23e57e8aeff215e9080402249120626eb83e396f8be860fe3b4099be197d6f749612fb8de09b4b06417747cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
b03fa114fbfdf310448a0ac2c024dfaf

SHA1
3db8f2736cca8011ae40cca8c8c916aa895b6f05

SHA256
111463bf9857b64ccb691b4a6ad757b2cd6e2851baf418d0040b6cddb9d7c69c

SHA512
5c8495719a9c334e802e6c120856ef96301ca1b23e57e8aeff215e9080402249120626eb83e396f8be860fe3b4099be197d6f749612fb8de09b4b06417747cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
643B

MD5
32872c34bd5150411ad0071795ecc4c7

SHA1
23d22975b7918dd8db098ad1bf0c36ed71ebb166

SHA256
681708cc3b67759687605271ce1bb45cf94d163bbeafd63e0f8e4059140bd997

SHA512
a71c19915d031f30972e4cee9cc6e147e2c3d269e3f48fa132c06eda45ac375f4eb5f30c8621889fc6b10a751ef31363af1c25ce5baf61b3334c48928f6ba06e

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
5.2MB

MD5
58e22c0ee91280156cdaadacac7acddb

SHA1
189c552c94a9b0ae0208763bca77f2801debc224

SHA256
765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714

SHA512
9f510c896d641919b037e201f5ba9de476241e7cab1004d92a85df4b9240ff947737619921b1223cd926c8c5a6e667dc76cad37e818d2a9d144b826836d562c6

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
5.2MB

MD5
58e22c0ee91280156cdaadacac7acddb

SHA1
189c552c94a9b0ae0208763bca77f2801debc224

SHA256
765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714

SHA512
9f510c896d641919b037e201f5ba9de476241e7cab1004d92a85df4b9240ff947737619921b1223cd926c8c5a6e667dc76cad37e818d2a9d144b826836d562c6

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
5.2MB

MD5
58e22c0ee91280156cdaadacac7acddb

SHA1
189c552c94a9b0ae0208763bca77f2801debc224

SHA256
765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714

SHA512
9f510c896d641919b037e201f5ba9de476241e7cab1004d92a85df4b9240ff947737619921b1223cd926c8c5a6e667dc76cad37e818d2a9d144b826836d562c6

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\aopalliance\aopalliance\1.0\aopalliance-1.0.jar

Filesize
4KB

MD5
04177054e180d09e3998808efa0401c7

SHA1
0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8

SHA256
0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08

SHA512
3f44a932d8c00cfeee2eb057bcd7c301a2d029063e0a916e1e20b3aec4877d19d67a2fd8aaf58fa2d5a00133d1602128a7f50912ffb6cabc7b0fdc7fbda3f8a1

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\guava\guava\19.0\guava-19.0.jar

Filesize
832KB

MD5
1b8584d5c939ec28be588fbbfda4e085

SHA1
d63bba78716205bfd52c0caac24cfec48778e83c

SHA256
3bd4232a2091ffc6c2a95fe96080347887906a27829da4f907ad9b868fb879af

SHA512
350093993ce719d1e44784dc774878d5187e1096535c0366aa2752257dcf9a3d2e2d8ec661957f530a866b574a6342680ba5a4a5bd59542cd0aff3b83416f986

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\javax\inject\javax.inject\1\javax.inject-1.jar

Filesize
2KB

MD5
289075e48b909e9e74e6c915b3631d2e

SHA1
6975da39a7040257bd51d21a231b76c915872d38

SHA256
91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff

SHA512
e126b7ccf3e42fd1984a0beef1004a7269a337c202e59e04e8e2af714280d2f2d8d2ba5e6f59481b8dcd34aaf35c966a688d0b48ec7e96f102c274dc0d3b381e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\doubleRunningProtection.txt

Filesize
13B

MD5
af81528ee0db492a69c0787c63bd20e5

SHA1
a999b38936a308981347801457f919deff740529

SHA256
b1b93d2977709b57fad6ad7ab11c86a21fe68b5d50b9d120fc9f38803c206077

SHA512
64c643f6d7d4854cd7a506084cc985fed1f60359b83758f75e23371974596dfe1de4ab7990ce077bdf12d5541b7e39922b85f577c48a40254d18c1bd6444c2e4

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
adb6c26aba74acbb4da1f775d45c29f5

SHA1
6e7b5e0345ead590d81f0327241cd7f1befecd5e

SHA256
6faa25af4020fcb7d99f63255bf9fa542bbacd82b4aaa4e75ddaaa3114544f77

SHA512
652e69303275ee8f28bc27f332886043841bd80a212fe1363db03df4ad5b79991df08ff3285da5c9077faaa453529a36a17f2aafc4cceb90f4d8fa6b23e9c1e6

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
adb6c26aba74acbb4da1f775d45c29f5

SHA1
6e7b5e0345ead590d81f0327241cd7f1befecd5e

SHA256
6faa25af4020fcb7d99f63255bf9fa542bbacd82b4aaa4e75ddaaa3114544f77

SHA512
652e69303275ee8f28bc27f332886043841bd80a212fe1363db03df4ad5b79991df08ff3285da5c9077faaa453529a36a17f2aafc4cceb90f4d8fa6b23e9c1e6

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
adb6c26aba74acbb4da1f775d45c29f5

SHA1
6e7b5e0345ead590d81f0327241cd7f1befecd5e

SHA256
6faa25af4020fcb7d99f63255bf9fa542bbacd82b4aaa4e75ddaaa3114544f77

SHA512
652e69303275ee8f28bc27f332886043841bd80a212fe1363db03df4ad5b79991df08ff3285da5c9077faaa453529a36a17f2aafc4cceb90f4d8fa6b23e9c1e6

Download Submit
memory/1456-158-0x00000000004A0000-0x0000000000888000-memory.dmp

Filesize
3.9MB

Download
memory/1456-152-0x00000000004A0000-0x0000000000888000-memory.dmp

Filesize
3.9MB

Download
memory/1596-216-0x0000000003020000-0x0000000004020000-memory.dmp

Filesize
16.0MB

Download
memory/1596-252-0x0000000003020000-0x0000000004020000-memory.dmp

Filesize
16.0MB

Download
memory/1620-175-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/1832-167-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/2300-161-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/2300-179-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/3648-177-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/3732-157-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/4108-184-0x00000000001E0000-0x00000000005C8000-memory.dmp

Filesize
3.9MB

Download
memory/4108-142-0x00000000001E0000-0x00000000005C8000-memory.dmp

Filesize
3.9MB

Download
memory/4108-141-0x00000000063F0000-0x00000000063F3000-memory.dmp

Filesize
12KB

Download
memory/4108-140-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4108-137-0x00000000001E0000-0x00000000005C8000-memory.dmp

Filesize
3.9MB

Download
memory/4844-197-0x00000000030F0000-0x00000000040F0000-memory.dmp

Filesize
16.0MB

Download
memory/4844-205-0x00000000030F0000-0x00000000040F0000-memory.dmp

Filesize
16.0MB

Download
memory/4844-234-0x00000000030F0000-0x00000000040F0000-memory.dmp

Filesize
16.0MB

Download
memory/4844-240-0x00000000030F0000-0x00000000040F0000-memory.dmp

Filesize
16.0MB

Download
memory/4844-220-0x00000000030F0000-0x00000000040F0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads