bazarbackdoor | a4ff6ac33f545c591a3974d52f83f751abbba7b3ad33bc0b47611dcd620cd8db

Analysis

max time kernel
146s
max time network
145s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-03-2023 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.876-Installer-1.0.7.exe
Size

22.7MB
MD5

d2ed0869a108f2abfa557e90595f90a6
SHA1

178bb5c3ca43537803110e9d24446ededfc65073
SHA256

a4ff6ac33f545c591a3974d52f83f751abbba7b3ad33bc0b47611dcd620cd8db
SHA512

09c56700012252e1b88119b597410b86412b5ae9cd27585d49e8567160d56c34df4d49d42bca207acc38ee721d9a269d262e0bb113a967d260d58f93113515be
SSDEEP

393216:AXHgRSooP0wpAVl/Pfs/dQETVlOBbpFEjdGphRqV56HpkvQFa2Vj4h2cO:A3IdO0wqfHHExi73qqHpU2Vj4h+

Score

10^/10

bazarbackdoor adware backdoor discovery persistence spyware stealer upx

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe	BazarBackdoorVar3
\Users\Admin\AppData\Local\Temp\jre-windows.exe	BazarBackdoorVar3
\Users\Admin\AppData\Local\Temp\jds7154985.tmp\jre-windows.exe	BazarBackdoorVar3
C:\Windows\Installer\6db6c2.msi	BazarBackdoorVar3

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

46 2616 msiexec.exe
Downloads MZ/PE file

flow	pid	process
46	2616	msiexec.exe

Executes dropped EXE 23 IoCs

Processes:

irsetup.exeBrowserInstaller.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exejre-windows.exe_sfx.exeassistant_installer.exeassistant_installer.exejre-windows.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exe

pid	process
1760	irsetup.exe
1804	BrowserInstaller.exe
1108	irsetup.exe
1920	opera-installer-bro.exe
1156	opera-installer-bro.exe
664	opera-installer-bro.exe
2588	opera-installer-bro.exe
2684	opera-installer-bro.exe
2336	jre-windows.exe
2628	_sfx.exe
2252	assistant_installer.exe
2352	assistant_installer.exe
2384	jre-windows.exe
2808	installer.exe
2600	bspatch.exe
2708	unpack200.exe
2732	unpack200.exe
2736	unpack200.exe
2788	unpack200.exe
3000	unpack200.exe
2260	unpack200.exe
3020	unpack200.exe
1476	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

TLauncher-2.876-Installer-1.0.7.exeirsetup.exeBrowserInstaller.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exejre-windows.exeassistant_installer.exeMsiExec.exemsiexec.exebspatch.exeinstaller.exeunpack200.exe

pid	process
316	TLauncher-2.876-Installer-1.0.7.exe
316	TLauncher-2.876-Installer-1.0.7.exe
316	TLauncher-2.876-Installer-1.0.7.exe
316	TLauncher-2.876-Installer-1.0.7.exe
1760	irsetup.exe
1760	irsetup.exe
1760	irsetup.exe
1760	irsetup.exe
1760	irsetup.exe
1760	irsetup.exe
1760	irsetup.exe
1760	irsetup.exe
1804	BrowserInstaller.exe
1804	BrowserInstaller.exe
1804	BrowserInstaller.exe
1804	BrowserInstaller.exe
1108	irsetup.exe
1108	irsetup.exe
1108	irsetup.exe
1108	irsetup.exe
1108	irsetup.exe
1108	irsetup.exe
1108	irsetup.exe
1108	irsetup.exe
1920	opera-installer-bro.exe
1920	opera-installer-bro.exe
1156	opera-installer-bro.exe
1920	opera-installer-bro.exe
664	opera-installer-bro.exe
1920	opera-installer-bro.exe
2588	opera-installer-bro.exe
2588	opera-installer-bro.exe
2684	opera-installer-bro.exe
1760	irsetup.exe
1920	opera-installer-bro.exe
1920	opera-installer-bro.exe
1920	opera-installer-bro.exe
1920	opera-installer-bro.exe
2336	jre-windows.exe
2252	assistant_installer.exe
1248
2416	MsiExec.exe
2416	MsiExec.exe
2416	MsiExec.exe
2616	msiexec.exe
2600	bspatch.exe
2600	bspatch.exe
2600	bspatch.exe
2808	installer.exe
2708	unpack200.exe
2708	unpack200.exe
2708	unpack200.exe
2708	unpack200.exe
2708	unpack200.exe
2708	unpack200.exe
2708	unpack200.exe
2708	unpack200.exe
2708	unpack200.exe
2708	unpack200.exe
2708	unpack200.exe
2708	unpack200.exe
2708	unpack200.exe
2708	unpack200.exe
2708	unpack200.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0047-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0065-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0084-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0072-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0044-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0050-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0040-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0072-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0096-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0037-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0090-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0048-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0074-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0063-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0053-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0059-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0091-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0064-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0065-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0086-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0031-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0069-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0062-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0099-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0050-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}\InprocServer32	installer.exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/1760-249-0x0000000000140000-0x0000000000528000-memory.dmp	upx
behavioral1/memory/1760-368-0x0000000000140000-0x0000000000528000-memory.dmp	upx
behavioral1/memory/1760-385-0x0000000000140000-0x0000000000528000-memory.dmp	upx
behavioral1/memory/1760-386-0x0000000000140000-0x0000000000528000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/1760-440-0x0000000000140000-0x0000000000528000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
behavioral1/memory/1108-485-0x0000000001060000-0x0000000001448000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe	upx
behavioral1/memory/1920-1046-0x0000000001070000-0x00000000015B5000-memory.dmp	upx
behavioral1/memory/664-1080-0x0000000000D30000-0x0000000001275000-memory.dmp	upx
behavioral1/memory/2588-1251-0x0000000001070000-0x00000000015B5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/1156-1248-0x0000000001070000-0x00000000015B5000-memory.dmp	upx
behavioral1/memory/1108-1246-0x0000000001060000-0x0000000001448000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/1760-1081-0x0000000000140000-0x0000000000528000-memory.dmp	upx
behavioral1/memory/2684-1405-0x0000000001070000-0x00000000015B5000-memory.dmp	upx
behavioral1/memory/1760-1415-0x0000000000140000-0x0000000000528000-memory.dmp	upx
behavioral1/memory/1760-1450-0x0000000000140000-0x0000000000528000-memory.dmp	upx
behavioral1/memory/1760-1613-0x0000000000140000-0x0000000000528000-memory.dmp	upx
behavioral1/memory/1108-1623-0x0000000001060000-0x0000000001448000-memory.dmp	upx
behavioral1/memory/2600-2020-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2600-2033-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

opera-installer-bro.exemsiexec.exeopera-installer-bro.exe

description	ioc	process
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe

Drops file in System32 directory 1 IoCs

Processes:

