bazarbackdoor | 78d84068b47cf28b76c88ba4474c7c187510f4e4e967d079d3761dcab7851655

Analysis

max time kernel
166s
max time network
996s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-03-2023 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.876-Installer-1.0.7-global.exe
Size

22.6MB
MD5

e89a95bce6075955a4e1acdb6bb56561
SHA1

8b17013cbf2ea69d625d7bcb1e578933c13678fc
SHA256

78d84068b47cf28b76c88ba4474c7c187510f4e4e967d079d3761dcab7851655
SHA512

4ccb33f60c9292e12daa53b49524a36bbe1c1ca86d794b5134b8b954736a532e9f202123b39036c6a9c557e128bd8361e5c1cb86d40723cc00784026741d5e65
SSDEEP

393216:DXkoYB+UAVl/Pfs/dQETVlOBbpFEjdGphRqV56HpkvQFa2Vj4h2cU:D0oYB+3fHHExi73qqHpU2Vj4hE

Score

10^/10

bazarbackdoor adware backdoor discovery persistence spyware stealer upx

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe	BazarBackdoorVar3
\Users\Admin\AppData\Local\Temp\jre-windows.exe	BazarBackdoorVar3
C:\Users\Admin\AppData\Local\Temp\jds7183378.tmp\jre-windows.exe	BazarBackdoorVar3
\Users\Admin\AppData\Local\Temp\jds7183378.tmp\jre-windows.exe	BazarBackdoorVar3
C:\Windows\Installer\6de61c.msi	BazarBackdoorVar3

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

44 1776 msiexec.exe
Downloads MZ/PE file

flow	pid	process
44	1776	msiexec.exe

Executes dropped EXE 23 IoCs

Processes:

irsetup.exeBrowserInstaller.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exejre-windows.exe_sfx.exejre-windows.exeassistant_installer.exeassistant_installer.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exe

pid	process
1456	irsetup.exe
1760	BrowserInstaller.exe
1792	irsetup.exe
1092	opera-installer-bro.exe
1360	opera-installer-bro.exe
932	opera-installer-bro.exe
900	opera-installer-bro.exe
472	opera-installer-bro.exe
2760	jre-windows.exe
2844	_sfx.exe
2892	jre-windows.exe
2208	assistant_installer.exe
3008	assistant_installer.exe
2312	installer.exe
2572	bspatch.exe
2972	unpack200.exe
2852	unpack200.exe
2968	unpack200.exe
2348	unpack200.exe
2256	unpack200.exe
916	unpack200.exe
2084	unpack200.exe
2516	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

TLauncher-2.876-Installer-1.0.7-global.exeirsetup.exeBrowserInstaller.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exejre-windows.exeassistant_installer.exeMsiExec.exemsiexec.exebspatch.exeinstaller.exeunpack200.exe

pid	process
1944	TLauncher-2.876-Installer-1.0.7-global.exe
1944	TLauncher-2.876-Installer-1.0.7-global.exe
1944	TLauncher-2.876-Installer-1.0.7-global.exe
1944	TLauncher-2.876-Installer-1.0.7-global.exe
1456	irsetup.exe
1456	irsetup.exe
1456	irsetup.exe
1456	irsetup.exe
1456	irsetup.exe
1456	irsetup.exe
1456	irsetup.exe
1456	irsetup.exe
1760	BrowserInstaller.exe
1760	BrowserInstaller.exe
1760	BrowserInstaller.exe
1760	BrowserInstaller.exe
1792	irsetup.exe
1792	irsetup.exe
1792	irsetup.exe
1792	irsetup.exe
1792	irsetup.exe
1792	irsetup.exe
1792	irsetup.exe
1792	irsetup.exe
1092	opera-installer-bro.exe
1092	opera-installer-bro.exe
1360	opera-installer-bro.exe
1092	opera-installer-bro.exe
932	opera-installer-bro.exe
1092	opera-installer-bro.exe
900	opera-installer-bro.exe
900	opera-installer-bro.exe
472	opera-installer-bro.exe
1092	opera-installer-bro.exe
1092	opera-installer-bro.exe
1456	irsetup.exe
1092	opera-installer-bro.exe
2760	jre-windows.exe
1092	opera-installer-bro.exe
2208	assistant_installer.exe
1228
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
1776	msiexec.exe
2572	bspatch.exe
2572	bspatch.exe
2572	bspatch.exe
2312	installer.exe
2972	unpack200.exe
2972	unpack200.exe
2972	unpack200.exe
2972	unpack200.exe
2972	unpack200.exe
2972	unpack200.exe
2972	unpack200.exe
2972	unpack200.exe
2972	unpack200.exe
2972	unpack200.exe
2972	unpack200.exe
2972	unpack200.exe
2972	unpack200.exe
2972	unpack200.exe
2972	unpack200.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0279-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0072-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0119-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0215-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0339-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0055-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0032-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0229-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0084-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0184-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0274-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0299-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0083-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0156-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0216-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0204-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0199-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0032-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0183-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0074-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0113-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0119-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0223-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0081-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0070-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0066-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0267-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0099-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0138-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0049-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0076-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0140-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0086-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/1456-172-0x0000000001090000-0x0000000001478000-memory.dmp	upx
behavioral1/memory/1456-367-0x0000000001090000-0x0000000001478000-memory.dmp	upx
behavioral1/memory/1456-384-0x0000000001090000-0x0000000001478000-memory.dmp	upx
behavioral1/memory/1456-422-0x0000000001090000-0x0000000001478000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
behavioral1/memory/1792-489-0x0000000000390000-0x0000000000778000-memory.dmp	upx
behavioral1/memory/1456-502-0x0000000001090000-0x0000000001478000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe	upx
behavioral1/memory/1792-567-0x0000000000390000-0x0000000000778000-memory.dmp	upx
behavioral1/memory/1092-571-0x0000000000970000-0x0000000000EB5000-memory.dmp	upx
behavioral1/memory/1360-591-0x0000000000970000-0x0000000000EB5000-memory.dmp	upx
behavioral1/memory/932-601-0x0000000001380000-0x00000000018C5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/900-608-0x0000000000970000-0x0000000000EB5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/1456-635-0x0000000001090000-0x0000000001478000-memory.dmp	upx
behavioral1/memory/472-762-0x0000000000970000-0x0000000000EB5000-memory.dmp	upx
behavioral1/memory/1456-1417-0x0000000001090000-0x0000000001478000-memory.dmp	upx
behavioral1/memory/1456-1539-0x0000000001090000-0x0000000001478000-memory.dmp	upx
behavioral1/memory/1792-1616-0x0000000000390000-0x0000000000778000-memory.dmp	upx
behavioral1/memory/1456-1623-0x0000000001090000-0x0000000001478000-memory.dmp	upx
behavioral1/memory/2572-2009-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2572-2029-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeopera-installer-bro.exeopera-installer-bro.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\D:	opera-installer-bro.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe

Drops file in System32 directory 1 IoCs

Processes:

installer.exe

description ioc process

File created C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\dom.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\mesa3d.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\cmm\GRAY.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_zh_HK.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\instrument.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jpeg.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\resource.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\verify.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\charsets.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\THIRDPARTYLICENSEREADME.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\msvcp140.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\localedata.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\[email protected]	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-namedpipe-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\dtplugin\npdeployJava1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\gstreamer-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\javacpl.cpl	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fonts\LucidaSansRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-memory-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-heap-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\orbd.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\calendars.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jfxmedia.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-file-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\xerces.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\sunec.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\policy\unlimited\local_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\win32_MoveNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\sound.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\prism_d3d.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\tnameserv.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\jpeg_fx.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\cmm\LINEAR_RGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jabswitch.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\relaxngom.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_zh_CN.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\cursors.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-debug-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-sysinfo-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-process-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-time-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\flavormap.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\rt.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-console-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\colorimaging.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_es.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\meta-index	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jfr\default.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-processenvironment-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-rtlsupport-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\WindowsAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jce.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\fxplugins.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\webkit.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\amd64\jvm.cfg	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jfxswt.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-synch-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\psfont.properties.ja	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\public_suffix_list.dat	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\meta-index	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-console-l1-2-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\prism_sw.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\pkcs11cryptotoken.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\cldrdata.jar	installer.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\6de620.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\6de61c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B5.tmp	msiexec.exe
File created	C:\Windows\Installer\6de61e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF70.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13E4.tmp	msiexec.exe
File created	C:\Windows\Installer\6de61c.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exeirsetup.exejre-windows.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0165-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_165"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0292-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0307-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0328-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0114-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0115-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0298-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0036-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_36"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_42"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0170-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0210-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0291-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0063-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0332-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0121-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0238-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0098-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0240-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0244-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0068-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0256-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_256"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0282-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0045-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_45"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0098-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0312-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0125-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0195-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0136-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0162-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_48"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0086-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0275-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0302-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_04"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0064-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0096-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0162-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_162"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0195-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0102-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBA}	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0151-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0157-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0164-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0153-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_153"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0304-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0012-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0080-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0055-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_55"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_04"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jnlps	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0068-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0125-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_125"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0300-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_56"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0145-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_145"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0068-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_68"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_05"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0085-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_85"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0147-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0165-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0170-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0258-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0074-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0171-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_171"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0307-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_28"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0200-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0172-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_172"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0209-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_209"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0182-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0124-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0201-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0220-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0129-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0090-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_90"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

irsetup.exeopera-installer-bro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	opera-installer-bro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

jre-windows.exe

pid process

2892 jre-windows.exe

pid	process
2892	jre-windows.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-windows.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2892	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2892	jre-windows.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeSecurityPrivilege	1776	msiexec.exe
Token: SeCreateTokenPrivilege	2892	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	2892	jre-windows.exe
Token: SeLockMemoryPrivilege	2892	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2892	jre-windows.exe
Token: SeMachineAccountPrivilege	2892	jre-windows.exe
Token: SeTcbPrivilege	2892	jre-windows.exe
Token: SeSecurityPrivilege	2892	jre-windows.exe
Token: SeTakeOwnershipPrivilege	2892	jre-windows.exe
Token: SeLoadDriverPrivilege	2892	jre-windows.exe
Token: SeSystemProfilePrivilege	2892	jre-windows.exe
Token: SeSystemtimePrivilege	2892	jre-windows.exe
Token: SeProfSingleProcessPrivilege	2892	jre-windows.exe
Token: SeIncBasePriorityPrivilege	2892	jre-windows.exe
Token: SeCreatePagefilePrivilege	2892	jre-windows.exe
Token: SeCreatePermanentPrivilege	2892	jre-windows.exe
Token: SeBackupPrivilege	2892	jre-windows.exe
Token: SeRestorePrivilege	2892	jre-windows.exe
Token: SeShutdownPrivilege	2892	jre-windows.exe
Token: SeDebugPrivilege	2892	jre-windows.exe
Token: SeAuditPrivilege	2892	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	2892	jre-windows.exe
Token: SeChangeNotifyPrivilege	2892	jre-windows.exe
Token: SeRemoteShutdownPrivilege	2892	jre-windows.exe
Token: SeUndockPrivilege	2892	jre-windows.exe
Token: SeSyncAgentPrivilege	2892	jre-windows.exe
Token: SeEnableDelegationPrivilege	2892	jre-windows.exe
Token: SeManageVolumePrivilege	2892	jre-windows.exe
Token: SeImpersonatePrivilege	2892	jre-windows.exe
Token: SeCreateGlobalPrivilege	2892	jre-windows.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

irsetup.exeirsetup.exejre-windows.exe

pid	process
1456	irsetup.exe
1456	irsetup.exe
1456	irsetup.exe
1456	irsetup.exe
1456	irsetup.exe
1456	irsetup.exe
1792	irsetup.exe
1792	irsetup.exe
2892	jre-windows.exe
2892	jre-windows.exe
2892	jre-windows.exe
2892	jre-windows.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-2.876-Installer-1.0.7-global.exeirsetup.exeBrowserInstaller.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exe

description	pid	process	target process
PID 1944 wrote to memory of 1456	1944	TLauncher-2.876-Installer-1.0.7-global.exe	irsetup.exe
PID 1944 wrote to memory of 1456	1944	TLauncher-2.876-Installer-1.0.7-global.exe	irsetup.exe
PID 1944 wrote to memory of 1456	1944	TLauncher-2.876-Installer-1.0.7-global.exe	irsetup.exe
PID 1944 wrote to memory of 1456	1944	TLauncher-2.876-Installer-1.0.7-global.exe	irsetup.exe
PID 1944 wrote to memory of 1456	1944	TLauncher-2.876-Installer-1.0.7-global.exe	irsetup.exe
PID 1944 wrote to memory of 1456	1944	TLauncher-2.876-Installer-1.0.7-global.exe	irsetup.exe
PID 1944 wrote to memory of 1456	1944	TLauncher-2.876-Installer-1.0.7-global.exe	irsetup.exe
PID 1456 wrote to memory of 1760	1456	irsetup.exe	BrowserInstaller.exe
PID 1456 wrote to memory of 1760	1456	irsetup.exe	BrowserInstaller.exe
PID 1456 wrote to memory of 1760	1456	irsetup.exe	BrowserInstaller.exe
PID 1456 wrote to memory of 1760	1456	irsetup.exe	BrowserInstaller.exe
PID 1456 wrote to memory of 1760	1456	irsetup.exe	BrowserInstaller.exe
PID 1456 wrote to memory of 1760	1456	irsetup.exe	BrowserInstaller.exe
PID 1456 wrote to memory of 1760	1456	irsetup.exe	BrowserInstaller.exe
PID 1760 wrote to memory of 1792	1760	BrowserInstaller.exe	irsetup.exe
PID 1760 wrote to memory of 1792	1760	BrowserInstaller.exe	irsetup.exe
PID 1760 wrote to memory of 1792	1760	BrowserInstaller.exe	irsetup.exe
PID 1760 wrote to memory of 1792	1760	BrowserInstaller.exe	irsetup.exe
PID 1760 wrote to memory of 1792	1760	BrowserInstaller.exe	irsetup.exe
PID 1760 wrote to memory of 1792	1760	BrowserInstaller.exe	irsetup.exe
PID 1760 wrote to memory of 1792	1760	BrowserInstaller.exe	irsetup.exe
PID 1792 wrote to memory of 1092	1792	irsetup.exe	opera-installer-bro.exe
PID 1792 wrote to memory of 1092	1792	irsetup.exe	opera-installer-bro.exe
PID 1792 wrote to memory of 1092	1792	irsetup.exe	opera-installer-bro.exe
PID 1792 wrote to memory of 1092	1792	irsetup.exe	opera-installer-bro.exe
PID 1792 wrote to memory of 1092	1792	irsetup.exe	opera-installer-bro.exe
PID 1792 wrote to memory of 1092	1792	irsetup.exe	opera-installer-bro.exe
PID 1792 wrote to memory of 1092	1792	irsetup.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 1360	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 1360	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 1360	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 1360	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 1360	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 1360	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 1360	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 932	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 932	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 932	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 932	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 932	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 932	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 932	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 900	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 900	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 900	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 900	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 900	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 900	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 1092 wrote to memory of 900	1092	opera-installer-bro.exe	opera-installer-bro.exe
PID 900 wrote to memory of 472	900	opera-installer-bro.exe	opera-installer-bro.exe
PID 900 wrote to memory of 472	900	opera-installer-bro.exe	opera-installer-bro.exe
PID 900 wrote to memory of 472	900	opera-installer-bro.exe	opera-installer-bro.exe
PID 900 wrote to memory of 472	900	opera-installer-bro.exe	opera-installer-bro.exe
PID 900 wrote to memory of 472	900	opera-installer-bro.exe	opera-installer-bro.exe
PID 900 wrote to memory of 472	900	opera-installer-bro.exe	opera-installer-bro.exe
PID 900 wrote to memory of 472	900	opera-installer-bro.exe	opera-installer-bro.exe
PID 1456 wrote to memory of 2760	1456	irsetup.exe	jre-windows.exe
PID 1456 wrote to memory of 2760	1456	irsetup.exe	jre-windows.exe
PID 1456 wrote to memory of 2760	1456	irsetup.exe	jre-windows.exe
PID 1456 wrote to memory of 2760	1456	irsetup.exe	jre-windows.exe
PID 1092 wrote to memory of 2844	1092	opera-installer-bro.exe	_sfx.exe
PID 1092 wrote to memory of 2844	1092	opera-installer-bro.exe	_sfx.exe
PID 1092 wrote to memory of 2844	1092	opera-installer-bro.exe	_sfx.exe
PID 1092 wrote to memory of 2844	1092	opera-installer-bro.exe	_sfx.exe