installer.exe

description ioc process

File created C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exejavaw.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_351\lib\psfont.properties.ja	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_7225233\java.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\ucrtbase.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_it.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\ffjcext.zip	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_7225233\javaw.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\lcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\net.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\asm.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\javaws.policy	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jdwp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\plugin2\vcruntime140.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-file-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-sysinfo-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\java.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_sv.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-localization-l1-2-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-time-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fontconfig.bfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jsse.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\server\classes.jsa	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\cryptix.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\dom.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\cmm\PYCC.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fontconfig.properties.src	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fonts\LucidaTypewriterRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\win32_MoveDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-heap-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\dt_shmem.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_pt_BR.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\management\jmxremote.password.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\gstreamer-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\libpng.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\libxml2.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\public_suffix.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fonts\LucidaSansRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-string-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-utility-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\jopt-simple.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\relaxngom.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\sunjce_provider.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\flavormap.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\webkit.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\ecc.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\joni.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\plugin.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-util-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\mlib_image.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\jcup.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\dtplugin\npdeployJava1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\java-rmi.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\win32_CopyDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\management\snmp.acl.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\java.policy	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\j2pcsc.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_zh_TW.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\libffi.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\management-agent.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\currency.data	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_de.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jfr\profile.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\prism_d3d.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\rmiregistry.exe	installer.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIC6FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE3CE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE5F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB6E.tmp	msiexec.exe
File created	C:\Windows\Installer\6db6c6.msi	msiexec.exe
File created	C:\Windows\Installer\6db6c2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6db6c2.msi	msiexec.exe
File created	C:\Windows\Installer\6db6c4.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exeirsetup.exejre-windows.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0063-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0051-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0076-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0050-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0093-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0051-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0075-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0043-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0071-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0053-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_33"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0068-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_68"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0077-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0048-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_48"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_32"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0074-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0039-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0051-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0027-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0087-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_87"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0045-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0084-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0081-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0064-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_64"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0070-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0077-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0056-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_56"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0057-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0082-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0058-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0085-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0061-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_35"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0061-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0086-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_86"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_06"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0099-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.0_05"	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0045-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0032-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0098-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0083-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0094-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0056-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0086-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0089-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0040-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0051-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_51"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0056-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0085-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_33"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0088-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_11"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0079-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0082-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0050-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0065-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_65"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0099-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0060-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0064-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0097-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0097-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InProcServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0051-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_51"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_17"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_26"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0063-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_04"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_18"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_26"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0068-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_11"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0059-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

irsetup.exeopera-installer-bro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	opera-installer-bro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-windows.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2384	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2384	jre-windows.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeSecurityPrivilege	2616	msiexec.exe
Token: SeCreateTokenPrivilege	2384	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	2384	jre-windows.exe
Token: SeLockMemoryPrivilege	2384	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2384	jre-windows.exe
Token: SeMachineAccountPrivilege	2384	jre-windows.exe
Token: SeTcbPrivilege	2384	jre-windows.exe
Token: SeSecurityPrivilege	2384	jre-windows.exe
Token: SeTakeOwnershipPrivilege	2384	jre-windows.exe
Token: SeLoadDriverPrivilege	2384	jre-windows.exe
Token: SeSystemProfilePrivilege	2384	jre-windows.exe
Token: SeSystemtimePrivilege	2384	jre-windows.exe
Token: SeProfSingleProcessPrivilege	2384	jre-windows.exe
Token: SeIncBasePriorityPrivilege	2384	jre-windows.exe
Token: SeCreatePagefilePrivilege	2384	jre-windows.exe
Token: SeCreatePermanentPrivilege	2384	jre-windows.exe
Token: SeBackupPrivilege	2384	jre-windows.exe
Token: SeRestorePrivilege	2384	jre-windows.exe
Token: SeShutdownPrivilege	2384	jre-windows.exe
Token: SeDebugPrivilege	2384	jre-windows.exe
Token: SeAuditPrivilege	2384	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	2384	jre-windows.exe
Token: SeChangeNotifyPrivilege	2384	jre-windows.exe
Token: SeRemoteShutdownPrivilege	2384	jre-windows.exe
Token: SeUndockPrivilege	2384	jre-windows.exe
Token: SeSyncAgentPrivilege	2384	jre-windows.exe
Token: SeEnableDelegationPrivilege	2384	jre-windows.exe
Token: SeManageVolumePrivilege	2384	jre-windows.exe
Token: SeImpersonatePrivilege	2384	jre-windows.exe
Token: SeCreateGlobalPrivilege	2384	jre-windows.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

irsetup.exeirsetup.exejre-windows.exe

pid	process
1760	irsetup.exe
1760	irsetup.exe
1760	irsetup.exe
1760	irsetup.exe
1760	irsetup.exe
1760	irsetup.exe
1108	irsetup.exe
1108	irsetup.exe
2384	jre-windows.exe
2384	jre-windows.exe
2384	jre-windows.exe
2384	jre-windows.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-2.876-Installer-1.0.7.exeirsetup.exeBrowserInstaller.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exe

description	pid	process	target process
PID 316 wrote to memory of 1760	316	TLauncher-2.876-Installer-1.0.7.exe	irsetup.exe
PID 316 wrote to memory of 1760	316	TLauncher-2.876-Installer-1.0.7.exe	irsetup.exe
PID 316 wrote to memory of 1760	316	TLauncher-2.876-Installer-1.0.7.exe	irsetup.exe
PID 316 wrote to memory of 1760	316	TLauncher-2.876-Installer-1.0.7.exe	irsetup.exe
PID 316 wrote to memory of 1760	316	TLauncher-2.876-Installer-1.0.7.exe	irsetup.exe
PID 316 wrote to memory of 1760	316	TLauncher-2.876-Installer-1.0.7.exe	irsetup.exe
PID 316 wrote to memory of 1760	316	TLauncher-2.876-Installer-1.0.7.exe	irsetup.exe
PID 1760 wrote to memory of 1804	1760	irsetup.exe	BrowserInstaller.exe
PID 1760 wrote to memory of 1804	1760	irsetup.exe	BrowserInstaller.exe
PID 1760 wrote to memory of 1804	1760	irsetup.exe	BrowserInstaller.exe
PID 1760 wrote to memory of 1804	1760	irsetup.exe	BrowserInstaller.exe
PID 1760 wrote to memory of 1804	1760	irsetup.exe	BrowserInstaller.exe
PID 1760 wrote to memory of 1804	1760	irsetup.exe	BrowserInstaller.exe
PID 1760 wrote to memory of 1804	1760	irsetup.exe	BrowserInstaller.exe
PID 1804 wrote to memory of 1108	1804	BrowserInstaller.exe	irsetup.exe
PID 1804 wrote to memory of 1108	1804	BrowserInstaller.exe	irsetup.exe
PID 1804 wrote to memory of 1108	1804	BrowserInstaller.exe	irsetup.exe
PID 1804 wrote to memory of 1108	1804	BrowserInstaller.exe	irsetup.exe
PID 1804 wrote to memory of 1108	1804	BrowserInstaller.exe	irsetup.exe
PID 1804 wrote to memory of 1108	1804	BrowserInstaller.exe	irsetup.exe
PID 1804 wrote to memory of 1108	1804	BrowserInstaller.exe	irsetup.exe
PID 1108 wrote to memory of 1920	1108	irsetup.exe	opera-installer-bro.exe
PID 1108 wrote to memory of 1920	1108	irsetup.exe	opera-installer-bro.exe
PID 1108 wrote to memory of 1920	1108	irsetup.exe	opera-installer-bro.exe
PID 1108 wrote to memory of 1920	1108	irsetup.exe	opera-installer-bro.exe
PID 1108 wrote to memory of 1920	1108	irsetup.exe	opera-installer-bro.exe
PID 1108 wrote to memory of 1920	1108	irsetup.exe	opera-installer-bro.exe
PID 1108 wrote to memory of 1920	1108	irsetup.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 1156	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 1156	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 1156	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 1156	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 1156	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 1156	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 1156	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 664	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 664	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 664	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 664	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 664	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 664	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 664	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 2588	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 2588	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 2588	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 2588	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 2588	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 2588	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 1920 wrote to memory of 2588	1920	opera-installer-bro.exe	opera-installer-bro.exe
PID 2588 wrote to memory of 2684	2588	opera-installer-bro.exe	opera-installer-bro.exe
PID 2588 wrote to memory of 2684	2588	opera-installer-bro.exe	opera-installer-bro.exe
PID 2588 wrote to memory of 2684	2588	opera-installer-bro.exe	opera-installer-bro.exe
PID 2588 wrote to memory of 2684	2588	opera-installer-bro.exe	opera-installer-bro.exe
PID 2588 wrote to memory of 2684	2588	opera-installer-bro.exe	opera-installer-bro.exe
PID 2588 wrote to memory of 2684	2588	opera-installer-bro.exe	opera-installer-bro.exe
PID 2588 wrote to memory of 2684	2588	opera-installer-bro.exe	opera-installer-bro.exe
PID 1760 wrote to memory of 2336	1760	irsetup.exe	jre-windows.exe
PID 1760 wrote to memory of 2336	1760	irsetup.exe	jre-windows.exe
PID 1760 wrote to memory of 2336	1760	irsetup.exe	jre-windows.exe
PID 1760 wrote to memory of 2336	1760	irsetup.exe	jre-windows.exe
PID 1920 wrote to memory of 2628	1920	opera-installer-bro.exe	_sfx.exe
PID 1920 wrote to memory of 2628	1920	opera-installer-bro.exe	_sfx.exe
PID 1920 wrote to memory of 2628	1920	opera-installer-bro.exe	_sfx.exe
PID 1920 wrote to memory of 2628	1920	opera-installer-bro.exe	_sfx.exe

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7.exe" "__IRCT:3" "__IRTSS:23742686" "__IRSID:S-1-5-21-2647223082-2067913677-935928954-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816338 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1840798" "__IRSID:S-1-5-21-2647223082-2067913677-935928954-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --silent --allusers=0
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=96.0.4693.80 --initial-client-data=0x1a4,0x1a8,0x1ac,0x178,0x1b0,0x718924a8,0x718924b8,0x718924c4
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1156
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe" --version
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:664
      - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=1920 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20230319105658" --session-guid=85b3ae4c-82ab-470b-9985-09a54b3a9894 --server-tracking-blob=NWQ1MThjZGMzODlmMDZiZmM3NzdmMmU0ZWVjNjNmMTI5NmU2MWRiNGU1ZjFjMGUyM2JjNTI1MzAxNWFkODJjMTp7ImNvdW50cnkiOiJJTiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fbWVkaXVtPWFwYiZ1dG1fc291cmNlPU1TVEwmdXRtX2NhbXBhaWduPU9wZXJhRGVza3RvcCIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjciLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNjc5MjE5ODEyLjk1MjQiLCJ1c2VyYWdlbnQiOiJTZXR1cCBGYWN0b3J5IDkuMCIsInV0bSI6eyJjYW1wYWlnbiI6Ik9wZXJhRGVza3RvcCIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Ik1TVEwifSwidXVpZCI6ImZiYTBlYmQ2LTUxZmItNGMyNS1hNDY3LTU1MTRlNDMzNzZmZiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1403000000000000
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=96.0.4693.80 --initial-client-data=0x1b0,0x1b4,0x1b8,0x178,0x1bc,0x70df24a8,0x70df24b8,0x70df24c4
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2684
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\assistant\_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\assistant\_sfx.exe"
        6⤵
        Executes dropped EXE
        
        PID:2628
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\assistant\assistant_installer.exe" --version
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2252
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\jds7154985.tmp\jre-windows.exe
      "C:\Users\Admin\AppData\Local\Temp\jds7154985.tmp\jre-windows.exe" "STATIC=1"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2384

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=96.0.4693.50 --initial-client-data=0x148,0x14c,0x150,0x11c,0x154,0xb66c28,0xb66c38,0xb66c44
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2616
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 3296039100A7478C56E1AC15A5FCFC51
  2⤵
  - Loads dropped DLL
  PID:2416
- C:\Program Files\Java\jre1.8.0_351\installer.exe
  "C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:2808
- - C:\ProgramData\Oracle\Java\installcache_x64\7206762.tmp\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2600
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_351\lib/plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2708
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_351\lib/javaws.jar"
    3⤵
    - Executes dropped EXE
    PID:2732
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_351\lib/deploy.jar"
    3⤵
    - Executes dropped EXE
    PID:2736
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_351\lib/rt.jar"
    3⤵
    - Executes dropped EXE
    PID:2788
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_351\lib/jsse.jar"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3000
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_351\lib/charsets.jar"
    3⤵
    - Executes dropped EXE
    PID:2260
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.jar"
    3⤵
    - Executes dropped EXE
    PID:3020
- - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_351\bin\javacpl.exe

Filesize
103KB

MD5
7a9d69862a2021508931a197cd6501ec

SHA1
a0f7d313a874552f4972784d15042b564e4067fc

SHA256
51ff63cbac78bd133333e98d91b02b652c88cd57cedd0052519051a17be77856

SHA512
5c331e6deefc8256ea203d63770484f6b485d4c3832a60ecf4a540dff3cb75a76dbde37980fe1763ca487401b68126f58f8d1a4c72ee610f5144c624c4736850

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe

Filesize
446KB

MD5
24ccb37646e1f52ce4f47164cccf2b91

SHA1
bc265e26417026286d6ed951904305086c4f693c

SHA256
adf2d659c2b2a4afff1ca58f3a742d27d767d27eabeca6a8b6ee243e9c913a39

SHA512
cb174e7a219f6ffae3715e37beb428979bc1462202729c05a25fa7b8da90e2dd6faa92c03cd9ca21567d354dce7acc1852669f4071298e953d6a286243794e32

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

Filesize
182B

MD5
7fadb9e200dbbd992058cefa41212796

SHA1
e2525d7ba66bb07bc1cd5ba93f88c54e7e2042b4

SHA256
b05abacd15117b1ffcd2a288308f50c0542214d264b852eddfa9025307ac401b

SHA512
94b7bf1f1f5cea2a74f8c326113dd25652cb14e5fa356ac83d16b6ac5a5cac26c9d2b20259f5c2cf8ebc1e022490511e2996335a5d8dd7f5b64dce429fb6dfb1

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url

Filesize
178B

MD5
3b1c6b5701ef2829986a6bdc3f6fbf94

SHA1
1a2fe685aba9430625cba281d1a8f7ba9d392af0

SHA256
6a2cdce88637830202e1031bc8c11f083103a6bbb8c1ce16fb805671a46633c8

SHA512
f3391d790bb6acb1c25b82253b19c334e7cd73648e9821b7050fefbd5b0bc4b48a0cedd97e425a83c788f9b798337d33dee2e989771604c4f886da46d2debea0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
471B

MD5
b810253646056c2366b824aae40e8bef

SHA1
2d6e5e506f1adef14eac5bf1fad0f572af8c7292

SHA256
586c9d7219d3920a4f3b356f58c49909797a309b2ffa600b7b859f1f092e1c2e

SHA512
7811b0809374120a24edab497dbbce5a8957ccd4f6e6ffa1d0a90523447d6e0d8eda0bacfb0781cb04450f101719a52d5413fa7728e0cfcb63a5e146087c2cb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa1a7a7ee1c2e816436aa742d2714359

SHA1
6bb378e83040412f759433ed381a60da1c929f8f

SHA256
b236ab7b3e15d87f831fa4b32e5cc77110d4c05191f6c99af7ec4a3d675792e5

SHA512
2eebfe165dd945d9e01c80afc5b5c1b63aeb08fbd880fb81d0611c191609bb9dc3d075f82b0f72f9d8d97ac630d3fa4b47f1104642ead22b79f40f886e7bfec2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
434B

MD5
36834e0f97bfbf4ff1c4aeee28d7ce19

SHA1
cb692b77a035f3078fb3ae1779ae5de157516599

SHA256
9c9499cafd54215a5bfeafb8c1d0acb6e19f117ca578b3d8b6bf88ed9aa35254

SHA512
088e3f74da82e2a7f434005213da6374c1cd9a7128ed670d61830ac84a0352635216012f9c20f1820ffdc7df3a54f4f02d9f537d457db596178b5090aa14c275