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7-global.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7-global.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7-global.exe" "__IRCT:3" "__IRTSS:23645635" "__IRSID:S-1-5-21-2647223082-2067913677-935928954-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816338 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1840798" "__IRSID:S-1-5-21-2647223082-2067913677-935928954-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --silent --allusers=0
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:1092
      - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=96.0.4693.80 --initial-client-data=0x1a4,0x1a8,0x1ac,0x178,0x1b0,0x718824a8,0x718824b8,0x718824c4
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1360
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe" --version
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:932
      - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=1092 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20230319191146" --session-guid=54d1da6d-7905-4329-8549-b7539aa237ac --server-tracking-blob=OGE3OWM2ZTMyNmNhYWU3OWU1NmEyNjE0MWY1MTI0OWE5ZDZiNDAxOThhMjJiODcxMDc5ZWZiZTg0N2MyOGU0OTp7ImNvdW50cnkiOiJJTiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fbWVkaXVtPWFwYiZ1dG1fc291cmNlPU1TVEwmdXRtX2NhbXBhaWduPU9wZXJhRGVza3RvcCIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjciLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNjc5MjQ5NTAwLjc3NTkiLCJ1c2VyYWdlbnQiOiJTZXR1cCBGYWN0b3J5IDkuMCIsInV0bSI6eyJjYW1wYWlnbiI6Ik9wZXJhRGVza3RvcCIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Ik1TVEwifSwidXVpZCI6ImYyOTFiOGY0LTYyOWQtNDg2OS1hYzQxLTI1Y2FmNDk2YWRhYSJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1003000000000000
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:900
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191911461\assistant\_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191911461\assistant\_sfx.exe"
        6⤵
        Executes dropped EXE
        
        PID:2844
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191911461\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191911461\assistant\assistant_installer.exe" --version
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2208
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\jds7183378.tmp\jre-windows.exe
      "C:\Users\Admin\AppData\Local\Temp\jds7183378.tmp\jre-windows.exe" "STATIC=1"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2892

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=96.0.4693.80 --initial-client-data=0x1b0,0x1b4,0x1b8,0x178,0x1bc,0x70de24a8,0x70de24b8,0x70de24c4
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:472

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191911461\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191911461\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=96.0.4693.50 --initial-client-data=0x148,0x14c,0x150,0x11c,0x154,0xa66c28,0xa66c38,0xa66c44
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1776
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding B74943C718B2FC7685126EBBDFD99691
  2⤵
  - Loads dropped DLL
  PID:2916
- C:\Program Files\Java\jre1.8.0_351\installer.exe
  "C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:2312
- - C:\ProgramData\Oracle\Java\installcache_x64\7218837.tmp\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2572
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_351\lib/plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2972
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_351\lib/javaws.jar"
    3⤵
    - Executes dropped EXE
    PID:2852
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_351\lib/deploy.jar"
    3⤵
    - Executes dropped EXE
    PID:2968
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_351\lib/rt.jar"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2348
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_351\lib/jsse.jar"
    3⤵
    - Executes dropped EXE
    PID:2256
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_351\lib/charsets.jar"
    3⤵
    - Executes dropped EXE
    PID:916
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.jar"
    3⤵
    - Executes dropped EXE
    PID:2084
- - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    PID:2516
- - C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    PID:2556
- - C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    PID:2752
  - - C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:612
- - C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    PID:2332
  - - C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:2412
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 32C203D746DB9E54C973E871DCCCDDCF M Global\MSI0000
  2⤵
  PID:3652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5a19758,0x7fef5a19768,0x7fef5a19778
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1300 --field-trial-handle=980,i,647079678092498085,16684496494492795554,131072 /prefetch:8
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=980,i,647079678092498085,16684496494492795554,131072 /prefetch:2
  2⤵
  PID:3232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef5a19758,0x7fef5a19768,0x7fef5a19778
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1364 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1088 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:2
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=664 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2176 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2196 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1020 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:2
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1692 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:8
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2656 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:2
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3232 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3684 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3692 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:8
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3572 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1380 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2768 --field-trial-handle=1392,i,2101905636073533460,495224253697746797,131072 /prefetch:8
  2⤵
  PID:3088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5a19758,0x7fef5a19768,0x7fef5a19778
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1068 --field-trial-handle=1200,i,14315218456676183508,9513826086345696498,131072 /prefetch:2
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1420 --field-trial-handle=1200,i,14315218456676183508,9513826086345696498,131072 /prefetch:8
  2⤵
  PID:3220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5a19758,0x7fef5a19768,0x7fef5a19778
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1164,i,6845832363776769319,102526453003872135,131072 /prefetch:2
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1164,i,6845832363776769319,102526453003872135,131072 /prefetch:8
  2⤵
  PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5a19758,0x7fef5a19768,0x7fef5a19778
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1260 --field-trial-handle=1400,i,10820169088564671703,7743833336752024565,131072 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1060 --field-trial-handle=1400,i,10820169088564671703,7743833336752024565,131072 /prefetch:2
  2⤵
  PID:2960

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6de61f.rbs

Filesize
925KB

MD5
1087e2084423d964b4f2c17f871b547e

SHA1
31c3660dd3ae9fe3451266151d3b47ab6e0bd542

SHA256
da12828faa0110613a417bc253cd9b102ed2fe5106fab89f18641264f0d9eb0d

SHA512
51769bd84e76d9bb460b4e61e24550d00de703f10f95dfe8b093a676c8c933378abc510ac4e4f3bfdd3cadff934434e54c0feb1483e94785a5a65d39798bb323

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\dtplugin\npdeployJava1.dll

Filesize
1.8MB

MD5
ff91ac355dc6b1df63795886125bccf8

SHA1
90979fc6ea3a89031598d2146bf5cdbbb6db6b77

SHA256
14b30467cfea0071dffc658dd31b8a25b7b4e79608933f171911c2cba6aa9a0a

SHA512
77aa8c7930730004bdb8d49a82712e1042db978102f6eca0d38317b6fd98ef03e52279130eadc7a0da1148e759db6589f7f8334d4c2eccfb2613e8f19542e197

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\javacpl.exe

Filesize
103KB

MD5
7a9d69862a2021508931a197cd6501ec

SHA1
a0f7d313a874552f4972784d15042b564e4067fc

SHA256
51ff63cbac78bd133333e98d91b02b652c88cd57cedd0052519051a17be77856

SHA512
5c331e6deefc8256ea203d63770484f6b485d4c3832a60ecf4a540dff3cb75a76dbde37980fe1763ca487401b68126f58f8d1a4c72ee610f5144c624c4736850

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe

Filesize
446KB

MD5
24ccb37646e1f52ce4f47164cccf2b91

SHA1
bc265e26417026286d6ed951904305086c4f693c

SHA256
adf2d659c2b2a4afff1ca58f3a742d27d767d27eabeca6a8b6ee243e9c913a39

SHA512
cb174e7a219f6ffae3715e37beb428979bc1462202729c05a25fa7b8da90e2dd6faa92c03cd9ca21567d354dce7acc1852669f4071298e953d6a286243794e32

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.lnk

Filesize
197B

MD5
b5e1de7d05841796c6d96dfe5b8b338c

SHA1
c7c64e5b35d0cca1a5c98a1c68e1e5d4c8b72547

SHA256
062cb9dec2b2ce02c633fc442d1a23e910e602548a54a54c8310b0dde9ae074d

SHA512
963a89b04f34bc00fea5b8e0f9648596c428beac2db30d8b0932974b15c0eb90b7c801ba6fa1082ea9d133258f393ae27e61f27fd3b3951f5c2e4b8c6a212c2d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

Filesize
182B

MD5
7fadb9e200dbbd992058cefa41212796

SHA1
e2525d7ba66bb07bc1cd5ba93f88c54e7e2042b4

SHA256
b05abacd15117b1ffcd2a288308f50c0542214d264b852eddfa9025307ac401b

SHA512
94b7bf1f1f5cea2a74f8c326113dd25652cb14e5fa356ac83d16b6ac5a5cac26c9d2b20259f5c2cf8ebc1e022490511e2996335a5d8dd7f5b64dce429fb6dfb1

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url

Filesize
178B

MD5
3b1c6b5701ef2829986a6bdc3f6fbf94

SHA1
1a2fe685aba9430625cba281d1a8f7ba9d392af0

SHA256
6a2cdce88637830202e1031bc8c11f083103a6bbb8c1ce16fb805671a46633c8

SHA512
f3391d790bb6acb1c25b82253b19c334e7cd73648e9821b7050fefbd5b0bc4b48a0cedd97e425a83c788f9b798337d33dee2e989771604c4f886da46d2debea0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
471B

MD5
b810253646056c2366b824aae40e8bef

SHA1
2d6e5e506f1adef14eac5bf1fad0f572af8c7292

SHA256
586c9d7219d3920a4f3b356f58c49909797a309b2ffa600b7b859f1f092e1c2e

SHA512
7811b0809374120a24edab497dbbce5a8957ccd4f6e6ffa1d0a90523447d6e0d8eda0bacfb0781cb04450f101719a52d5413fa7728e0cfcb63a5e146087c2cb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
339beefc06d052b449cc2be2f53a43a2

SHA1
b1595cda3813f4ea4806516bce78619eafd71a17

SHA256
dfc8c4038020f5b9f4a087844603f27c7d2a8b811cf08b6d3f7867c79d2d58e5

SHA512
dca9fbd9cb0487b2efe0855fd99a09046b30f7dd413cf3f2312c0aa896f1f0cd8e9414874d060ef3cd175da26e210b7b1b7cb5167bc77eea208651949407f4c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
434B