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
5b635c392112feb43e2488647c41454f

SHA1
469a7bdafa9311d79bd6ac62f91640c54ad64e1a

SHA256
e31f308f656b2f3fb9f5f064954d6b06ffeb3611becf6de174e5654283542e94

SHA512
cefc136de676a73f09aa7acbad7dc0517083d0af0384b8a2010259cfeceb3f5fb1b84ad3cea7d48f56dd0824ab167f4f10ab5e8f7f8bf3c7c05b19168cae651f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\additional_file0.tmp

Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\assistant\_sfx.exe

Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\assistant\_sfx.exe

Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\assistant\assistant_installer.exe

Filesize
2.1MB

MD5
2f3d9e21e232b9bfea064d3b2264db06

SHA1
bafddc657d8d1bb531683b29b0342cc065ee51d2

SHA256
25528c314aed2b5391ca1d08c736a3807142aab21ae99d5970f2a862c8258d5d

SHA512
94e81aa3015b7e112bf772b52b2dd6092f5634746e201171b34b2493a62b08fbbf53a6d6c60c904c424c06e802aae6810c6dd88cf7a882846bc0a4793c3b32e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\assistant\assistant_installer.exe

Filesize
2.1MB

MD5
2f3d9e21e232b9bfea064d3b2264db06

SHA1
bafddc657d8d1bb531683b29b0342cc065ee51d2

SHA256
25528c314aed2b5391ca1d08c736a3807142aab21ae99d5970f2a862c8258d5d

SHA512
94e81aa3015b7e112bf772b52b2dd6092f5634746e201171b34b2493a62b08fbbf53a6d6c60c904c424c06e802aae6810c6dd88cf7a882846bc0a4793c3b32e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\opera_package

Filesize
86.9MB

MD5
6b7771354e081eb94cdbf7627799da4f

SHA1
199341a750443cc6e9b2b2fa1e657d0dd327711f

SHA256
494d1247e61eebf703a6eb19c14bde88edd2f85515fefa4f0465f43873e69aab

SHA512
33e781a102ba3f5c3b1895540bc9c43b78bf4f19af4b91ae0c765594f39d6569d1bad207b33f808426d8ebdcb00c419b7bb76bb050bae0bb843f96dd84355800

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC18C.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_230319105655904664.dll

Filesize
4.6MB

MD5
927a01657c6bee50ca093ffcfdc9134a

SHA1
f7e484a777affe3c6227a2be0a6560111e1be8f9

SHA256
b1012ab0e2e6a363372a14b480b4c8275c013e66c94adfb8857e523899350cc9

SHA512
718c25b4e95948b728fe7eda6c5953bc0246dc5730ba99a71c3963ebcffda58b1759bf2554fca297d1590d8768d50e0fd9c39bdf790f4d372bc4aa255bfb5db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar14FA.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC19E.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG

Filesize
339B

MD5
77942ad4995e0d60ba9cd6bb1e57d2a5

SHA1
a2b6a5e0a4be873cbbcfcd76337244ccc4f5f7b6

SHA256
6f7826d544b5b82e639e374fdcf06b544451106cd0e796e1347c7972def94217

SHA512
5e714a7cf78c156cc38ce952d8c4b87d6afec1ace25f9c0a7453f8321cbbcbba0958d0e28e66b2c142dadbe2ef8ffac39479e9b62317fa38bc89f00fe2221f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG104.PNG

Filesize
644B

MD5
b5aad713a58dad9ba81e57c60654727f

SHA1
e4235836ecf0b5f20673ecfd02e8ea6058474c80

SHA256
9565c84d9dbc68abde134446dcd335f11a26073b5ad47216449d2f0e96a150c4

SHA512
2ff2ea11eca3ffe7f34afad49d5c3b0c11a3ee0e16d158c1f0b0cf481598c4970ee47c0a234ca3f69ae603829f4945a5e6d3b5eb709910510cecb7934999e158

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG109.PNG

Filesize
2KB

MD5
970cc701c3b2bb4b51152cee033a9c56

SHA1
d8ca55ca4df931de7b2d213befab66be8cd09270

SHA256
6b318a1bb1fed17c423e7ebdb00700fbed625f6302eb498ff66f67b6ddf064a9

SHA512
55a6bd0a09c29b9d643ed17186ac267154da71be0405a102b51581ecfe6e932dbca86694b43843f02dd25c3cc750346027c5e1fc5b4a455529a20cdec3c1ee20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG124.PNG

Filesize
40KB

MD5
10c772af771b4a66071baaed44524c13

SHA1
66fb98f63a96b7bf78ae05e6974002e33b963bb4

SHA256
2fcaed62302c7b6216d923dee9ac9b6dd2060597d88bf3557c582571e840266a

SHA512
bebfd45a0b2b5822139ccd8f83a90ef882a08883f01cfe9fd11c8f68632512f728df10778c2b003912951537be9141c949dc6ef1a8851598cceeab04a005f456

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

Filesize
280B

MD5
04aab6c7b7826a2b6f51b650a7521a1f

SHA1
6d799f12a11ea635bbd9e416e8873dfdf54af57b

SHA256
4ba9621905723a3f00d1978ec65df8f0ca6366a62924fda94f7d25b031181777

SHA512
85758224ce7127ad9cef659184fa8bccc87e886270195ceeb6a6c229c2a1326bd201604c302bb959d35d72654097651c65f8c4a6963ffb4e97f75d2579fa74b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG22.PNG

Filesize
1KB

MD5
47003171b0d1d426a4b0c243d6d61f33

SHA1
1aeb6d6b83cb899d26802f564b624551c53334b4

SHA256
d930264b51138a3c993aa7edf3c0285df49c8a30d66e41ef6e51a7a0343e3a89

SHA512
915630b307517cafd3c3709f2c0181f33d5105fbf0078dd3a1b3d7225c797d9a473f6a76fc8242639c1b5c15828e0625ea7b6ae3bf9d108f059a95a99e4fcb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

Filesize
281B

MD5
0a5ce0278bbd9bead2d6f375925d0539

SHA1
64dd04e97d2fdadcaeb4932a24849f6d51630e42

SHA256
c89f6cd8120e32f17040dcc56d49f8e8722dc504e53c549cc534093a20939fde

SHA512
a4b02168e6f850587e0db9d3236b4269a38a925d1ebe301f4755a19de4e945fc14d85707cb5dfaf672935843be5d777bdb7cc01a3fa95c99e9a64a7d835b664d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG85.PNG

Filesize
43KB

MD5
9dfdde005d90036d0a51b97fdfa02e7f

SHA1
26a848e697ab4a5c0b5046822a8006eef209309d

SHA256
ec213c7a114335e8fcd8f69f4cede38ea39e42f13ff43ad1d078d78af1604063

SHA512
237cbfb2fa082ae7a071d429997e22e976df4dc62788d492ccd787549f4ad809d41917a1a17fb76f764a0860e1bd2b54911284cffaa94e940f021207f172266e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG86.PNG

Filesize
1KB

MD5
6cfda96c24d2884705c70312b63256ea

SHA1
d47dbd295745854e26328718e3d8655106408f31

SHA256
446944a836b0c53ae99b327412faa4aa03c213bc1984ed0d8542afe9b783bafd

SHA512
4a6419e4127cb1938df87ef6858dec800d2c557538127c45342463378f662a963d0ce3c073425a482b800fae9a0b9edbbdc1105b46c45158aaf86f8c999a17a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
771e04cbe88ca3d9dcba71d583c20800

SHA1
60b981afefc93524d16764631d78fb15a5e604d1

SHA256
40836ee064ef2c3c1f66c1ee903d6ee510e7350fe5050e346fb2580f22bbc7c5

SHA512
1b0e8e229a265a1843b508f75829c387cd41a827ea4bc5af289afdf7ef15d15be4e973f8960a82ea11beadadcb2fe05581c8ee7c496a2afdbd8d70bb17deb007

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
771e04cbe88ca3d9dcba71d583c20800

SHA1
60b981afefc93524d16764631d78fb15a5e604d1

SHA256
40836ee064ef2c3c1f66c1ee903d6ee510e7350fe5050e346fb2580f22bbc7c5

SHA512
1b0e8e229a265a1843b508f75829c387cd41a827ea4bc5af289afdf7ef15d15be4e973f8960a82ea11beadadcb2fe05581c8ee7c496a2afdbd8d70bb17deb007

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
771e04cbe88ca3d9dcba71d583c20800

SHA1
60b981afefc93524d16764631d78fb15a5e604d1

SHA256
40836ee064ef2c3c1f66c1ee903d6ee510e7350fe5050e346fb2580f22bbc7c5

SHA512
1b0e8e229a265a1843b508f75829c387cd41a827ea4bc5af289afdf7ef15d15be4e973f8960a82ea11beadadcb2fe05581c8ee7c496a2afdbd8d70bb17deb007

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
108KB

MD5
aec508468d53ab8d55f5b4beb82c347d

SHA1
477d1ffb28834243f5811a4a2a54b4f0ca240120

SHA256
ebee84e34e221ad822486432333bad9e6357af2fb0d9651cc61c7fab8ec9b5bf

SHA512
26a0278af2a9e75ef966bc3f7f40d7669204c2004a043adaad102ef440caa6282e69372ca0c3c7d39a8450691d528c2dc77a4386bfb0c6e5a2a76c3fef900fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
3KB

MD5
9bac1c3617f2e5e2e819faf5302aac69

SHA1
0609ff01b56295037b855d3e6462d78d65110855

SHA256
0d3c4e24f203a7b779334c021ef8faa0f7ede4e7d6a9053b4e910e640585c115

SHA512
256a1c62b249d9e216fde40973fa47844c42590ee0be76644ea082bfa3715e07c6dec7d07bc00181106faa10c78b7384210652e90a46feccdbabdb591c541cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
16KB

MD5
6cd59f6618af3dd565556600034d928d

SHA1
af708a1cf2003b4cb477a4d4a3d3aa2136db7786

SHA256
b16abba9ccbb7101806273d3aa2d1bfd5caca10e1941ec15556e859695cacb8b

SHA512
fbfeafc3bb8c2317aee340fbafea143b417616caa242f2cec2a75126e2a28f77d68a010e0edc58779e44d4ab06ec964988e8f4b6a08ce3794120ac3718c84c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
5b635c392112feb43e2488647c41454f

SHA1
469a7bdafa9311d79bd6ac62f91640c54ad64e1a

SHA256
e31f308f656b2f3fb9f5f064954d6b06ffeb3611becf6de174e5654283542e94

SHA512
cefc136de676a73f09aa7acbad7dc0517083d0af0384b8a2010259cfeceb3f5fb1b84ad3cea7d48f56dd0824ab167f4f10ab5e8f7f8bf3c7c05b19168cae651f

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
5b635c392112feb43e2488647c41454f

SHA1
469a7bdafa9311d79bd6ac62f91640c54ad64e1a

SHA256
e31f308f656b2f3fb9f5f064954d6b06ffeb3611becf6de174e5654283542e94

SHA512
cefc136de676a73f09aa7acbad7dc0517083d0af0384b8a2010259cfeceb3f5fb1b84ad3cea7d48f56dd0824ab167f4f10ab5e8f7f8bf3c7c05b19168cae651f

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
5b635c392112feb43e2488647c41454f

SHA1
469a7bdafa9311d79bd6ac62f91640c54ad64e1a

SHA256
e31f308f656b2f3fb9f5f064954d6b06ffeb3611becf6de174e5654283542e94

SHA512
cefc136de676a73f09aa7acbad7dc0517083d0af0384b8a2010259cfeceb3f5fb1b84ad3cea7d48f56dd0824ab167f4f10ab5e8f7f8bf3c7c05b19168cae651f

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
5b635c392112feb43e2488647c41454f

SHA1
469a7bdafa9311d79bd6ac62f91640c54ad64e1a

SHA256
e31f308f656b2f3fb9f5f064954d6b06ffeb3611becf6de174e5654283542e94

SHA512
cefc136de676a73f09aa7acbad7dc0517083d0af0384b8a2010259cfeceb3f5fb1b84ad3cea7d48f56dd0824ab167f4f10ab5e8f7f8bf3c7c05b19168cae651f

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
5b635c392112feb43e2488647c41454f

SHA1
469a7bdafa9311d79bd6ac62f91640c54ad64e1a

SHA256
e31f308f656b2f3fb9f5f064954d6b06ffeb3611becf6de174e5654283542e94

SHA512
cefc136de676a73f09aa7acbad7dc0517083d0af0384b8a2010259cfeceb3f5fb1b84ad3cea7d48f56dd0824ab167f4f10ab5e8f7f8bf3c7c05b19168cae651f

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
5b635c392112feb43e2488647c41454f

SHA1
469a7bdafa9311d79bd6ac62f91640c54ad64e1a

SHA256
e31f308f656b2f3fb9f5f064954d6b06ffeb3611becf6de174e5654283542e94

SHA512
cefc136de676a73f09aa7acbad7dc0517083d0af0384b8a2010259cfeceb3f5fb1b84ad3cea7d48f56dd0824ab167f4f10ab5e8f7f8bf3c7c05b19168cae651f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
602B

MD5
a0b4b31a9e7c9014df12feb35d966db2

SHA1
da1beb4e5fe5d6f09e51f3c31c2ffe3a1b63f414

SHA256
79f0fc68d6911026b12255d1ec67b72ed00c0dbbe6d50008540c5bf08173e956

SHA512
3f74a7499afb3257738f0ed919d461290d26c3be6b9c5cbae681ac321087ff321761c4e8ad6962b494b9d767d6539e1a166fd3709a8cb508b9473515a93f4a9a

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
6.3MB

MD5
f08d9bbc61cff8e8c3504524c3220bef

SHA1
b4268c667469620bb528c04eaa819d508159b398

SHA256
2c4d8b48344ae221e349e525ac16eb364ffb5ab8deae80c7caa28dd5967cabdb

SHA512
a64a03d959487399fb57e1bd062c0e9f88a17ff9b3ad15e6b96a4b7332341d0fc9186ef99b2ab9bdcfa51864f21d08bce48479202c01d15470916e90fb09fef4

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.BMP

Filesize
451KB

MD5
0b445ace8798426e7185f52b7b7b6d1e

SHA1
7a77b46e0848cc9b32283ccb3f91a18c0934c079

SHA256
2bbf97ccba3f87d469eac909c4ce8a3f13ed29c8f31b611e7d5cf89a0619eda6

SHA512
51523d5b711481293305465a3a3c6a3a50dca984cdc8cca1f4c44f3c21bfa430cd9aac1a8782d9605e6954cbafb307beb6b1a52e9785de1bc3f71067d80c6b6e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG23.PNG

Filesize
1KB

MD5
32e2b3ea6f5a27b51b804b03843c7ca6

SHA1
4e678b4d72f33bd4fa930401be3efd66fbf363d4

SHA256
8e968fbc253d37c52bf83d0e7726aee83fb8eddedf659731257e2f267347bce0

SHA512
575b036745df21bfcef772e6290e3a9e44845db6a28179fbb162d4a54618c8852a3014a138aba115482cb0d6a976f8c39cf921b02005a760a51c26fc8997bb43