MD5
b83d0d3c45020d6d439edfda0deed810

SHA1
5d61cc8323c039035c7b3d72c006ef8b5e475c8c

SHA256
641e2879305d469e08cc1fbaf455f80b90f71eab5f63fc1db1ab2bd13e31148a

SHA512
1f0c0e800df17551370559fe428e59462e0dbd61bef4028d9abf84b0e079ad3280ddf5f3e6a5f0158750c083bee74c6bea44467283af0e277ac6f5101eb07e70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5b7569ce-86c5-470d-9ca2-f283cb4e439e.tmp

Filesize
71KB

MD5
fe9a596a499660ed59aa2cacd2bb4287

SHA1
48b8595b885cc91653e7274c2ba7283b000d07f0

SHA256
43ba59e90b740f375d56288b5183a1e011bc51a228f9ba42d217f9a0268eafdd

SHA512
93c880ab0bf566d4d4e4c4eff00b2002e9d6a9e4c3bccf003336cd3ffd929447bc017386f751a25d1e57b32cd62957fe351bfb7144a3ae5c61ffe0070bc7c266

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d33b61c2fc1dd881d02d27617d77b65e

SHA1
5a3f6949857e1787a99c912577346ff6000fedd2

SHA256
983865fa820512337344a27d32709dbd2cbea157fe5b9ed8a7f29c8875013f59

SHA512
8ecfa11596f65b25ac4838aaa6aacb5468488fd1345c269b19c37c265d29adcb4b42da5555c0c1518a6b720868ecd4d2acd26872d601ab92693a433fae15592c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
72931c3d3c56e5abef22975629b77c0c

SHA1
80b011fc5344868d61c7b5560cbf48c0e5d1cdb0

SHA256
751d998d1b123a834a3bb3f2d5f6d4c7e153ab9d0f2f149b133bffe201d24c8f

SHA512
6a7af9a610e322728da513053f59ea002ba82bb2a4e49fa17a1038429f7d4defc1a1c430e246d02733733dd27db29563cbbbad9a22a0af6f53fb208067c3db3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF79ca52.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a2acdb7fa73868f1af90d9cc2c375dbc

SHA1
9f38e9f3fca6dfe6974e7dcf6d45de0dc31ff6d2

SHA256
32e7d9b57f4493a3901f38ffbc8dcf30a47e657ac736261f44250275acf44818

SHA512
d80d7185c6d63efc17936950482b92dc75ec96555fcbdec7d4e3de2f426147623d5c77099bde300839eee576afe167969a2abf9ff1a391edec6da58931b8782d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State~RF7a3ad0.TMP

Filesize
1KB

MD5
71595708108137ecbc1e14bf0bbb68c7

SHA1
d0e29a7a824e791e90998dd6e545cfbe27982d13

SHA256
50c8bdcc756d407619837f488874e0372371ecdadfd5847ba58c1f665dff0e02

SHA512
e1126158293ad05c050cdf4b1af591abb34413fac1af851038110e8f036c07c10ca8d8b32b8f86dd2ce444f74fc704ddab424e1b441cd3c80f197b0081765b1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
278554f0d4a3e01742d323ec22a24fb2

SHA1
faa64860ed3fed3f741f1b988ae5f8c7e4f2a9ff

SHA256
da418c8eee20b4e05f6b9ef2c713ac8392ae5a1dd5ef76c42cf12d823fc8fc5e

SHA512
5866f190cd22d04d85268f62eed555f51070d6af68072ef7e2fe86e124d4085802ec7d4a4fc555455bf79d4b0368a77f4c347919622f305b3b35c960fb39c1d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
683ddd689de3736047537ebb1f24f865

SHA1
66365c25fa09877b724e39aa6c7c1b99563c6ac3

SHA256
9b7749a57e12736ce771164fd4dbf1f4f83d4b23bc206f6a0a06e5a86a713703

SHA512
298677268680fedabd80f3aa6a3c80625a6657b83c73b7d66726b0392ade5a238a8e0016abcffb73057239ac073b18341d2c6abd55ac4e2a9c70074b83bfdf3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF75ed8b.TMP

Filesize
4KB

MD5
792f2044c1a0af9cdee0c42a36613477

SHA1
f1e10a28cd6d38b255ce4a39b2fd2b8e8052efd8

SHA256
3a723fdbbb6c51c0588b2a5846ba96b0a7ce35dcbfad7a261d5229fa76e64713

SHA512
33acfb4dfa93941dd50d436f253292734c1e83e29217867bb2f33780da9b982d4ea2c3add576d27461ae9071dc2155d7d21cd519b9bf537d6ef0b5421dded21f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF761c1a.TMP

Filesize
4KB

MD5
37c9e0dab01485279c7b1892d8263790

SHA1
ffe2b7128887b3aa2b5426913f99fc0186432532

SHA256
bd649b243cf8cb442c3a2fbf4d8b9c77d097cf7e60f987b2af1577b342d4a183

SHA512
07a0a909abe6b1b830e83fadb4f3497397a33606018685176adc815645f511e8e877c8dd7afb484b7b59d961e53c36e0e9e35354bff66ad458041e9d15119150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RF7382d7.TMP

Filesize
71KB

MD5
512257dd7b9639175ed65ae14329323a

SHA1
4e7ad722c157638329c7ce02d9263c1954fd4461

SHA256
b30d1223cc78bd4bcb76ef9a5c6337767d813872c2f9e86e708cdb4c99d42dda

SHA512
63924059e0502d7ffe3666cc5aea757b333b32473d53a9ed5fdb795a687986e7293ba6a5ff50fd457c42bae8024a87398cd5393caa2956625b47b473e9580d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\b6c42720-8c76-4f54-9cdc-ac32c09e0e94.tmp

Filesize
71KB

MD5
76d0562043ddf013efc5f47f60a7f133

SHA1
9c63bd7267cc589d74b9a65a371c58a1f6148431

SHA256
82f5c9f489281357d66c32e826a65158905379b7eadad74d6f63b2ae3ee39f56

SHA512
5b1395dee60313a76d15f53c624593dbd8d460ac2bf1bad588841e24f45fe6ed406bab49da5ba54da28b04793796bd781e415fefd945a32e197e33b08bd13343

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ff002def-9e6a-45b6-b25e-14381e5504df.tmp

Filesize
71KB

MD5
d98ebb36e86ef0a22d072c6ec5a5c1b7

SHA1
7f993b3d0c53f60d6ae10af178b883ae61eee833

SHA256
e3ad5e8c191f2adce1bcdf1f6c498cf8e6363d105cd7681329cf7a1479017ee4

SHA512
77b9cb2c15165f706a85062e75930104dfe15f373dd5014c6680dbdb9e730d40b048aab2f4f1a4ae3ffef9f46513107a257a5e3d48ee7fe25bd231498689a8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
2be50a041d91f81bad63915b5dda99dd

SHA1
a3fb54e63c980f942c943a72464e273a155ee1bf

SHA256
eea216cfa94db46f800d615b76c459297696003b58caf76b2fa2292f35d4f82d

SHA512
819fe2d04b9edcc177cb3fb0f69c7153f53a84778fc6444d983ec7b676611c326a1b42316be20738cf94ef8632321aabca16d6d2e6d165bf15b419ff866fe766

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191911461\additional_file0.tmp

Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191911461\assistant\_sfx.exe

Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191911461\assistant\_sfx.exe

Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191911461\assistant\assistant_installer.exe

Filesize
2.1MB

MD5
2f3d9e21e232b9bfea064d3b2264db06

SHA1
bafddc657d8d1bb531683b29b0342cc065ee51d2

SHA256
25528c314aed2b5391ca1d08c736a3807142aab21ae99d5970f2a862c8258d5d

SHA512
94e81aa3015b7e112bf772b52b2dd6092f5634746e201171b34b2493a62b08fbbf53a6d6c60c904c424c06e802aae6810c6dd88cf7a882846bc0a4793c3b32e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191911461\opera_package

Filesize
86.9MB

MD5
6b7771354e081eb94cdbf7627799da4f

SHA1
199341a750443cc6e9b2b2fa1e657d0dd327711f

SHA256
494d1247e61eebf703a6eb19c14bde88edd2f85515fefa4f0465f43873e69aab

SHA512
33e781a102ba3f5c3b1895540bc9c43b78bf4f19af4b91ae0c765594f39d6569d1bad207b33f808426d8ebdcb00c419b7bb76bb050bae0bb843f96dd84355800

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab257C.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_230319191143149932.dll

Filesize
4.6MB

MD5
927a01657c6bee50ca093ffcfdc9134a

SHA1
f7e484a777affe3c6227a2be0a6560111e1be8f9

SHA256
b1012ab0e2e6a363372a14b480b4c8275c013e66c94adfb8857e523899350cc9

SHA512
718c25b4e95948b728fe7eda6c5953bc0246dc5730ba99a71c3963ebcffda58b1759bf2554fca297d1590d8768d50e0fd9c39bdf790f4d372bc4aa255bfb5db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar59F7.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6F18.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG

Filesize
339B

MD5
bbdf2e8c0262e7e606d41ddbe5a3cd12

SHA1
acbb25f729af14b692ec9c8187a23b1a696f8e47

SHA256
d7c76896d206d977739556ad2d5811f7cf3117252afcd439a5aa0f2b645f6949

SHA512
0334fae3682889adbc18594b7917d8c93252a86bc04d08efc6860d5714ba4eb8aabc39c51e532c4aee57a938021540d2f2899781d9cd1de311036e1850a65067

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG104.PNG

Filesize
644B

MD5
38c12e1a54f8fd216ed3f13b36798cc6

SHA1
ccf1fe585d3374ebce4c1ec025e2d8ec39968a7c

SHA256
608924ba294590b5b706658d9aaa71b480ad9aa1b6797bbc5cf1632ac6c616b1

SHA512
0918af63f006d7fa04a3faeeb813e61c060316a126c4742a948a30f5b6ea368c3b8592011319dad3dbf8427dfcc095aa72f7b651d6fc31061f861f070447331b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG109.PNG

Filesize
2KB

MD5
03b1d78771eb279766efb2d9f2fa8463

SHA1
8f10e304fd65e58136ccd6ab012ffc594e6fb707

SHA256
eec16d2cb57e38b485b6a269e9c2554c1dfc3b70dec9f7bbddc2b62526b3d832

SHA512
ca51cbaf20e6f62eb6ec69555d259ef61828d3166d09106bcd335dd417ed30660af71e7fd8db6bd22bf134cc530e1a55ecdd2c307e64e8edb28af95299d66f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

Filesize
280B

MD5
5a7901f7df307fba45b1c377f2c94ccc

SHA1
d6630cf733033cdfbda7af3213d49b32f5b06919

SHA256
d8471d5a5b4792c4b49e80b5cb22ef1e938dc3069b210646704f658548d7a9f8

SHA512
fc0036a7ed4b53edd72b91c4824919e6e8a82b5be1e82cdc134e267ef4792424124fb6ba5d7c86cf686910da0baba8453d7a6c12b39a5b4c0cb70658580f3bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG22.PNG

Filesize
1KB

MD5
46a65321aa1fce57d465c26e8b6eb392

SHA1
9efb9a3acd5b32556ea66398c74b014f91087559

SHA256
61df7a1f0367209668d4f0f6a285b8baff864d1341d382ebbc7fd4e71036b666

SHA512
094d69016f066ae835c71d7a950217b9ad09e8cd4d74131787203cae950e572c18213dc1ded139b1fa46c7f803cc15bf4f596c9d51aefe0d43850ae2865f3707

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

Filesize
281B

MD5
05d7bba3d6ac92766c4495b8928202a6

SHA1
50b65a8ba5ed2633e43929ee4bd58c95a91a3363

SHA256
4804f3c4fae714657fdb85e98244828acc6ac938505c2da1ed694ae7b58f2949

SHA512
1544d5cd6f85aaeeacd26f2deb9da9eb510226b41079ee78c4dede14386e5ea3446efdfd475bfbfa3a6846fa2ff23d64f4dad3a4ddd304e32de80e4d7bcbc600

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG85.PNG

Filesize
43KB

MD5
667b0b54ee5ba0d1cb66190226596e46

SHA1
b8658b35e7cf44b24053e4d01d3b51233d6526f6

SHA256
3a9ab8c3640f1b40b33553d7d3dd3d15bd6e702ef510ec0b66a2f14aa744bf83

SHA512
9ccc773214a0074634be66801d81d7a593ab154351fdbd1b93f56ffa80cf824ee31ff2e13f26536d5f3096e90df43fa223080b4dc55340614b076c08ef976dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG86.PNG

Filesize
1KB

MD5
5bc85d12eb492baa3be9230f1fbdc342

SHA1
456fe4284fa916ad3817e7c3d419c13f4c949737

SHA256
9a27f240758513aa1cc05500171fe22fdb3a485781cba4798cefc29f6944373c

SHA512
3d55c597ac29d7f810980dfd89404d3ecbd2e652ae1bc5e6710668ad5386a0caecf3149289df13f6dabed6b2e4305a26684ab3bd21b255b37f8a596fe8d641b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
111dddf2f308abc2a8f7555d5f642751

SHA1
11e6cdccbf29a71a97011b9444cf20c83ad8b57b

SHA256
c65af78739ffcd7bb6673f167624522ac8172516a1d3783e5171f9eabd625be0

SHA512
11662a0f5cd850578d2799217393f979f0dc029450f4fbf17780eae69494fb3f4de5a617d31f3fbf5b3a7179eea7bf9ded2555fb61703baeb74885d6bf0421c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
111dddf2f308abc2a8f7555d5f642751

SHA1
11e6cdccbf29a71a97011b9444cf20c83ad8b57b

SHA256
c65af78739ffcd7bb6673f167624522ac8172516a1d3783e5171f9eabd625be0

SHA512
11662a0f5cd850578d2799217393f979f0dc029450f4fbf17780eae69494fb3f4de5a617d31f3fbf5b3a7179eea7bf9ded2555fb61703baeb74885d6bf0421c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
111dddf2f308abc2a8f7555d5f642751

SHA1
11e6cdccbf29a71a97011b9444cf20c83ad8b57b

SHA256
c65af78739ffcd7bb6673f167624522ac8172516a1d3783e5171f9eabd625be0

SHA512
11662a0f5cd850578d2799217393f979f0dc029450f4fbf17780eae69494fb3f4de5a617d31f3fbf5b3a7179eea7bf9ded2555fb61703baeb74885d6bf0421c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
108KB

MD5
aec508468d53ab8d55f5b4beb82c347d

SHA1
477d1ffb28834243f5811a4a2a54b4f0ca240120

SHA256
ebee84e34e221ad822486432333bad9e6357af2fb0d9651cc61c7fab8ec9b5bf

SHA512
26a0278af2a9e75ef966bc3f7f40d7669204c2004a043adaad102ef440caa6282e69372ca0c3c7d39a8450691d528c2dc77a4386bfb0c6e5a2a76c3fef900fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7183378.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
4KB

MD5
5777b711677fd0ff99cbd234c26f9808

SHA1
44502a761685cebc57a3dbb9d8e1deb119614ede

SHA256
2353cbb89bb5c4594792f51a4e146effc75fc74cbb045f066242a173b5429c2d

SHA512
ceb1a06d20c80e3e0474298daffb3650ad116c6ac89458d0d95d36071d97c43d38325709ccc133e89aaaa89a0d75d3e6987445e0f10ac5ab5b3990a3ee1c9860

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
4KB

MD5
5777b711677fd0ff99cbd234c26f9808

SHA1
44502a761685cebc57a3dbb9d8e1deb119614ede

SHA256
2353cbb89bb5c4594792f51a4e146effc75fc74cbb045f066242a173b5429c2d

SHA512
ceb1a06d20c80e3e0474298daffb3650ad116c6ac89458d0d95d36071d97c43d38325709ccc133e89aaaa89a0d75d3e6987445e0f10ac5ab5b3990a3ee1c9860

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
12KB

MD5
b21525eae10dec4ad4945551fb903535

SHA1
12f237e078acf7027bf4e380b824472ebb772004

SHA256
3319b9d016d28677a635e5ac078d5d21a32d614416f1c7ea7da7429c32c54cf9

SHA512
76a3c4d88789ae6d11350c93af1161d624c2483746161abbc720651d0e930086345aa12907e117aace8ec177c002d86fcf786c7468fe095715a487465d6a53d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
2be50a041d91f81bad63915b5dda99dd

SHA1
a3fb54e63c980f942c943a72464e273a155ee1bf

SHA256
eea216cfa94db46f800d615b76c459297696003b58caf76b2fa2292f35d4f82d

SHA512
819fe2d04b9edcc177cb3fb0f69c7153f53a84778fc6444d983ec7b676611c326a1b42316be20738cf94ef8632321aabca16d6d2e6d165bf15b419ff866fe766

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
2be50a041d91f81bad63915b5dda99dd

SHA1
a3fb54e63c980f942c943a72464e273a155ee1bf

SHA256
eea216cfa94db46f800d615b76c459297696003b58caf76b2fa2292f35d4f82d

SHA512
819fe2d04b9edcc177cb3fb0f69c7153f53a84778fc6444d983ec7b676611c326a1b42316be20738cf94ef8632321aabca16d6d2e6d165bf15b419ff866fe766