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
45KB

MD5
91785fce056a122bac89a98f06af96df

SHA1
6b9744b90937444f7fc2c28fa5b1c222557fe4b5

SHA256
de9c89053f795767d014b40614a1fd38613ee4c04f2e7584c55c6c73870f7c0f

SHA512
f7adfb3122cb036889cd0e341e0a0c82240e0e0a407c7582e10ba5aaaf94deec190f85ed0dbdd258dfd62be0628bc5022c437eb361e7bab0289abb574f2358ce

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG41.PNG

Filesize
457B

MD5
926bef63745a4509526e65d5c60a73fd

SHA1
3bf538113194de549b25be80b53b0b1b8576769c

SHA256
b9e840be108b6b06c7f30d17785154980c0e7655ce27f0cb77637d2dcf0084dc

SHA512
9e3c2381a1d090b22af38f27093f1b8ed84800deb6ff91980cea08eb75209e596ba2dba6819d1f79b1619a23407cb12fce79eb7f0bb5d524dacc69809ba37278

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG42.PNG

Filesize
352B

MD5
850f59f4a5abe0d3485a148971134723

SHA1
719efe66cd784a6da7fa5b4d8c270f692a57de19

SHA256
e3fe5bff2b68bc5150b15e12b25067f21736e8a31ad45242abc947c783fffe2f

SHA512
64e47af80c3a775b6b1a77b70eef3c50da9244f9a99ce9aaa846b86afb736434b7f7b71e5ddd48344005f65a6fa6e84081fb6013cccf372b7eaf2f60fc67e67d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG45.PNG

Filesize
438B

MD5
916240d9971d1fc6bedc88010c7ae001

SHA1
8c4906879c6681a61ca52d2b5e459bcd81bea0f6

SHA256
9a0a9a4aa639381032dd8ac097866b19c559a53501d3c2452801e316f2695a31

SHA512
730cadf9eaf955e4629ebf893d2237b08ac528086ff72355596bd760cf15e41a84f7f3afae3b1b872537c437a6ea52b56fb770ecfd6848d6aa57d28525f8daa7

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG46.PNG

Filesize
206B

MD5
bbb86d9285a2b5005038b3969064fd93

SHA1
411a1691260b98f7109ebdf8df4c076155055ca9

SHA256
967777f39c7353a35af2ab4c8df193c8e73d9cec03ff30973a6c628088900315

SHA512
b4dc7648dbee08841825e5a2bbdfa770fb8c1efcf0106ab25cd1c616339588d49f99f6fdbff5dce7e4fb39be6cd0a8ef6013b6ef143bea8789003ca87008ee6a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG48.PNG

Filesize
1KB

MD5
e8d56aaa5306ab8c1f98501c6620f59e

SHA1
1a9f5029689402ee039fefb8307d5f94db1727f4

SHA256
d1b4c9b95313d5ac7f85cec7bb986e7353e676b81c618883b7e74765a1f6f111

SHA512
17d90fb31123ab2308e50b3f2de3981e5fd84420731c94980c083f55804e7930a0ced82faebb7e44868e86ffd4da3538f6b3ec4188f92a4224e2546522b5a6a6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG5.PNG

Filesize
1KB

MD5
9fddfa14072fabea18ae4a035d325e33

SHA1
e901005bc13111ea44f675bb1b38f270b085f9f7

SHA256
22df55a531ad1629836f44b5020f34b34d1ff07d38a63db43fd8ef2ec09feb6d

SHA512
745a5dee942089f8a5961ff88f21b72ec3af7fafbf6c6c75df057f5d11b14052d1bffe4dd391b5998fbaf0966a775eb4feb9069942fc4f6c84fee505999e3425

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG66.PNG

Filesize
41KB

MD5
c1bfe5f0b8b74dbbae017e6c8baddadb

SHA1
16adcc0516f19451cd1fb27e4c531696bddf8a85

SHA256
39a8365512688fd5517956b59fa83a8196d7ab01cdf043c8dbbe867e8dcf53b6

SHA512
4330a8cc84c014f8189a49a5b56aed36494c3c72550fb3aef70f6dc802fdb03385bdcee3e5c047ecbf334eb78afd24b1b5627a68a92b737c16a3e9ed3d8e30f5

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG67.PNG

Filesize
1KB

MD5
09831aecec902670753033f352f4ed91

SHA1
bb3f73656912b398be336817e1af309f186b81d8

SHA256
fbf81419194d889dc3e3cd83cfd6077c88ff1f9f83097cb994daca90405e266c

SHA512
0a8d476f10d873d8206ea267b39ebb28ec6faf87f9991bec2dd57d1fdeb949b42196e7392991c83c2b3defcc7187bfdee00c24657501f2791367e6f48921e58b

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
33KB

MD5
eecce65b508f0cb47a9a9cfcdef34873

SHA1
ced1227173c9f90bd40d2bfa13fab49d174f70be

SHA256
9606648196493b7c1ce81510dd12616d15e09c028bf84efa562b3a6873ef55b1

SHA512
26bd6fef2b8ff2ae2c65b6fe7213fbc13ea1ca3ac46e696836a0681d02b4fbf5cd0fbc4a5a3d69efebc5527d242f7eb0bbd9e0ea83bf800be61b6af4046ad0ea

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
6KB

MD5
4f7be9736242579cb8afa1af86980dfe

SHA1
1c486393847996db4f6b78532dd7bd9a0a924549

SHA256
9cecc28716f392d2394829f4cc3f307d08f5aecaf3e2124bdaaa0d6d9c3400b4

SHA512
4c55bc2698d8934713e791c015480248198e22efa66dd5ca79ea834b9835c9e85ca8c2869c9b40dc394ae7e27da039f79c392f88472dedc1adfa83dd1e94f1c9

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
f98f13b8087cdcb513205c395579c995

SHA1
c8f2ed85d27589338bca446fd40b5c162ef707a8

SHA256
b588ebf4f7faf484ca1b5ee94b8b0d4a90e0fb21a7c308d9822d501c36fb96e9

SHA512
766d282cad648062cbf10bdb5d49e1100e364f2179d9bb16e60166a96a8ede1b0fbdaaa524d0a0bbac26a0930e512dfbd0b8acaf4f4a87f0259aeb7df7640748

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
f98f13b8087cdcb513205c395579c995

SHA1
c8f2ed85d27589338bca446fd40b5c162ef707a8

SHA256
b588ebf4f7faf484ca1b5ee94b8b0d4a90e0fb21a7c308d9822d501c36fb96e9

SHA512
766d282cad648062cbf10bdb5d49e1100e364f2179d9bb16e60166a96a8ede1b0fbdaaa524d0a0bbac26a0930e512dfbd0b8acaf4f4a87f0259aeb7df7640748

Download Submit
C:\Windows\Installer\6db6c2.msi

Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Windows\Installer\MSIEB6E.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
5b635c392112feb43e2488647c41454f

SHA1
469a7bdafa9311d79bd6ac62f91640c54ad64e1a

SHA256
e31f308f656b2f3fb9f5f064954d6b06ffeb3611becf6de174e5654283542e94

SHA512
cefc136de676a73f09aa7acbad7dc0517083d0af0384b8a2010259cfeceb3f5fb1b84ad3cea7d48f56dd0824ab167f4f10ab5e8f7f8bf3c7c05b19168cae651f

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\assistant\_sfx.exe

Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\assistant\assistant_installer.exe