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
2be50a041d91f81bad63915b5dda99dd

SHA1
a3fb54e63c980f942c943a72464e273a155ee1bf

SHA256
eea216cfa94db46f800d615b76c459297696003b58caf76b2fa2292f35d4f82d

SHA512
819fe2d04b9edcc177cb3fb0f69c7153f53a84778fc6444d983ec7b676611c326a1b42316be20738cf94ef8632321aabca16d6d2e6d165bf15b419ff866fe766

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
2be50a041d91f81bad63915b5dda99dd

SHA1
a3fb54e63c980f942c943a72464e273a155ee1bf

SHA256
eea216cfa94db46f800d615b76c459297696003b58caf76b2fa2292f35d4f82d

SHA512
819fe2d04b9edcc177cb3fb0f69c7153f53a84778fc6444d983ec7b676611c326a1b42316be20738cf94ef8632321aabca16d6d2e6d165bf15b419ff866fe766

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
2be50a041d91f81bad63915b5dda99dd

SHA1
a3fb54e63c980f942c943a72464e273a155ee1bf

SHA256
eea216cfa94db46f800d615b76c459297696003b58caf76b2fa2292f35d4f82d

SHA512
819fe2d04b9edcc177cb3fb0f69c7153f53a84778fc6444d983ec7b676611c326a1b42316be20738cf94ef8632321aabca16d6d2e6d165bf15b419ff866fe766

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
2be50a041d91f81bad63915b5dda99dd

SHA1
a3fb54e63c980f942c943a72464e273a155ee1bf

SHA256
eea216cfa94db46f800d615b76c459297696003b58caf76b2fa2292f35d4f82d

SHA512
819fe2d04b9edcc177cb3fb0f69c7153f53a84778fc6444d983ec7b676611c326a1b42316be20738cf94ef8632321aabca16d6d2e6d165bf15b419ff866fe766

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
602B

MD5
769a15ff9b8da38993f9cf3440b21e7c

SHA1
63ea1d4551de93d98fb342a50fef0078cd13e622

SHA256
2de6d9affccb809e81f5747a0e199bbe0e6aaa5174c82a21e801a58e557c3d7f

SHA512
c689175106aad6c65bf6f051561adeddcd3c7ab10da3a0d0a66f9d93aac873cb618db362872d16fde142a049c1cd96551519d62df121bd7956d22ff40f087d80

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
6.3MB

MD5
f08d9bbc61cff8e8c3504524c3220bef

SHA1
b4268c667469620bb528c04eaa819d508159b398

SHA256
2c4d8b48344ae221e349e525ac16eb364ffb5ab8deae80c7caa28dd5967cabdb

SHA512
a64a03d959487399fb57e1bd062c0e9f88a17ff9b3ad15e6b96a4b7332341d0fc9186ef99b2ab9bdcfa51864f21d08bce48479202c01d15470916e90fb09fef4

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.BMP

Filesize
451KB

MD5
0b445ace8798426e7185f52b7b7b6d1e

SHA1
7a77b46e0848cc9b32283ccb3f91a18c0934c079

SHA256
2bbf97ccba3f87d469eac909c4ce8a3f13ed29c8f31b611e7d5cf89a0619eda6

SHA512
51523d5b711481293305465a3a3c6a3a50dca984cdc8cca1f4c44f3c21bfa430cd9aac1a8782d9605e6954cbafb307beb6b1a52e9785de1bc3f71067d80c6b6e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG23.PNG

Filesize
1KB

MD5
fa8aa84ef4bf0de505f6e3447d4b55b3

SHA1
b99654dfa5f6c56857b4f4102af2d27503bcdc74

SHA256
f3b7e85e8e5e41496fb563816fbf79e6640feb1591bd5e0c0b876d80053ad913

SHA512
b3a7d0d5abe554301b8745bd738662d80e439fba8df6f984cc05151ec8c081a61f0538765653e8587b431cdc97d384ee35d17ab3324c06a2ca40a069e1525ba6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
45KB

MD5
2799f9daca46770a871ce1b5eed32e7c

SHA1
a2792f571210a7f38cdbe49391017300ee7b1ce4

SHA256
fc22676f5b6cdae17b78ddfd16bb070687516fbc827a7edd0541f3a32d85c9e9

SHA512
c41f2e4c4ca59d6f9d11fac11296ab87f1b508b5d64e5db7762f2f6dd387aa96206b2b0fa127f17c0b8c24a0b56e81af12d5937474a450222d9c4416c1acb16a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG41.PNG

Filesize
457B

MD5
ce17d7ce06488f394ce124f17d5acafc

SHA1
8a5dceae9ea369b686123c8f940bb0ea07870ffa

SHA256
c4b04568930f03979d71f48a57b9ad06b4cdf687272f6753ff662006e8e6237f

SHA512
c33f1370213cabd1b84c936f1ac14f9bcc83bc03a633bbe25efe1e906bcee515d0e615c86b7ee3b34404dd1d95ce74d1a00908de8cdacbf9961de3f1ceb8362b

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG42.PNG

Filesize
352B

MD5
1f5c8939031a7f93762862cfc88a8e56

SHA1
6dc4df87344db0ddf09c777e7a80d1b5661559b8

SHA256
14be26e969eb15ef7e76e0ad02d8aa0516c5391e8b09dba0a9a6c5f57ae24aba

SHA512
de45d700c86329c704777917863fd1ddeca90d2bed67a72794164882bf15725ce83c7733f664ee0a2af7df54a6be2def729d19237fb2c434115396ac126ff47f

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG45.PNG

Filesize
438B

MD5
09229c3bfb801177839a7c2e22e33a1b

SHA1
f679c05c4c7b2f3722069420c6d6481fc856e7aa

SHA256
cbf81d779b469942613297a3ca6c09d885e3b1d4aa952dc1994a7175fbfc7e3f

SHA512
503bfa063b29dda95f15da303f707e5b78a6bdb74662c222d8a8b7e3a33264016a66acdd9de44aea932e7cde80a43c2406ea6f0250d3df8e182217bc4a0a7ed7

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG46.PNG

Filesize
206B

MD5
d8a095202e08fa1ac2578982e9a486db

SHA1
397ffc8af43ac18466b8df245b4faa6b278659e6

SHA256
28fed2b9a3cbde34da4b6b5d1af2d2844437d21f6dec85b3ca2faa5cd3b512e5

SHA512
ac751386a0004e335f4e5f4ea24bf6a474478c8a7ca54d018734e7cd44b8e9a0eb262b00fe1219b1c62c96b018b08ba6b1056d3a13e64b55c7e70d748a6ae9c6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG48.PNG

Filesize
1KB

MD5
59d6f22fdc11d6b116b38193ed5f4b97

SHA1
cddc7eb2110b3179dd6d1e32b4b37f3568a22ebf

SHA256
782cafea76d24d76885d88ee1302e5f78d75a4e335529dc20ad476fdb9e34744

SHA512
5b0fab5139736d30a69c98ea88d95a5c70f59aab1b82394c58b33617b824447b861a6e6067b62dd1ca1812a4989937e06ad473c6c94376af957871e9e63553fa

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG5.PNG

Filesize
1KB

MD5
3094925a8de871bcc72ae50882d2a6f7

SHA1
9f7894bc4b2a498ad20b14b2b3cac175bf4d7a9f

SHA256
523e7230db0c47a436abbc442db93e41b6f549b32da6c2a10db7a18228491216

SHA512
bf2349354321397652d834507aae4c32885273209d1409b796170292e37ebf35878e2934d3f53545e66724561e646cc660f952e0bb5006cd7a262a790b64e39e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG66.PNG

Filesize
41KB

MD5
1557c08e187b7783083e0b80051fd321

SHA1
2c6ee47799d713e88fd589609b81912a4522044e

SHA256
0c0e74dd07c45833a5dd7ba931e5d528eb16334defdd06171df2f632d6e47842

SHA512
485f69b3878b2bd7fdf52ad020dde2cbc34dd1970aaa4e5eb8f8618f6091b5b827b428447859499c3d61ea9cde2edcbb97c8fb0560cd0aaff50027c0f97ee6f3

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG67.PNG

Filesize
1KB

MD5
5eecdc666e6dc0b8e5e8d2fc3b9cc1b2

SHA1
72a16d461bd2410d5749c6bf939a127683d83a95

SHA256
052f0289886f9cc0931d7026dfe1f5253ad39123479627e37afa5c430e8f8ff1

SHA512
5d465d2c61d97ec2a52db3aeee8d42ececdef08930692842f9c6a41b0611cb774015d369e4fe5186079e97839acc78e8403ea6a6c33ee54a7aef3eea41c3d7db

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
33KB

MD5
3769d802d0cc4b6a85eca87a7f8ce5c0

SHA1
2edb6f2ce3284b95d0a4b6becc24acadd0027d6e

SHA256
7604308cff1157828f09bd1bedf7dfb4e59591ca39aaa08c7f28b1450b0d1b77

SHA512
04ad0d82ea505a6d291f74319f44a2408c3561aa4cc1bb96611616457763cf371004bffead29f3fd068d84194dcefb3c6905c4e7fb401b4a537b17c45e635f91

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
8KB

MD5
dc70dbc69935e787f641c5d1319d31a4

SHA1
fde179e72db4833eb24703c2d0bc450c992d506b

SHA256
460526bcbba18498f002abf061c2f20ca386ab08aca251fdfa45ed2cab955900

SHA512
0504571f31ebd9f238bd9c6617a38f7a86056b5da9c897b4ec79429ae38ba17639550afb2ca8d29b5c681ab599bc878c81bd14ff4b2346f0bea2c67bf3a02220

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
c47fbbb3c0d401941ba9b6ab1a5eb035

SHA1
24ba1613cf3c389f31ac968b05dd5aeff04ff29f

SHA256
3b6eed22fd843f9a7e451db985be90fec8722e050e4a81860682b9d21c9c19bf

SHA512
e1fb2acc1932a6b2bba80f5d6b875dcd0f0c8702f39c91fc960fbcc0973e3c9111292242d64819ae549258f5bee6839a8fa57921e164e24c8ea60c672a9192bd

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
c47fbbb3c0d401941ba9b6ab1a5eb035

SHA1
24ba1613cf3c389f31ac968b05dd5aeff04ff29f

SHA256
3b6eed22fd843f9a7e451db985be90fec8722e050e4a81860682b9d21c9c19bf

SHA512
e1fb2acc1932a6b2bba80f5d6b875dcd0f0c8702f39c91fc960fbcc0973e3c9111292242d64819ae549258f5bee6839a8fa57921e164e24c8ea60c672a9192bd

Download Submit
C:\Windows\Installer\6de61c.msi

Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Windows\Installer\MSI13E4.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
2be50a041d91f81bad63915b5dda99dd

SHA1
a3fb54e63c980f942c943a72464e273a155ee1bf

SHA256
eea216cfa94db46f800d615b76c459297696003b58caf76b2fa2292f35d4f82d

SHA512
819fe2d04b9edcc177cb3fb0f69c7153f53a84778fc6444d983ec7b676611c326a1b42316be20738cf94ef8632321aabca16d6d2e6d165bf15b419ff866fe766

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191911461\assistant\_sfx.exe

Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191911461\assistant\assistant_installer.exe

Filesize
2.1MB

MD5
2f3d9e21e232b9bfea064d3b2264db06

SHA1
bafddc657d8d1bb531683b29b0342cc065ee51d2

SHA256
25528c314aed2b5391ca1d08c736a3807142aab21ae99d5970f2a862c8258d5d

SHA512
94e81aa3015b7e112bf772b52b2dd6092f5634746e201171b34b2493a62b08fbbf53a6d6c60c904c424c06e802aae6810c6dd88cf7a882846bc0a4793c3b32e5

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191911461\opera_package

Filesize
86.9MB

MD5
6b7771354e081eb94cdbf7627799da4f

SHA1
199341a750443cc6e9b2b2fa1e657d0dd327711f

SHA256
494d1247e61eebf703a6eb19c14bde88edd2f85515fefa4f0465f43873e69aab

SHA512
33e781a102ba3f5c3b1895540bc9c43b78bf4f19af4b91ae0c765594f39d6569d1bad207b33f808426d8ebdcb00c419b7bb76bb050bae0bb843f96dd84355800

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303191911461\opera_package

Filesize
86.9MB

MD5
6b7771354e081eb94cdbf7627799da4f

SHA1
199341a750443cc6e9b2b2fa1e657d0dd327711f

SHA256
494d1247e61eebf703a6eb19c14bde88edd2f85515fefa4f0465f43873e69aab

SHA512
33e781a102ba3f5c3b1895540bc9c43b78bf4f19af4b91ae0c765594f39d6569d1bad207b33f808426d8ebdcb00c419b7bb76bb050bae0bb843f96dd84355800

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
52e46b1adf9cd40428b41755df527bd4

SHA1
5f0bb9c9c14208851beb5c93d9268c16ab39dc07

SHA256
a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13

SHA512
813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2303191911422441092.dll

Filesize
4.6MB

MD5
927a01657c6bee50ca093ffcfdc9134a

SHA1
f7e484a777affe3c6227a2be0a6560111e1be8f9

SHA256
b1012ab0e2e6a363372a14b480b4c8275c013e66c94adfb8857e523899350cc9

SHA512
718c25b4e95948b728fe7eda6c5953bc0246dc5730ba99a71c3963ebcffda58b1759bf2554fca297d1590d8768d50e0fd9c39bdf790f4d372bc4aa255bfb5db7

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2303191911425401360.dll

Filesize
4.6MB

MD5
927a01657c6bee50ca093ffcfdc9134a

SHA1
f7e484a777affe3c6227a2be0a6560111e1be8f9

SHA256
b1012ab0e2e6a363372a14b480b4c8275c013e66c94adfb8857e523899350cc9

SHA512
718c25b4e95948b728fe7eda6c5953bc0246dc5730ba99a71c3963ebcffda58b1759bf2554fca297d1590d8768d50e0fd9c39bdf790f4d372bc4aa255bfb5db7

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_230319191143149932.dll

Filesize
4.6MB

MD5
927a01657c6bee50ca093ffcfdc9134a

SHA1
f7e484a777affe3c6227a2be0a6560111e1be8f9

SHA256
b1012ab0e2e6a363372a14b480b4c8275c013e66c94adfb8857e523899350cc9

SHA512
718c25b4e95948b728fe7eda6c5953bc0246dc5730ba99a71c3963ebcffda58b1759bf2554fca297d1590d8768d50e0fd9c39bdf790f4d372bc4aa255bfb5db7

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_230319191146752900.dll

Filesize
4.6MB

MD5
927a01657c6bee50ca093ffcfdc9134a

SHA1
f7e484a777affe3c6227a2be0a6560111e1be8f9

SHA256
b1012ab0e2e6a363372a14b480b4c8275c013e66c94adfb8857e523899350cc9

SHA512
718c25b4e95948b728fe7eda6c5953bc0246dc5730ba99a71c3963ebcffda58b1759bf2554fca297d1590d8768d50e0fd9c39bdf790f4d372bc4aa255bfb5db7

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_230319191147205472.dll

Filesize
4.6MB

MD5
927a01657c6bee50ca093ffcfdc9134a

SHA1
f7e484a777affe3c6227a2be0a6560111e1be8f9

SHA256
b1012ab0e2e6a363372a14b480b4c8275c013e66c94adfb8857e523899350cc9

SHA512
718c25b4e95948b728fe7eda6c5953bc0246dc5730ba99a71c3963ebcffda58b1759bf2554fca297d1590d8768d50e0fd9c39bdf790f4d372bc4aa255bfb5db7

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
111dddf2f308abc2a8f7555d5f642751

SHA1
11e6cdccbf29a71a97011b9444cf20c83ad8b57b

SHA256
c65af78739ffcd7bb6673f167624522ac8172516a1d3783e5171f9eabd625be0

SHA512
11662a0f5cd850578d2799217393f979f0dc029450f4fbf17780eae69494fb3f4de5a617d31f3fbf5b3a7179eea7bf9ded2555fb61703baeb74885d6bf0421c4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
111dddf2f308abc2a8f7555d5f642751

SHA1
11e6cdccbf29a71a97011b9444cf20c83ad8b57b

SHA256
c65af78739ffcd7bb6673f167624522ac8172516a1d3783e5171f9eabd625be0

SHA512
11662a0f5cd850578d2799217393f979f0dc029450f4fbf17780eae69494fb3f4de5a617d31f3fbf5b3a7179eea7bf9ded2555fb61703baeb74885d6bf0421c4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
111dddf2f308abc2a8f7555d5f642751

SHA1
11e6cdccbf29a71a97011b9444cf20c83ad8b57b

SHA256
c65af78739ffcd7bb6673f167624522ac8172516a1d3783e5171f9eabd625be0

SHA512
11662a0f5cd850578d2799217393f979f0dc029450f4fbf17780eae69494fb3f4de5a617d31f3fbf5b3a7179eea7bf9ded2555fb61703baeb74885d6bf0421c4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
111dddf2f308abc2a8f7555d5f642751