Filesize
2.1MB

MD5
2f3d9e21e232b9bfea064d3b2264db06

SHA1
bafddc657d8d1bb531683b29b0342cc065ee51d2

SHA256
25528c314aed2b5391ca1d08c736a3807142aab21ae99d5970f2a862c8258d5d

SHA512
94e81aa3015b7e112bf772b52b2dd6092f5634746e201171b34b2493a62b08fbbf53a6d6c60c904c424c06e802aae6810c6dd88cf7a882846bc0a4793c3b32e5

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\assistant\assistant_installer.exe

Filesize
2.1MB

MD5
2f3d9e21e232b9bfea064d3b2264db06

SHA1
bafddc657d8d1bb531683b29b0342cc065ee51d2

SHA256
25528c314aed2b5391ca1d08c736a3807142aab21ae99d5970f2a862c8258d5d

SHA512
94e81aa3015b7e112bf772b52b2dd6092f5634746e201171b34b2493a62b08fbbf53a6d6c60c904c424c06e802aae6810c6dd88cf7a882846bc0a4793c3b32e5

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\opera_package

Filesize
86.9MB

MD5
6b7771354e081eb94cdbf7627799da4f

SHA1
199341a750443cc6e9b2b2fa1e657d0dd327711f

SHA256
494d1247e61eebf703a6eb19c14bde88edd2f85515fefa4f0465f43873e69aab

SHA512
33e781a102ba3f5c3b1895540bc9c43b78bf4f19af4b91ae0c765594f39d6569d1bad207b33f808426d8ebdcb00c419b7bb76bb050bae0bb843f96dd84355800

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191056581\opera_package

Filesize
86.9MB

MD5
6b7771354e081eb94cdbf7627799da4f

SHA1
199341a750443cc6e9b2b2fa1e657d0dd327711f

SHA256
494d1247e61eebf703a6eb19c14bde88edd2f85515fefa4f0465f43873e69aab

SHA512
33e781a102ba3f5c3b1895540bc9c43b78bf4f19af4b91ae0c765594f39d6569d1bad207b33f808426d8ebdcb00c419b7bb76bb050bae0bb843f96dd84355800

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2303191056543911920.dll

Filesize
4.6MB

MD5
927a01657c6bee50ca093ffcfdc9134a

SHA1
f7e484a777affe3c6227a2be0a6560111e1be8f9

SHA256
b1012ab0e2e6a363372a14b480b4c8275c013e66c94adfb8857e523899350cc9

SHA512
718c25b4e95948b728fe7eda6c5953bc0246dc5730ba99a71c3963ebcffda58b1759bf2554fca297d1590d8768d50e0fd9c39bdf790f4d372bc4aa255bfb5db7

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2303191056555291156.dll

Filesize
4.6MB

MD5
927a01657c6bee50ca093ffcfdc9134a

SHA1
f7e484a777affe3c6227a2be0a6560111e1be8f9

SHA256
b1012ab0e2e6a363372a14b480b4c8275c013e66c94adfb8857e523899350cc9

SHA512
718c25b4e95948b728fe7eda6c5953bc0246dc5730ba99a71c3963ebcffda58b1759bf2554fca297d1590d8768d50e0fd9c39bdf790f4d372bc4aa255bfb5db7

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_230319105655904664.dll

Filesize
4.6MB

MD5
927a01657c6bee50ca093ffcfdc9134a

SHA1
f7e484a777affe3c6227a2be0a6560111e1be8f9

SHA256
b1012ab0e2e6a363372a14b480b4c8275c013e66c94adfb8857e523899350cc9

SHA512
718c25b4e95948b728fe7eda6c5953bc0246dc5730ba99a71c3963ebcffda58b1759bf2554fca297d1590d8768d50e0fd9c39bdf790f4d372bc4aa255bfb5db7

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2303191056589932588.dll

Filesize
4.6MB

MD5
927a01657c6bee50ca093ffcfdc9134a

SHA1
f7e484a777affe3c6227a2be0a6560111e1be8f9

SHA256
b1012ab0e2e6a363372a14b480b4c8275c013e66c94adfb8857e523899350cc9

SHA512
718c25b4e95948b728fe7eda6c5953bc0246dc5730ba99a71c3963ebcffda58b1759bf2554fca297d1590d8768d50e0fd9c39bdf790f4d372bc4aa255bfb5db7

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2303191056595232684.dll

Filesize
4.6MB

MD5
927a01657c6bee50ca093ffcfdc9134a

SHA1
f7e484a777affe3c6227a2be0a6560111e1be8f9

SHA256
b1012ab0e2e6a363372a14b480b4c8275c013e66c94adfb8857e523899350cc9

SHA512
718c25b4e95948b728fe7eda6c5953bc0246dc5730ba99a71c3963ebcffda58b1759bf2554fca297d1590d8768d50e0fd9c39bdf790f4d372bc4aa255bfb5db7

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
771e04cbe88ca3d9dcba71d583c20800

SHA1
60b981afefc93524d16764631d78fb15a5e604d1

SHA256
40836ee064ef2c3c1f66c1ee903d6ee510e7350fe5050e346fb2580f22bbc7c5

SHA512
1b0e8e229a265a1843b508f75829c387cd41a827ea4bc5af289afdf7ef15d15be4e973f8960a82ea11beadadcb2fe05581c8ee7c496a2afdbd8d70bb17deb007

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
771e04cbe88ca3d9dcba71d583c20800

SHA1
60b981afefc93524d16764631d78fb15a5e604d1

SHA256
40836ee064ef2c3c1f66c1ee903d6ee510e7350fe5050e346fb2580f22bbc7c5

SHA512
1b0e8e229a265a1843b508f75829c387cd41a827ea4bc5af289afdf7ef15d15be4e973f8960a82ea11beadadcb2fe05581c8ee7c496a2afdbd8d70bb17deb007

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
771e04cbe88ca3d9dcba71d583c20800

SHA1
60b981afefc93524d16764631d78fb15a5e604d1

SHA256
40836ee064ef2c3c1f66c1ee903d6ee510e7350fe5050e346fb2580f22bbc7c5

SHA512
1b0e8e229a265a1843b508f75829c387cd41a827ea4bc5af289afdf7ef15d15be4e973f8960a82ea11beadadcb2fe05581c8ee7c496a2afdbd8d70bb17deb007

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
771e04cbe88ca3d9dcba71d583c20800

SHA1
60b981afefc93524d16764631d78fb15a5e604d1

SHA256
40836ee064ef2c3c1f66c1ee903d6ee510e7350fe5050e346fb2580f22bbc7c5

SHA512
1b0e8e229a265a1843b508f75829c387cd41a827ea4bc5af289afdf7ef15d15be4e973f8960a82ea11beadadcb2fe05581c8ee7c496a2afdbd8d70bb17deb007

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
771e04cbe88ca3d9dcba71d583c20800

SHA1
60b981afefc93524d16764631d78fb15a5e604d1

SHA256
40836ee064ef2c3c1f66c1ee903d6ee510e7350fe5050e346fb2580f22bbc7c5

SHA512
1b0e8e229a265a1843b508f75829c387cd41a827ea4bc5af289afdf7ef15d15be4e973f8960a82ea11beadadcb2fe05581c8ee7c496a2afdbd8d70bb17deb007

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\jds7154985.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
5b635c392112feb43e2488647c41454f

SHA1
469a7bdafa9311d79bd6ac62f91640c54ad64e1a

SHA256
e31f308f656b2f3fb9f5f064954d6b06ffeb3611becf6de174e5654283542e94

SHA512
cefc136de676a73f09aa7acbad7dc0517083d0af0384b8a2010259cfeceb3f5fb1b84ad3cea7d48f56dd0824ab167f4f10ab5e8f7f8bf3c7c05b19168cae651f

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
5b635c392112feb43e2488647c41454f