SHA1
11e6cdccbf29a71a97011b9444cf20c83ad8b57b

SHA256
c65af78739ffcd7bb6673f167624522ac8172516a1d3783e5171f9eabd625be0

SHA512
11662a0f5cd850578d2799217393f979f0dc029450f4fbf17780eae69494fb3f4de5a617d31f3fbf5b3a7179eea7bf9ded2555fb61703baeb74885d6bf0421c4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
111dddf2f308abc2a8f7555d5f642751

SHA1
11e6cdccbf29a71a97011b9444cf20c83ad8b57b

SHA256
c65af78739ffcd7bb6673f167624522ac8172516a1d3783e5171f9eabd625be0

SHA512
11662a0f5cd850578d2799217393f979f0dc029450f4fbf17780eae69494fb3f4de5a617d31f3fbf5b3a7179eea7bf9ded2555fb61703baeb74885d6bf0421c4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
5027f3112ac2d6f764769102a9145c8e

SHA1
a369a0e1d4ace1a8d66908aa43543bea03c76f5b

SHA256
d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c

SHA512
181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\jds7183378.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
2be50a041d91f81bad63915b5dda99dd

SHA1
a3fb54e63c980f942c943a72464e273a155ee1bf

SHA256
eea216cfa94db46f800d615b76c459297696003b58caf76b2fa2292f35d4f82d

SHA512
819fe2d04b9edcc177cb3fb0f69c7153f53a84778fc6444d983ec7b676611c326a1b42316be20738cf94ef8632321aabca16d6d2e6d165bf15b419ff866fe766

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
2be50a041d91f81bad63915b5dda99dd

SHA1
a3fb54e63c980f942c943a72464e273a155ee1bf

SHA256
eea216cfa94db46f800d615b76c459297696003b58caf76b2fa2292f35d4f82d

SHA512
819fe2d04b9edcc177cb3fb0f69c7153f53a84778fc6444d983ec7b676611c326a1b42316be20738cf94ef8632321aabca16d6d2e6d165bf15b419ff866fe766

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
2be50a041d91f81bad63915b5dda99dd

SHA1
a3fb54e63c980f942c943a72464e273a155ee1bf

SHA256
eea216cfa94db46f800d615b76c459297696003b58caf76b2fa2292f35d4f82d

SHA512
819fe2d04b9edcc177cb3fb0f69c7153f53a84778fc6444d983ec7b676611c326a1b42316be20738cf94ef8632321aabca16d6d2e6d165bf15b419ff866fe766

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
2be50a041d91f81bad63915b5dda99dd

SHA1
a3fb54e63c980f942c943a72464e273a155ee1bf

SHA256
eea216cfa94db46f800d615b76c459297696003b58caf76b2fa2292f35d4f82d

SHA512
819fe2d04b9edcc177cb3fb0f69c7153f53a84778fc6444d983ec7b676611c326a1b42316be20738cf94ef8632321aabca16d6d2e6d165bf15b419ff866fe766

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
2be50a041d91f81bad63915b5dda99dd

SHA1
a3fb54e63c980f942c943a72464e273a155ee1bf

SHA256
eea216cfa94db46f800d615b76c459297696003b58caf76b2fa2292f35d4f82d

SHA512
819fe2d04b9edcc177cb3fb0f69c7153f53a84778fc6444d983ec7b676611c326a1b42316be20738cf94ef8632321aabca16d6d2e6d165bf15b419ff866fe766

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
2be50a041d91f81bad63915b5dda99dd

SHA1
a3fb54e63c980f942c943a72464e273a155ee1bf

SHA256
eea216cfa94db46f800d615b76c459297696003b58caf76b2fa2292f35d4f82d

SHA512
819fe2d04b9edcc177cb3fb0f69c7153f53a84778fc6444d983ec7b676611c326a1b42316be20738cf94ef8632321aabca16d6d2e6d165bf15b419ff866fe766

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
2be50a041d91f81bad63915b5dda99dd

SHA1
a3fb54e63c980f942c943a72464e273a155ee1bf

SHA256
eea216cfa94db46f800d615b76c459297696003b58caf76b2fa2292f35d4f82d

SHA512
819fe2d04b9edcc177cb3fb0f69c7153f53a84778fc6444d983ec7b676611c326a1b42316be20738cf94ef8632321aabca16d6d2e6d165bf15b419ff866fe766

Download Submit
memory/472-762-0x0000000000970000-0x0000000000EB5000-memory.dmp

Filesize
5.3MB

Download
memory/900-1615-0x0000000002960000-0x0000000002EA5000-memory.dmp

Filesize
5.3MB

Download
memory/900-608-0x0000000000970000-0x0000000000EB5000-memory.dmp

Filesize
5.3MB

Download
memory/900-758-0x0000000002960000-0x0000000002EA5000-memory.dmp

Filesize
5.3MB

Download
memory/932-601-0x0000000001380000-0x00000000018C5000-memory.dmp

Filesize
5.3MB

Download
memory/932-1498-0x0000000001380000-0x00000000018C5000-memory.dmp

Filesize
5.3MB

Download
memory/1092-1614-0x0000000003F20000-0x0000000004465000-memory.dmp

Filesize
5.3MB

Download
memory/1092-578-0x0000000002B60000-0x00000000030A5000-memory.dmp

Filesize
5.3MB

Download
memory/1092-571-0x0000000000970000-0x0000000000EB5000-memory.dmp

Filesize
5.3MB

Download
memory/1092-645-0x0000000003F20000-0x0000000004465000-memory.dmp

Filesize
5.3MB

Download
memory/1360-591-0x0000000000970000-0x0000000000EB5000-memory.dmp

Filesize
5.3MB

Download
memory/1456-365-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1456-1845-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1456-367-0x0000000001090000-0x0000000001478000-memory.dmp

Filesize
3.9MB

Download
memory/1456-384-0x0000000001090000-0x0000000001478000-memory.dmp

Filesize
3.9MB

Download
memory/1456-635-0x0000000001090000-0x0000000001478000-memory.dmp

Filesize
3.9MB

Download
memory/1456-502-0x0000000001090000-0x0000000001478000-memory.dmp

Filesize
3.9MB

Download
memory/1456-366-0x0000000000590000-0x0000000000593000-memory.dmp

Filesize
12KB

Download
memory/1456-1623-0x0000000001090000-0x0000000001478000-memory.dmp

Filesize
3.9MB

Download
memory/1456-1417-0x0000000001090000-0x0000000001478000-memory.dmp

Filesize
3.9MB

Download
memory/1456-368-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1456-1422-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/1456-172-0x0000000001090000-0x0000000001478000-memory.dmp

Filesize
3.9MB

Download
memory/1456-386-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1456-388-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1456-422-0x0000000001090000-0x0000000001478000-memory.dmp

Filesize
3.9MB

Download
memory/1456-423-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1456-445-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/1456-1539-0x0000000001090000-0x0000000001478000-memory.dmp

Filesize
3.9MB

Download
memory/1456-1540-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1760-486-0x0000000002C30000-0x0000000003018000-memory.dmp

Filesize
3.9MB

Download
memory/1760-488-0x0000000002C30000-0x0000000003018000-memory.dmp

Filesize
3.9MB

Download
memory/1760-485-0x0000000002C30000-0x0000000003018000-memory.dmp

Filesize
3.9MB

Download
memory/1760-1423-0x0000000002C30000-0x0000000003018000-memory.dmp

Filesize
3.9MB

Download
memory/1760-487-0x0000000002C30000-0x0000000003018000-memory.dmp

Filesize
3.9MB

Download
memory/1792-547-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/1792-1558-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/1792-489-0x0000000000390000-0x0000000000778000-memory.dmp

Filesize
3.9MB

Download
memory/1792-567-0x0000000000390000-0x0000000000778000-memory.dmp

Filesize
3.9MB

Download
memory/1792-549-0x0000000005700000-0x0000000005C45000-memory.dmp

Filesize
5.3MB

Download
memory/1792-1560-0x0000000005700000-0x0000000005C45000-memory.dmp

Filesize
5.3MB

Download
memory/1792-559-0x0000000005700000-0x0000000005C45000-memory.dmp

Filesize
5.3MB

Download
memory/1792-1616-0x0000000000390000-0x0000000000778000-memory.dmp

Filesize
3.9MB

Download
memory/1792-551-0x0000000005700000-0x0000000005C45000-memory.dmp

Filesize
5.3MB

Download
memory/1792-550-0x0000000005700000-0x0000000005C45000-memory.dmp

Filesize
5.3MB

Download
memory/1944-167-0x0000000002E40000-0x0000000003228000-memory.dmp

Filesize
3.9MB

Download
memory/1944-383-0x0000000002E40000-0x0000000003228000-memory.dmp

Filesize
3.9MB

Download
memory/1944-68-0x0000000002E40000-0x0000000003228000-memory.dmp

Filesize
3.9MB

Download
memory/2572-2009-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2572-2012-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2572-2013-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2572-2029-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download