SHA1
469a7bdafa9311d79bd6ac62f91640c54ad64e1a

SHA256
e31f308f656b2f3fb9f5f064954d6b06ffeb3611becf6de174e5654283542e94

SHA512
cefc136de676a73f09aa7acbad7dc0517083d0af0384b8a2010259cfeceb3f5fb1b84ad3cea7d48f56dd0824ab167f4f10ab5e8f7f8bf3c7c05b19168cae651f

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
5b635c392112feb43e2488647c41454f

SHA1
469a7bdafa9311d79bd6ac62f91640c54ad64e1a

SHA256
e31f308f656b2f3fb9f5f064954d6b06ffeb3611becf6de174e5654283542e94

SHA512
cefc136de676a73f09aa7acbad7dc0517083d0af0384b8a2010259cfeceb3f5fb1b84ad3cea7d48f56dd0824ab167f4f10ab5e8f7f8bf3c7c05b19168cae651f

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
5b635c392112feb43e2488647c41454f

SHA1
469a7bdafa9311d79bd6ac62f91640c54ad64e1a

SHA256
e31f308f656b2f3fb9f5f064954d6b06ffeb3611becf6de174e5654283542e94

SHA512
cefc136de676a73f09aa7acbad7dc0517083d0af0384b8a2010259cfeceb3f5fb1b84ad3cea7d48f56dd0824ab167f4f10ab5e8f7f8bf3c7c05b19168cae651f

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
5b635c392112feb43e2488647c41454f

SHA1
469a7bdafa9311d79bd6ac62f91640c54ad64e1a

SHA256
e31f308f656b2f3fb9f5f064954d6b06ffeb3611becf6de174e5654283542e94

SHA512
cefc136de676a73f09aa7acbad7dc0517083d0af0384b8a2010259cfeceb3f5fb1b84ad3cea7d48f56dd0824ab167f4f10ab5e8f7f8bf3c7c05b19168cae651f

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
5b635c392112feb43e2488647c41454f

SHA1
469a7bdafa9311d79bd6ac62f91640c54ad64e1a

SHA256
e31f308f656b2f3fb9f5f064954d6b06ffeb3611becf6de174e5654283542e94

SHA512
cefc136de676a73f09aa7acbad7dc0517083d0af0384b8a2010259cfeceb3f5fb1b84ad3cea7d48f56dd0824ab167f4f10ab5e8f7f8bf3c7c05b19168cae651f

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
5b635c392112feb43e2488647c41454f

SHA1
469a7bdafa9311d79bd6ac62f91640c54ad64e1a

SHA256
e31f308f656b2f3fb9f5f064954d6b06ffeb3611becf6de174e5654283542e94

SHA512
cefc136de676a73f09aa7acbad7dc0517083d0af0384b8a2010259cfeceb3f5fb1b84ad3cea7d48f56dd0824ab167f4f10ab5e8f7f8bf3c7c05b19168cae651f

Download Submit
memory/316-376-0x0000000002CD0000-0x00000000030B8000-memory.dmp

Filesize
3.9MB

Download
memory/316-69-0x0000000002CD0000-0x00000000030B8000-memory.dmp

Filesize
3.9MB

Download
memory/316-68-0x0000000002CD0000-0x00000000030B8000-memory.dmp

Filesize
3.9MB

Download
memory/664-1080-0x0000000000D30000-0x0000000001275000-memory.dmp

Filesize
5.3MB

Download
memory/1108-1022-0x0000000005670000-0x0000000005BB5000-memory.dmp

Filesize
5.3MB

Download
memory/1108-1246-0x0000000001060000-0x0000000001448000-memory.dmp

Filesize
3.9MB

Download
memory/1108-933-0x0000000001040000-0x0000000001050000-memory.dmp

Filesize
64KB

Download
memory/1108-1624-0x0000000001040000-0x0000000001050000-memory.dmp

Filesize
64KB

Download
memory/1108-1623-0x0000000001060000-0x0000000001448000-memory.dmp

Filesize
3.9MB

Download
memory/1108-970-0x0000000005670000-0x0000000005BB5000-memory.dmp

Filesize
5.3MB

Download
memory/1108-485-0x0000000001060000-0x0000000001448000-memory.dmp

Filesize
3.9MB

Download
memory/1108-1615-0x0000000005670000-0x0000000005BB5000-memory.dmp

Filesize
5.3MB

Download
memory/1108-1021-0x0000000005670000-0x0000000005BB5000-memory.dmp

Filesize
5.3MB

Download
memory/1108-1004-0x0000000005670000-0x0000000005BB5000-memory.dmp

Filesize
5.3MB

Download
memory/1156-1248-0x0000000001070000-0x00000000015B5000-memory.dmp

Filesize
5.3MB

Download
memory/1760-369-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1760-368-0x0000000000140000-0x0000000000528000-memory.dmp

Filesize
3.9MB

Download
memory/1760-448-0x0000000003270000-0x0000000003280000-memory.dmp

Filesize
64KB

Download
memory/1760-444-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1760-1613-0x0000000000140000-0x0000000000528000-memory.dmp

Filesize
3.9MB

Download
memory/1760-440-0x0000000000140000-0x0000000000528000-memory.dmp

Filesize
3.9MB

Download
memory/1760-1415-0x0000000000140000-0x0000000000528000-memory.dmp

Filesize
3.9MB

Download
memory/1760-1416-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1760-249-0x0000000000140000-0x0000000000528000-memory.dmp

Filesize
3.9MB

Download
memory/1760-1081-0x0000000000140000-0x0000000000528000-memory.dmp

Filesize
3.9MB

Download
memory/1760-366-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1760-367-0x0000000000900000-0x0000000000903000-memory.dmp

Filesize
12KB

Download
memory/1760-1450-0x0000000000140000-0x0000000000528000-memory.dmp

Filesize
3.9MB

Download
memory/1760-1458-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1760-385-0x0000000000140000-0x0000000000528000-memory.dmp

Filesize
3.9MB

Download
memory/1760-386-0x0000000000140000-0x0000000000528000-memory.dmp

Filesize
3.9MB

Download
memory/1760-387-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1760-1434-0x0000000003270000-0x0000000003280000-memory.dmp

Filesize
64KB

Download
memory/1804-476-0x0000000002E50000-0x0000000003238000-memory.dmp

Filesize
3.9MB

Download
memory/1804-477-0x0000000002E50000-0x0000000003238000-memory.dmp

Filesize
3.9MB

Download
memory/1804-1439-0x0000000002E50000-0x0000000003238000-memory.dmp

Filesize
3.9MB

Download
memory/1804-484-0x0000000002E50000-0x0000000003238000-memory.dmp

Filesize
3.9MB

Download
memory/1804-1437-0x0000000002E50000-0x0000000003238000-memory.dmp

Filesize
3.9MB

Download
memory/1920-1247-0x0000000002BD0000-0x0000000003115000-memory.dmp

Filesize
5.3MB

Download
memory/1920-1250-0x0000000004250000-0x0000000004795000-memory.dmp

Filesize
5.3MB

Download
memory/1920-1046-0x0000000001070000-0x00000000015B5000-memory.dmp

Filesize
5.3MB

Download
memory/1920-1249-0x0000000003B30000-0x0000000004075000-memory.dmp

Filesize
5.3MB

Download
memory/1920-1627-0x0000000002BD0000-0x0000000003115000-memory.dmp

Filesize
5.3MB

Download
memory/2588-1404-0x0000000002B80000-0x00000000030C5000-memory.dmp

Filesize
5.3MB

Download
memory/2588-1251-0x0000000001070000-0x00000000015B5000-memory.dmp

Filesize
5.3MB

Download
memory/2600-2020-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2600-2033-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2600-2021-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2600-2022-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2684-1405-0x0000000001070000-0x00000000015B5000-memory.dmp

Filesize
5.3MB

Download